I want a spec for providing metadata defining which artifacts should go into a build and how to build it, and multiple implementations of that spec, and the ability to deploy different implementations to different cloud vendors using SEV to attest to the boot state, and then verify that all these different implementations in different environments generate identical outputs so we can avoid having to place arbitrary trust in our build systems.
@mjg59 So, if you were using any standard package manager and build system, and hypothetically, you managed to get a cloud VM to boot into a SEV VM that was trustworthy, and you had got around to some external attestation service, that attestation service could deliver a key to the VM, so that the standard package system could then sign its built package with a key traceable back to your attestation system. Who does the comparison to see if 2 produce the same result is even harder.
@penguin42 @mjg59 why would you care if the outputs are the same if you know the environment was safe? (Assuming no attacks on SNP exist, oops oh well)
@aep @mjg59 It's not a bad double check.
@penguin42 @mjg59 yeah but it's a lot of work 😄