Extending cloud build systems to eliminate transitive trust

Me and my co-authors have submitted this paper for publication at SCORED '24 and it got accepted. :partying_face::tada:

Like all submissions it is still part of a shepherding process until September 1st.
Until then we will still do some polishing and make a few changes that were requested by the anonymous reviewers and shepherd, who I am told will avoid this thread until after publication.

I wanted to use the remaining time as an opportunity to also ask for honest feedback from the Nix community, so if you’re interested feel free to take a look at the current draft of the paper and share/discuss your thoughts here.

While this is a scientific paper, we wrote it with the Nix community in mind and with the hope that it might have positive impact on the understanding and further development of Nix and other cloud build systems, which is why we care about your feedback. Please be aware that at the same time we cannot promise to actually incorporate your feedback, since the audience for the paper is much wider (though probably smaller) than the Nix community by itself and there are limits to what we can actually change in roughly two weeks.

If there is something you would prefer to say in private, you can find my email address in the PDF, and I think you can also DM me on here.

7 Likes

The paper successfully got through the shepherding process, but the deadline by the publisher has changed, so I’m still happy to hear feedback.

I’ve also updated the link with a more recent version a few days ago. :smile:

1 Like

This has been published now! :partying_face: :tada: The published version is publicly available at the following link: Extending Cloud Build Systems to Eliminate Transitive Trust | Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses.

You can also watch NixCon talk about it here: https://youtu.be/UlJUpUQc9Lc

5 Likes