Speaking as a Qubes user, I don't realistically see any way to make a Salt formula sufficiently trustworthy other than (1) being able to understand it myself or (2) a verifiable signature from the core Qubes team.
The problem with (1) is that Salt is extremely difficult to learn (at least it seems so to me; I once tried and didn't make much progress). The problem with (2) is that it demands precious time from the core devs, especially Marek. Having Marek review every submitted Salt formula simply isn't scalable.
If some weaker method is used, e.g., letting people rate Salt formulas on a five-star scale, then I'll simply ignore this new Salt store and just keep using my own simple Bash scripts. They've served me well enough throughout my years of using Qubes, and I don't need anything fancy. If anything, I'm trying to simplify my computing dependencies, not make them more complex. Likewise, if the Salt formulas were reviewed by non-Qubes-core security experts, I'd take a pass, since the risks associated with increasing my circle of trust outstrip the potential benefits I'd gain. To paraphrase Buffett, I'd be risking something I have and need for something I don't have and don't need, and that'd be foolish.
I've been a little preoccupied elsewhere.
Andrew said:
- Salt is extremely difficult to learn
- Any store or distribution mechanism would require verifiable signature from core team.
On the first, I think it isn't, at least in Qubes. The basic mechanisms
are no harder to understand than use of qvm-
tools. I have notes at
GitHub - unman/notes which aim to make use in Qubes simple,
and Gonzalo has written an introduction.
In any case, the point is that end users wouldn't have to understand
salt to get particular configurations on their machines, any more than
they need to understand salt to provision the machine on start up or to
run updates.
To make an obvious point, users seem quite content to run arbitrary
bash scripts when they clearly don't understand what the effects are.
This should be better than that.
Agreed Marek shouldn't be adding to his current 48 hr/day workload. But
because Salt states and formulae are straightforward, they don't take a
huge amount of scrutiny. I'm tempted to say that if you can't
understand a salt state at first sight it's not well written.
I'll be putting a repository online in the next few days with assorted
packages aimed at generating outcomes as poc.
It's already true that there are packages in the main repositories that
users aren't aware of, and rather than creating a store, adapting apper
in dom0 to make it easy to find those packages (salt or not) would be a
further step away from the command line.