Speaking as a Qubes user, I don’t realistically see any way to make a Salt formula sufficiently trustworthy other than (1) being able to understand it myself or (2) a verifiable signature from the core Qubes team.
The problem with (1) is that Salt is extremely difficult to learn (at least it seems so to me; I once tried and didn’t make much progress). The problem with (2) is that it demands precious time from the core devs, especially Marek. Having Marek review every submitted Salt formula simply isn’t scalable.
If some weaker method is used, e.g., letting people rate Salt formulas on a five-star scale, then I’ll simply ignore this new Salt store and just keep using my own simple Bash scripts. They’ve served me well enough throughout my years of using Qubes, and I don’t need anything fancy. If anything, I’m trying to simplify my computing dependencies, not make them more complex. Likewise, if the Salt formulas were reviewed by non-Qubes-core security experts, I’d take a pass, since the risks associated with increasing my circle of trust outstrip the potential benefits I’d gain. To paraphrase Buffett, I’d be risking something I have and need for something I don’t have and don’t need, and that’d be foolish.
I’ve been a little preoccupied elsewhere.
Andrew said:
- Salt is extremely difficult to learn
- Any store or distribution mechanism would require verifiable signature from core team.
On the first, I think it isn’t, at least in Qubes. The basic mechanisms
are no harder to understand than use of qvm-
tools. I have notes at
GitHub - unman/notes which aim to make use in Qubes simple,
and Gonzalo has written an introduction.
In any case, the point is that end users wouldn’t have to understand
salt to get particular configurations on their machines, any more than
they need to understand salt to provision the machine on start up or to
run updates.
To make an obvious point, users seem quite content to run arbitrary
bash scripts when they clearly don’t understand what the effects are.
This should be better than that.
Agreed Marek shouldn’t be adding to his current 48 hr/day workload. But
because Salt states and formulae are straightforward, they don’t take a
huge amount of scrutiny. I’m tempted to say that if you can’t
understand a salt state at first sight it’s not well written.
I’ll be putting a repository online in the next few days with assorted
packages aimed at generating outcomes as PoC.
It’s already true that there are packages in the main repositories that
users aren’t aware of, and rather than creating a store, adapting apper
in dom0 to make it easy to find those packages (salt or not) would be a
further step away from the command line.