Tracking: Trust model for signed Rust / Rustup releases

[kinnison]

Once we have simplistic signature checking in place (#2028) we need to decide upon and deploy a more comprehensive trust model so that we're not doing the bare minimum to protect our users.

• Meeting between relevant parties (e.g. Sequoia-PGP team, Infra team, Rustup team, and DKG) to kick off a working group
• That working group to discuss and come up with a functional trust model which improves on the status quo
• Implementation of that trust model in rustup.

---

People who might be relevant to this are:

• @kinnison - Rustup
• @pietroalbini - Infra/Release
• @nwalfield - Sequoia PGP

Obviously we will not limit the wg to those, but that's a starting point.

[luser]

I'm curious as to what the desired end state would be here--just being able to trust that "yes, the binaries that rustup installed are the ones built by the Rust project" or something broader? With the Rust toolchain build being reproducible nowadays I would love to someday have a way for multiple parties to attest that they produced identical binaries from the same sources and a method for trust based on that.

[kinnison]

The goal is indeed to allow third parties to attest to the binaries distributed by rust-lang, and indeed to eventually permit other third parties to say "I will only install my toolchain when at least X independent parties I have identified have attested to the binary signatures"

[luser]

It's currently targeted at building Rust crates, but I think it'd be interesting to find out if synchronicity could be used for that:
https://github.com/iqlusioninc/synchronicity