I personally have interest and I’m happy to take this question to the 2024-05-16 COMSEC meeting to figure out the group's interest.
From a security principles perspective I can already say that the way trust is defined is a top-down approach. For the scenario of caching this is the first set of questions that come to my mind (sorted top-to-bottom):
- What trust guarantees are we aiming for? e.g. how much vetting does a binary “require” to be allowed on our cache?
- What risks are we aiming to mitigate?
- What constraints do we need to work around? e.g. storage/compute/bandwidth
- How & where are we building software, e.g. dedicated buildfarm owned by auxolotl vs community provided build machines with diverse ownerships
- Caching style: Centralized but redundant vs p2p - some possibilities have been described in Binary Cache thoughts

In top-down design processes, making technology decisions happens rather late, because the non-technical goals need to be well enough understood to be able to qualify/disqualify a piece of software.