l...@gnu.org (Ludovic Courtès) writes: > Hello! > > Oleg Pykhalov <go.wig...@gmail.com> skribis: > >> Domen Kožar <do...@dev.si> recently was in #guix (IRC) 2 days ago asking >> about support of Guix in cachix. Also he opened an issue on GitHub: >> >>> I'm opening this issue for interest around supporting Guix. >> >> [1] https://github.com/cachix/cachix/issues/85 > > Cachix looks interesting! It’s good to collaboratively provide > binaries. It’s easier than having everyone set up ‘guix publish’, at > the cost of being more centralized. > > The “cachix use <name>” example on https://cachix.org/ glosses over > security “details” though. I wonder how one gets to authenticate a > particular user of Cachix and to authorize binaries coming from them. > There’s also the issue that said user could be publishing binaries they > themselves obtained from a source that you do not trust yourself. Tough > issues!
I asked about discovering signing keys and apparently you'll find it at https://<user>.cachix.net, and that's the substitute URL too. It looks useful for those who don't want to or can't publish their own substitutes. And `guix challenge` makes it easy to verify the builds coming from a particular "channel". I would not want to publish all my builds there, though. Not sure how it would be integrated on the client side.
signature.asc
Description: PGP signature
