Hi,

Tobias Geerinckx-Rice <m...@tobias.gr> writes:

> Arun Isaac writes:

[...]

>> Currently, guix offload requires mutual trust between the master
>> and the build machines. If we could make the trust only one-way,
>> security might be less of an issue.
>
> It might! It's easy to imagine a second, less powerful offload
> protocol where clients can submit only derivations to be built by
> the remote daemon, plus fixed-output derivations.

One thing that does not require mutual trust, roughly like you describe is:

  GUIX_DAEMON_SOCKET=ssh://guix.example.org guix build …

We could have an HTTP bridge and that’d be workable. It could be just
streaming the daemon RPCs as-is on websockets, or defining an HTTP API
for each useful RPC.

Perhaps some of this can be also addressed with the Guix Build
Coordinator, which already provides an HTTP API, although a
higher-level one. Chris?

>> WDYT? How does everyone else handle big builds? Do you have access
>> to powerful workstations?

I have a 4-core Intel i7 laptop, which is okay for many things, and I
also have access to a couple of 32-core machines when I need to test
bigger builds like GCC.

And then there’s waiting for ci.guix feedback.

Ludo’.