June 11, 2022 4:00 PM, "Maxime Devos" <maximede...@telenet.be> wrote:
> jbra...@dismail.de wrote on Sat 11-06-2022 at 16:06 [+0000]:
>
>> What's good and/or bad about this idea?
>
> A positive point: extra resources, could be useful for reproducibility
> testing, ...?

That's actually a good idea. I could give limited ssh access to a few guix developers. Those guix developers could use my old and hopefully more powerful machines to quickly compile software. Rust takes ages to compile...

> A negative point: extra points through which malware can be introduced
> (->compromises). Can be solved by reproducible builds and variation of
> "guix challenge". Unfortunately, "guix challenge" is inherently racy.
> "guix substitute" currently only checks that the narinfo has a _single_
> authorised signature, maybe it can be adjusted to allow the user to
> ask: ‘only consider a substitute to be authorised if the same hash is
> signed by N different authorised keys’?

Thanks for the feedback. We could also use the machines as a mirror or an additional substitute server.

> Other points: ...?
>
> Greetings,
> Maxime.
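The "same hash signed by N different authorised keys" rule raised in the quoted message, written out as an added Python example; it is not Guix code and not part of the original thread. It assumes each narinfo signature has already been verified against the key it names; the function name `quorum_hash`, the key ids and the hashes are hypothetical, constructed values.

```python
from collections import defaultdict

def quorum_hash(attestations, authorized_keys, threshold):
    """Decide which NarHash, if any, to accept for one store item.

    attestations: iterable of (key_id, nar_hash) pairs, one per narinfo whose
    signature has ALREADY been verified against key_id (assumed done elsewhere).
    Returns (accepted_hash_or_None, {nar_hash: sorted list of signers}).
    """
    hashes_by_key = defaultdict(set)
    for key_id, nar_hash in attestations:
        if key_id in authorized_keys:          # unauthorised signers never count
            hashes_by_key[key_id].add(nar_hash)

    signers = defaultdict(set)
    for key_id, hashes in hashes_by_key.items():
        if len(hashes) == 1:                   # a key vouching for two hashes is dropped
            signers[next(iter(hashes))].add(key_id)  # one vote per key, not per mirror

    report = {h: sorted(keys) for h, keys in signers.items()}
    winners = [h for h, keys in signers.items() if len(keys) >= threshold]
    # Two hashes both reaching the threshold means the item is not reproducible
    # (or keys are compromised): accept neither and leave it to the caller.
    return (winners[0] if len(winners) == 1 else None), report

# Constructed sample data: key ids and hashes are placeholders.
AUTHORIZED = {"key-A", "key-B", "key-C"}
SAMPLE = [
    ("key-A", "sha256:aaaa"),
    ("key-A", "sha256:aaaa"),   # same key seen again through a mirror
    ("key-B", "sha256:aaaa"),
    ("key-C", "sha256:bbbb"),   # an authorised server whose build differs
    ("key-X", "sha256:aaaa"),   # valid signature, but the key is not authorised
]

if __name__ == "__main__":
    print(quorum_hash(SAMPLE, AUTHORIZED, threshold=2))
    print(quorum_hash(SAMPLE, AUTHORIZED, threshold=3))
```

Counting distinct keys rather than narinfos matters once machines are added as mirrors: a mirror re-serving another server's signed narinfo adds availability but no extra vote.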