Re: Secure GNU Guix offloading
From: Ludovic Courtès
Subject: Re: Secure GNU Guix offloading
Date: Tue, 30 Mar 2021 10:26:44 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Hi!
Léo Le Bouter <lle-bout@zaclys.net> writes:
> I don't want to give more access than what SSH non-root access would
> give, and I think it would be possible to do something helpful in GNU
> Guix offloading so it can work even without the offload machine
> trusting the client's store public signing key.
One possibility would be to give SSH access and nothing more. That
would allow hackers to run:
    GUIX_DAEMON_SOCKET=ssh://leo.example.org guix build whatever
Users would still be able to retrieve build results from your machine
via ‘guix copy’ or an instance of ‘guix publish’ running on the machine.
HTH!
Ludo’.