Re: P2P Guix package building and distribution

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: P2P Guix package building and distribution

From:	Samuel Christie
Subject:	Re: P2P Guix package building and distribution
Date:	Thu, 22 Aug 2024 17:57:36 -0400
User-agent:	Gnus/5.13 (Gnus v5.13)

Andreas Enge <andreas@enge.fr> writes:

Am Wed, Aug 21, 2024 at 06:07:58PM -0400 schrieb ChristineLemmer-Webber:
Okay, but what if instead I had the option to downloadsomething signed off by *all of* the MegaCloud build serviceand two "Guix Builders", and they all came to the same hash?
Would this not suppose that all these build instances arecompletely disjoint from each other (like bordeaux or ci), andthus will have to build everything from scratch? Since if a"Guix Builder" uses a MegaCloud input, every build from then onis no more secure than a MegaCloud build.

Yes; every step needs to be validated to ensure the final resultis correct. That doesn't mean all builders need to validate thefull tree, just one non-colluding party for each output.

Maybe one solution is to have the community perform the primarybuilds, with "official" builders arbitrating when there's adisagreement over the hash. As long as each package is built by atleast one non-colluding peer, any deviations will be caught. Thiswould be simpler than a full consensus protocol, but still avoidmost conflicts and ensure correctness. Repeat offenders shouldeventually be ignored or banned somehow, but in the worst case itdevolves to the system we have now of official servers buildingeverything.

Given the effort (in money and administrators' time) to run onebuild farm, it does not look realistic that several people starttheir own build farm at home.

Ideally, the software would be as simple as turning on a serviceto participate. And they shouldn't have to be "full" build farms,just share some of the load.


Since packages are already built locally if no substitutes are
available, it might be interesting to simply let the first few computers
that install the package build and share it. Then only ~2 people have to
build new packages (for minimal verification) instead of making everyone
do it until an official substitute exists.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: Sustainable funding and maintenance for our infrastructure, Marek Paśnikowski, 2024/08/05
- Re: Sustainable funding and maintenance for our infrastructure, Jonathan Frederickson, 2024/08/12
  - Re: Sustainable funding and maintenance for our infrastructure, Sergio Pastor Pérez, 2024/08/13
    - Re: Sustainable funding and maintenance for our infrastructure, Jonathan Frederickson, 2024/08/13
    - Re: Sustainable funding and maintenance for our infrastructure, Felix Lechner, 2024/08/14
    - Re: Sustainable funding and maintenance for our infrastructure, Jonathan Frederickson, 2024/08/24
    - P2P Guix package building and distribution, Christine Lemmer-Webber, 2024/08/21
    - Re: P2P Guix package building and distribution, Andreas Enge, 2024/08/22
    - Re: P2P Guix package building and distribution, Samuel Christie <=

Prev by Date: Missing ld from the aarch64 go-build-system environment when building a go package
Next by Date: Re: Cookbook recipe from "The Repository as a Channel" section does not work for Guix with properly configured GUILE_LOAD_PATH
Previous by thread: Re: P2P Guix package building and distribution
Next by thread: Re: Indication of build failure from substitute servers?
Index(es):
- Date
- Thread