From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: armhf build machines
Date: Wed, 09 Dec 2015 14:50:26 +0100
Message-ID: <871tavu3x9.fsf@gnu.org>
References: <20151207111424.6297eea2@debian-netbook> <20151207103646.GA5390@debian.eduroam.u-bordeaux.fr> <20151207182817.GA24951@jasmine> <87bna1svy1.fsf@gnu.org> <87y4d5zips.fsf@netris.org> <87fuzc7tb4.fsf@gnu.org> <87zixkybl6.fsf@netris.org>
In-Reply-To: <87zixkybl6.fsf@netris.org> (Mark H. Weaver's message of "Tue, 08 Dec 2015 14:39:01 -0500")
To: Mark H Weaver
Cc: guix-devel@gnu.org

Mark H Weaver writes:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Mark H Weaver writes:
>>
>>> ludo@gnu.org (Ludovic Courtès) writes:
>>>
>>>> Leo Famulari writes:
>>>>
>>>>> What sort of machine would be appropriate for hydra?
>>>>
>>>> Something rather big: say 8+ cores, 16+G RAM, fast disk of 3T at least.
>>>
>>> I would also add that it should run Libreboot, for which the ASUS
>>> KGPE-D16 is currently the best supported server-class motherboard.
>>
>> Right, I would prefer it as well; I hope we can find such rackable
>> servers.
>>
>> If it turns out that all we can buy in practice is an ME-backdoored
>> server,
>
> Under what set of circumstances would this be the case?

I don’t know, I’m just showing my ignorance. :-)

> The ASUS KGPE-D16 is widely available. It's even available
> pre-flashed with Libreboot from minifree.org, the company run by
> Francis Rowe, the creator of Libreboot.

So that sounds perfect. Does it meet the other requirements above?

(We discussed it a couple of times on IRC, but I admit I never took the
time to learn more about what’s available.)

>> I *might* be willing to take it, with the understanding that it
>> would become less and less of a single point of trust (assuming more of
>> our package builds become reproducible, and other users publish binaries
>> as well.)
>
> If hydra is compromised, then its private key could be stolen and
> facilitate targeted delivery of malicious binary substitutes to
> individual users. The existence of other users who run 'guix challenge'
> would not prevent that, afaict.
>
> Anyway, to my mind, the security issues are secondary. We should avoid
> running non-free software wherever feasible. It is now fairly easy for
> us to arrange for hydra.gnu.org to run 100% free software from the boot
> firmware up. Given this, and our commitment to free software, I'm
> surprised that we would not make this a priority.

This is definitely important, and again, if the servers Francis’ company
provides fit the bill, then go for it!

Thanks for your feedback,
Ludo’.
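The following is an added illustration, not code from this thread or from Guix itself, of the point Mark makes above: a stolen substitute-server signing key lets an attacker serve a validly signed, tampered binary to one chosen client, and other users running a `guix challenge`-style comparison do not notice because they are served the honest build. Signatures are modelled with HMAC-SHA256 as a stand-in for the real signature scheme, and the server names, store path, key material and binary contents are all constructed for the example.

```python
import hashlib
import hmac

# Added example (not from the thread): toy model of signed substitutes.
# HMAC stands in for a real public-key signature (assumption for brevity);
# every name, path and key below is constructed.


def nar_hash(contents: bytes) -> str:
    """Hash of a store item's serialised contents (toy: plain SHA-256)."""
    return hashlib.sha256(contents).hexdigest()


def sign(key: bytes, path: str, digest: str) -> str:
    """Sign (path, hash) with the substitute server's private key (toy HMAC)."""
    return hmac.new(key, f"{path}\n{digest}".encode(), "sha256").hexdigest()


def verify(key: bytes, path: str, digest: str, signature: str) -> bool:
    """Constant-time check of a substitute signature."""
    return hmac.compare_digest(sign(key, path, digest), signature)


class SubstituteServer:
    """Honest server: publishes one signed (hash, signature) per store path."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.items = name, key, {}

    def publish(self, path: str, contents: bytes) -> None:
        digest = nar_hash(contents)
        self.items[path] = (digest, sign(self.key, path, digest))

    def narinfo(self, path: str, client: str):
        # Honest servers answer the same way regardless of who asks.
        return self.items.get(path)


class CompromisedServer(SubstituteServer):
    """Same interface, but the attacker holds the stolen key and serves a
    different, validly signed binary to one chosen client only."""

    def __init__(self, name, key, victim, tampered_path, tampered_contents):
        super().__init__(name, key)
        self.victim, self.tampered_path = victim, tampered_path
        digest = nar_hash(tampered_contents)
        self.tampered = (digest, sign(key, tampered_path, digest))

    def narinfo(self, path, client):
        if client == self.victim and path == self.tampered_path:
            return self.tampered
        return self.items.get(path)


def fetch_substitute(server, trusted_key, path, client):
    """What a client that only checks signatures would install: the hash
    it accepted, or None if the signature did not verify."""
    info = server.narinfo(path, client)
    if info is None:
        return None
    digest, signature = info
    return digest if verify(trusted_key, path, digest, signature) else None


def challenge(path, servers, client):
    """'guix challenge'-style comparison from one client's point of view:
    the set of distinct hashes it is offered for the same path by
    independent builders.  More than one hash means the builds disagree."""
    seen = set()
    for server in servers:
        info = server.narinfo(path, client)
        if info is not None:
            seen.add(info[0])
    return seen


# --- constructed scenario ------------------------------------------------
HYDRA_KEY = b"hydra-private-key (constructed)"
PATH = "/gnu/store/abc123-hello-2.10"
GOOD = b"reproducible hello binary (constructed)"
BAD = b"backdoored hello binary (constructed)"

# hydra's key has been stolen; only "alice" is targeted.
hydra = CompromisedServer("hydra.gnu.org", HYDRA_KEY, "alice", PATH, BAD)
hydra.publish(PATH, GOOD)  # everyone else is served the real build
independent = SubstituteServer("other-builder", b"other-key (constructed)")
independent.publish(PATH, GOOD)  # a reproducible build matches hydra's

if __name__ == "__main__":
    print("alice accepts:", fetch_substitute(hydra, HYDRA_KEY, PATH, "alice") == nar_hash(BAD))
    print("bob's challenge sees", len(challenge(PATH, [hydra, independent], "bob")), "hash(es)")
    print("alice's challenge sees", len(challenge(PATH, [hydra, independent], "alice")), "hash(es)")
```

Run as-is, the victim's signature check passes on the tampered binary (the key is genuine), a bystander's challenge reports a single agreed hash, and only a challenge run by the victim herself, against an independent builder, exposes the mismatch. That is why Mark's point stands: other people's `guix challenge` runs do not protect a targeted user, whereas the victim comparing against independent, reproducible builds does.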