Hi Simon,

zimoun 写道：
> If I understand correctly, if a committer offloads to say Berlin 
> or
> Bayfront, your concern is that the output will be in the 
> publicly
> exposed store.  Right?

No, that would be far worse.  I'm considering only a ‘private’ 
offload server shared by several trusted users, where one 
compromised (whether technically or mentally :-) user can easily 
‘infect’ other contributors in a way that's very hard to detect. 
‘Trusting trust’ comes to mind.

> For instance, one could imagine a dedicated VM for all the 
> committers
> who require some CPU power.

Right, that's what I'm describing in my previous mail.

Now, we could spin up a separate VM for each user, and just take 
the efficiency hit…  Users would be safe from anything but 
VM-escape exploits (which exist but are rare).

> A minimal job submission API with token would be ideal, IMHO. 
> But it
> falls into:
>
>         Now is better than never.
>         Although never is often better than *right* now.
>
>                                     – python -c 'import this' –

What does this mean?

Kind regards,

T G-R