Hi,

>> Currently, guix offload requires mutual trust between the master and
>> the build machines. If we could make the trust only one-way, security
>> might be less of an issue.
>
> It might! It's easy to imagine a second, less powerful offload
> protocol where clients can submit only derivations to be built by the
> remote daemon, plus fixed-output derivations. None of the ‘let me
> send the entire binary toolchain so you don't have to build it from
> scratch’ of the current protocol. This at least removes their control
> over the source hash.

I just realized we might already have something close to this second,
less powerful offload protocol that needs only one-way trust. According
to the NEWS file, since Guix 0.13.0, the GUIX_DAEMON_SOCKET environment
variable lets us specify remote daemons. See "(guix) The Store" in the
manual for detailed documentation.

The only thing missing is some way to retrieve the built output from the
remote store.

Regards,
Arun