From: Arun Isaac
To: Tobias Geerinckx-Rice
Subject: Re: Public guix offload server
Date: Fri, 22 Oct 2021 01:53:44 +0530
Message-ID: <87lf2mazzj.fsf@systemreboot.net>
In-Reply-To: <87cznz74l5.fsf@nckx>
References: <878rynh0yq.fsf@systemreboot.net> <87cznz74l5.fsf@nckx>
Cc: guix-devel@gnu.org

Hi,

>> Currently, guix offload requires mutual trust between the master and
>> the build machines. If we could make the trust only one-way, security
>> might be less of an issue.
>
> It might! It's easy to imagine a second, less powerful offload
> protocol where clients can submit only derivations to be built by the
> remote daemon, plus fixed-output derivations. None of the ‘let me
> send the entire binary toolchain so you don't have to build it from
> scratch’ of the current protocol. This at least removes their control
> over the source hash.

I just realized we might already have something close to this second,
less powerful offload protocol that needs only one-way trust. According
to the NEWS file, since Guix 0.13.0, the GUIX_DAEMON_SOCKET environment
variable lets us specify remote daemons. See "(guix) The Store" in the
manual for detailed documentation. The only thing missing is some way to
retrieve the built output from the remote store.

Regards,
Arun