From: Ludovic Courtès
To: Tobias Geerinckx-Rice
Cc: guix-devel@gnu.org
Subject: Re: Public guix offload server
Date: Fri, 29 Oct 2021 14:01:17 +0200
Message-ID: <87o8782g6q.fsf@gnu.org>
In-Reply-To: <87cznz74l5.fsf@nckx> (Tobias Geerinckx-Rice's message of "Wed, 20 Oct 2021 23:06:05 +0200")
References: <878rynh0yq.fsf@systemreboot.net> <87cznz74l5.fsf@nckx>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi,

Tobias Geerinckx-Rice wrote:

> Arun Isaac wrote:

[...]

>> Currently, guix offload requires mutual trust between the master
>> and the build machines. If we could make the trust only one-way,
>> security might be less of an issue.
>
> It might! It's easy to imagine a second, less powerful offload
> protocol where clients can submit only derivations to be built by
> the remote daemon, plus fixed-output derivations.

One thing that does not require mutual trust, roughly like you describe,
is:

  GUIX_DAEMON_SOCKET=ssh://guix.example.org guix build …

We could have an HTTP bridge and that’d be workable. It could be just
streaming the daemon RPCs as-is on websockets, or defining an HTTP API
for each useful RPC.

Perhaps some of this can be also addressed with the Guix Build
Coordinator, which already provides an HTTP API, although a higher-level
one. Chris?

>> WDYT? How does everyone else handle big builds? Do you have access to
>> powerful workstations?

I have a 4-core Intel i7 laptop, which is okay for many things, and I
also have access to a couple of 32-core machines when I need to test
bigger builds like GCC. And then there’s waiting for ci.guix feedback.

Ludo’.