unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / Atom feed
From: "Léo Le Bouter" <lle-bout@zaclys.net>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: Secure GNU Guix offloading
Date: Sun, 04 Apr 2021 01:12:19 +0200	[thread overview]
Message-ID: <e51f5fd16670715e0865688d1a2bad6f80f0fcd3.camel@zaclys.net> (raw)
In-Reply-To: <87wntphwsb.fsf@gnu.org>

[-- Attachment #1: Type: text/plain, Size: 848 bytes --]

On Tue, 2021-03-30 at 10:26 +0200, Ludovic Courtès wrote:
> Hi!
> 
> Léo Le Bouter <lle-bout@zaclys.net> skribis:
> 
> > I don't want to give more access than what SSH non-root access
> > would
> > give, and I think it would be possible to do something helpful in
> > GNU
> > Guix offloading so it can work even without the offload machine
> > trusting the client's store public signing key.
> 
> One possibility would be to give SSH access and nothing more.  That
> would allow hackers to run:
> 
>   GUIX_DAEMON_SOCKET=ssh://leo.example.org guix build whatever
> 
> Users would still be able to retrieve build results from your machine
> via ‘guix copy’ or an instance of ‘guix publish’ running on the
> machine.
> 
> HTH!
> 
> Ludo’.

Thank you! I did not know setting daemon address over SSH was possible!

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

      reply	other threads:[~2021-04-03 23:12 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-23 13:46 Léo Le Bouter
2021-03-30  8:26 ` Ludovic Courtès
2021-04-03 23:12   ` Léo Le Bouter [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e51f5fd16670715e0865688d1a2bad6f80f0fcd3.camel@zaclys.net \
    --to=lle-bout@zaclys.net \
    --cc=guix-devel@gnu.org \
    --cc=ludo@gnu.org \
    --subject='Re: Secure GNU Guix offloading' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

unofficial mirror of guix-devel@gnu.org 

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://yhetil.org/guix-devel/0 guix-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 guix-devel guix-devel/ https://yhetil.org/guix-devel \
		guix-devel@gnu.org
	public-inbox-index guix-devel

Example config snippet for mirrors.
Newsgroups are available over NNTP:
	nntp://news.yhetil.org/yhetil.gnu.guix.devel
	nntp://news.gmane.io/gmane.comp.gnu.guix.devel


AGPL code for this site: git clone http://ou63pmih66umazou.onion/public-inbox.git