On Tue, 2021-03-30 at 10:26 +0200, Ludovic Courtès wrote: > Hi! > > Léo Le Bouter skribis: > > > I don't want to give more access than what SSH non-root access > > would > > give, and I think it would be possible to do something helpful in > > GNU > > Guix offloading so it can work even without the offload machine > > trusting the client's store public signing key. > > One possibility would be to give SSH access and nothing more. That > would allow hackers to run: > > GUIX_DAEMON_SOCKET=ssh://leo.example.org guix build whatever > > Users would still be able to retrieve build results from your machine > via ‘guix copy’ or an instance of ‘guix publish’ running on the > machine. > > HTH! > > Ludo’. Thank you! I did not know setting daemon address over SSH was possible!