Ludovic Courtès wrote on Mon 11-04-2022 at 11:48 [+0200]:
> >    * bonus: except possibly for the secret key material, "guix publish"
> >      does not have to be started as root anymore even if it uses a
> >      reserved port such as port 80 (assuming socket activation is used).
>
> But it does need to access the secret key…

The ‘guix publish’ could be run as a separate, say, guix-publish user,
and the secret key could be made readable to guix-publish.

Alternatively, the shepherd could open the secret key file on behalf of
‘guix publish’ and send it together with the listening socket to
‘guix publish’.

Greetings,
Maxime.
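
The second option in the message above (the supervisor opens the key file and hands over only an open descriptor) is shown here as an added Python example; it is not Guix or Shepherd code. It assumes SCM_RIGHTS passing over a Unix socket as the hand-off mechanism, uses hypothetical function names and a constructed key file, and runs both roles in one process for brevity.

```python
import os
import socket
import tempfile

def supervisor_open_and_send(chan, key_path):
    """Privileged side: open the key read-only, pass only the descriptor."""
    fd = os.open(key_path, os.O_RDONLY | os.O_CLOEXEC)
    try:
        # The descriptor travels as SCM_RIGHTS ancillary data; payload is a label.
        socket.send_fds(chan, [b"signing-key"], [fd])
    finally:
        os.close(fd)  # the receiver gets its own duplicate

def worker_receive_key(chan):
    """Unprivileged side: read the key via the descriptor, never via the path."""
    msg, fds, _flags, _addr = socket.recv_fds(chan, 64, 1)
    if msg != b"signing-key" or len(fds) != 1:
        for fd in fds:
            os.close(fd)
        raise RuntimeError("unexpected message from supervisor")
    fd = fds[0]
    try:
        data = os.read(fd, 4096)
        try:
            os.write(fd, b"x")  # must fail: the descriptor is read-only
            writable = True
        except OSError:
            writable = False
        return data, writable
    finally:
        os.close(fd)

def demo():
    sup, wrk = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "signing-key.sec")  # constructed stand-in file
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.write(fd, b"constructed-secret-key-material\n")
        os.close(fd)
        supervisor_open_and_send(sup, path)
        os.unlink(path)  # the worker has no path it could open
        result = worker_receive_key(wrk)
    sup.close()
    wrk.close()
    return result

if __name__ == "__main__":
    print(demo())
```

With separate processes, the worker can run under a user that has no permission on the key file at all, since access is granted by the descriptor and limited to the mode it was opened with.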