[bug#44800] [PATCH v2 3/3] Use substitute servers on the local network.

[Mathieu Othacehe <othacehe@gnu.org>]

Hey,

> How about ‘--discover-substitute-servers’ or ‘--discover-substitutes’ or
> even ‘--discover’?

"--discover" seems nice.

> I think we need a note about the performance, security, and privacy
> implications of this here, namely:
>
>   0. It might be faster/less expensive than fetching from remote
>      servers; 
>
>   1. There are no security risks, only genuine substitutes will be used
>      (add cross-ref);
>
>   2. An attacker advertising ‘guix publish’ on your LAN cannot serve you
>      malicious binaries, but they can learn what software you’re
>      installing.
>
>   3. Servers may serve substitute over HTTP, unencrypted, so anyone on
>      the LAN can see what software you’re installing.

I added a variant of this snippet to the documentation.

> IWBN to have an action of the Shepherd service to turn it on and off;
> you might want to do that depending on how much you trust the LAN you’re
> on.  (That can come later though.)

Yup, I agree.

> Aren’t we partly duplicating what avahi-daemon’s already doing?
> avahi-daemon maintains a list of currently valid advertisements, which
> can be seen with:
>
>   avahi-browse --cache _workstation._tcp
>
> However, that cache first needs to be initialized by running the same
> command without ‘--cache’.  Hmm, maybe there’s no other choice.  I
> wonder how others deal with that.

If the local network machines are connected with multiple interfaces
such as Wifi and Ethernet, then the discovered services will appear
multiple times, regardless of the "cache" option I think.

Couldn't find any useful resources about that, someone maybe?

> Just set a variable local to this file and that’s enough.  You still
> need the second line so that (guix scripts substitute) knows whether it
> should read the thing.

Right, fixed.

> Imagine: you’re at GuixCon 2021, there are 500 participants all of which
> are running ‘guix publish --advertise’; every Guix operation leads to
> everyone’s Guix talking to every other person’s Guix, the whole thing
> gets slow as hell, 500 people staring at “updating list of substitutes”,
> 500 people eventually giving up and signing up for CONDACon.

Haha, that would be a shame. I limited the number of local substitute
servers to 50. Maybe that's too high. I think that we will be able to
fine tune this value once we have more experience with it. Deploying
this mechanism on berlin will probably help.

> Also, we must make sure ‘guix substitute’ gracefully handles disconnects
> and servers still advertised but no longer around (timeouts etc.)
>
> We’ll need real world tests to see how it behaves I think.  In the
> meantime, we can describe it as a technology preview™ in the manual.

Sure, I described this option as "experimental" in the
documentation. Regarding the disconnections and timeouts, there's
probably some work, but I think it's transverse to this development.

Pushed the whole patchset, taking your remarks into account. Thanks
again for reviewing.

Thanks,

Mathieu