Ludovic Courtès wrote on Mon 11-04-2022 at 22:33 [+0200]:
> > Ludovic Courtès wrote on Mon 11-04-2022 at 11:48 [+0200]:
> > > >    * bonus: except possibly for the secret key material, "guix publish"
> > > >      does not have to be started as root anymore even if it uses a
> > > >      reserved port such as port 80 (assuming socket activation is used).
> > >
> > > But it does need to access the secret key…
> >
> > The ‘guix publish’ could be run as a separate, say, guix-publish user,
> > and the secret key could be made readable to guix-publish.
>
> That doesn’t sound reasonable.

Why not?  ‘guix publish’ needs read access to the secret key anyway.

Though then (if done with chown) ‘guix publish’ could modify the secret key file, so maybe instead of making it ‘owned’ by the 'guix-publish' user, just set an ACL to allow read access from ‘guix-publish’ but not write access?

Though that seems to be more complex than just letting ‘guix publish’ open the file and change users by itself, so maybe not.

Greetings,
Maxime.
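The last alternative in the message above, a daemon that reads the secret key while still root and then changes users itself, written out in Guile as an added illustration (this is not code from the thread or from Guix; the key-file path, the `guix-publish` user name and the `start-publish` entry point are assumptions):

```scheme
;; Added example, not Guix's own code: read the signing key as root, then
;; drop to an unprivileged user before any network-facing work starts.
(use-modules (ice-9 binary-ports))

(define (read-secret-key file)
  ;; Read the whole key into a bytevector.  This runs while the process
  ;; still has the privileges needed to open the root-owned file.
  (call-with-input-file file get-bytevector-all #:binary #t))

(define (drop-privileges! user)
  ;; Order matters: supplementary groups and gid must be set before uid,
  ;; because once the uid is unprivileged the process can no longer
  ;; change its group membership.
  (let* ((pw  (getpwnam user))
         (uid (passwd:uid pw))
         (gid (passwd:gid pw)))
    (setgroups (vector gid))
    (setgid gid)
    (setuid uid)
    ;; Verify the switch actually happened; a silent failure here would
    ;; leave the daemon running as root.
    (unless (and (= (getuid) uid) (= (geteuid) uid)
                 (= (getgid) gid) (= (getegid) gid))
      (error "failed to drop privileges to" user))))

(define (start-publish key-file user)
  ;; Assumed entry point: bind the reserved port (or take the socket
  ;; handed over by socket activation) and load the key first, switch
  ;; users second, and only then start serving.
  (let ((key (read-secret-key key-file)))
    (drop-privileges! user)
    ;; With the uid changed, the key file is no longer writable (or even
    ;; readable) by this process, so a later compromise cannot alter it.
    key))

;; Assumed paths/names for illustration only:
;; (start-publish "/path/to/signing-key.sec" "guix-publish")
```

Because the key bytes stay only in memory after the switch, no chown or ACL on the key file is needed for the unprivileged user, which is the simplification the message is weighing against the ACL option.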