From: phodina <phodina@protonmail.com>
To: Tobias Geerinckx-Rice <me@tobias.gr>
Cc: help-guix@gnu.org
Subject: Re: Providing/Submitting substitutes
Date: Wed, 22 Dec 2021 11:59:08 +0000 [thread overview]
Message-ID: <IKsBpL1kLWomldv6S0OK7L7cpWQXyqetLYZKvIFMNl1MBadUoQrfpTEheBspk6ZHKZYjzSYc2PvJFRCEmdWH3RnhA6AodSaF4WmDOIZ1j_A=@protonmail.com> (raw)
In-Reply-To: <87o85ga6cv.fsf@nckx>
Hi Tobias,
> Petr,
>
> phodina via 写道:
>
> > However, since I already built the browser and it took several > hours
> >
> > I'd like to provide it also to other people.
>
> That's very considerate of you. Thank you!
My thanks go to all contributors of Guix for creating such amazing project!
>
> > Is there a way to submit the outputs of derivation to the > official
> >
> > substitution server or the only way would be to make public my
> >
> > substitution server?
>
> I'm afraid so (the latter). As you mention, this would require trusting the other party but to an unreasonably degree: the ability to redistribute arbitrary binaries, signed by the project, to all Guix users.
I was afraid so. However, that is understandable as security and trust would have to be sacrificed and it would open a large vector of attack against Guix users.
>
> That said, if your substitution server has decent uptime, traffic, and a public IP, nothing's stopping you from putting up a disclaimer page (like guix.tobias.gr… or better) and serving your substitutes to others.
I do have a VPS server currently running NixOS as this was the first system with the different concepts. Though, I'm now creating a patch for the provider [1] in order to run Guix System there. It has decent storage, performance and network connectivity.
>
> Adding the guix publish service is trivial, about as much work as typing ‘guix archive --export’ once, and is a one-time effort!
>
> </promo>
No need for the promo, I want to run a substitution server (figure out how to do it correctly and securely) as otherwise this machine is sitting there mostly idle.
>
> > Correct me if I'm wrong but can't this be solved be verified by
> >
> > using guix challenge?
>
> In this case, I don't see how. Guix challenge is a valuable tool but to use it in this way requires a fundamentally trusted party (e.g., you, or say, bordeaux.guix.gnu.org) to be distributing their own independently-built copy.
>
> If that were the case you wouldn't have had to build it yourself. So it could be used after the fact, or for general ‘hm, this is interesting’ flagging for further research, and that's not good enough here. Copies would have been distributed by then.
>
> Challenges between 2 supposedly independent unofficial substitute providers would be quite vulnerable to various kinds of subversion.
>
> Kind regards,
>
> T G-R
Thanks for the explanation. If I understand this correctly than it basically
boils down to trusting the parties themselves.
----
Petr
[1] https://vpsfree.cz
prev parent reply other threads:[~2021-12-22 11:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-16 15:19 Providing/Submitting substitutes phodina via
2021-12-16 15:42 ` Tobias Geerinckx-Rice
2021-12-22 11:59 ` phodina [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='IKsBpL1kLWomldv6S0OK7L7cpWQXyqetLYZKvIFMNl1MBadUoQrfpTEheBspk6ZHKZYjzSYc2PvJFRCEmdWH3RnhA6AodSaF4WmDOIZ1j_A=@protonmail.com' \
--to=phodina@protonmail.com \
--cc=help-guix@gnu.org \
--cc=me@tobias.gr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).