Providing/Submitting substitutes

Providing/Submitting substitutes

[phodina via]

Hi,

is there a way how to submit built packages to the official substitution server?

My point here is I wanted to install ungoogled-chromium-
96.0.4664.93-1 on my x86_64 machine and unfortunately it was not available [1]. Therefore I built it on more powerful machine and shared the outputs of the derivation.

However, since I already built the browser and it took several hours I'd like to provide it also to other people.

Is there a way to submit the outputs of derivation to the official substitution server or the only way would be to make public my substitution server?

I do understand that accepting the derivation outputs also involves trusting the other party. Correct me if I'm wrong but can't this be solved be verified by using guix challenge?
[1] http://ci.guix.gnu.org/search?query=ungoogled-chromium

----
Petr

Re: Providing/Submitting substitutes

[Tobias Geerinckx-Rice]

[-- Attachment #1: Type: text/plain, Size: 1727 bytes --]

Petr,

phodina via 写道：
> However, since I already built the browser and it took several 
> hours
> I'd like to provide it also to other people.

That's very considerate of you.  Thank you!

> Is there a way to submit the outputs of derivation to the 
> official
> substitution server or the only way would be to make public my
> substitution server?

I'm afraid so (the latter).  As you mention, this would require 
trusting the other party but to an unreasonably degree: the 
ability to redistribute arbitrary binaries, signed by the project, 
to all Guix users.

That said, if your substitution server has decent uptime, traffic, 
and a public IP, nothing's stopping you from putting up a 
disclaimer page (like guix.tobias.gr… or better) and serving your 
substitutes to others.

Adding the guix publish service is trivial, about as much work as 
typing ‘guix archive --export’ once, and is a one-time effort!

</promo>

> Correct me if I'm wrong but can't this be solved be verified by
> using guix challenge?

In this case, I don't see how.  Guix challenge is a valuable tool 
but to use it in this way requires a fundamentally trusted party 
(e.g., you, or say, bordeaux.guix.gnu.org) to be distributing 
their own independently-built copy.

If that were the case you wouldn't have had to build it yourself. 
So it could be used after the fact, or for general ‘hm, this is 
interesting’ flagging for further research, and that's not good 
enough here.  Copies would have been distributed by then.

Challenges between 2 supposedly independent unofficial substitute 
providers would be quite vulnerable to various kinds of 
subversion.

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]

Re: Providing/Submitting substitutes

[phodina]

Hi Tobias,

> Petr,
>
> phodina via 写道：
>
> > However, since I already built the browser and it took several > hours
> >
> > I'd like to provide it also to other people.
>
> That's very considerate of you. Thank you!

My thanks go to all contributors of Guix for creating such amazing project!

>
> > Is there a way to submit the outputs of derivation to the > official
> >
> > substitution server or the only way would be to make public my
> >
> > substitution server?
>
> I'm afraid so (the latter). As you mention, this would require trusting the other party but to an unreasonably degree: the ability to redistribute arbitrary binaries, signed by the project, to all Guix users.

I was afraid so. However, that is understandable as security and trust would have to be sacrificed and it would open a large vector of attack against Guix users.
>
> That said, if your substitution server has decent uptime, traffic, and a public IP, nothing's stopping you from putting up a disclaimer page (like guix.tobias.gr… or better) and serving your substitutes to others.

I do have a VPS server currently running NixOS as this was the first system with the different concepts. Though, I'm now creating a patch for the provider [1] in order to run Guix System there. It has decent storage, performance and network connectivity.

>
> Adding the guix publish service is trivial, about as much work as typing ‘guix archive --export’ once, and is a one-time effort!
>
> </promo>

No need for the promo, I want to run a substitution server (figure out how to do it correctly and securely) as otherwise this machine is sitting there mostly idle.

>
> > Correct me if I'm wrong but can't this be solved be verified by
> >
> > using guix challenge?
>
> In this case, I don't see how. Guix challenge is a valuable tool but to use it in this way requires a fundamentally trusted party (e.g., you, or say, bordeaux.guix.gnu.org) to be distributing their own independently-built copy.

>
> If that were the case you wouldn't have had to build it yourself. So it could be used after the fact, or for general ‘hm, this is interesting’ flagging for further research, and that's not good enough here. Copies would have been distributed by then.
>
> Challenges between 2 supposedly independent unofficial substitute providers would be quite vulnerable to various kinds of subversion.
>
> Kind regards,
>
> T G-R

Thanks for the explanation. If I understand this correctly than it basically
boils down to trusting the parties themselves.

----
Petr

[1] https://vpsfree.cz