On Sat, Oct 14, 2017 at 03:23:45PM +0200, Ricardo Wurmus wrote:
> I don’t know.  Substitute sources have to authorized before downloaded
> substitutes are accepted by the daemon.  This authorization happens as
> the root user, as it constitutes a system-wide change.

I was thinking of situations where the subsitute signing key is
authorized, but substitutes are disabled system-wide.

I don't have a use case for this configuration but, to me, it doesn't
seem far-fetched for multi-user systems. Maybe the administrator is
willing to let users trust substitutes, but doesn't want to do it for
the privileged Guix installation.