Ludovic Courtès wrote on Mon 11-04-2022 at 22:33 [+0200]:
> > Alternatively, the shepherd could open the secret key file on behalf of
> > ‘guix publish’ and send it together with the listening socket to
> > ‘guix publish’.
>
> Sure, that’s feasible, but that’d require a custom protocol that I’d
> rather avoid.

I don't think it does, as long as we are using Shepherd and not SystemD (I don't think that SystemD supports opening regular files instead of sockets?), we could just

* extend 'endpoint->listening-socket' (in Shepherd) to allow opening regular files (and not only actual sockets)
* in 'systemd-socket' (in (guix scripts publish)), expect two startup file descriptors instead of one startup file descriptor, and return both (the first one is the actual listening socket, the second one the secret key file)
* modify 'guix-publish' appropriately
* modify the guix-publish service to pass the file descriptor of the secret key file in addition to the listening socket.

Greetings,
Maxime.
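
The receiving side of the proposal in this message, as an added example that is not part of the original e-mail and is not Guix or Shepherd code: a Python sketch of a service that expects two inherited descriptors and checks their types before use, so a misordered or missing descriptor is rejected instead of being read as a key. It assumes the systemd-style `LISTEN_PID`/`LISTEN_FDS` environment convention with the first descriptor at 3; `take_startup_fds` and `demo` are hypothetical names.

```python
import os
import socket
import stat
import tempfile

SD_LISTEN_FDS_START = 3  # first inherited descriptor in the systemd convention


def take_startup_fds(environ, pid, first_fd=SD_LISTEN_FDS_START):
    """Validate two inherited descriptors; return (socket_fd, key_fd)."""
    if environ.get("LISTEN_PID") != str(pid):
        raise RuntimeError("LISTEN_PID does not name this process")
    if environ.get("LISTEN_FDS") != "2":
        raise RuntimeError("expected exactly two startup file descriptors")
    sock_fd, key_fd = first_fd, first_fd + 1
    if not stat.S_ISSOCK(os.fstat(sock_fd).st_mode):
        raise RuntimeError("first descriptor is not a socket")
    if not stat.S_ISREG(os.fstat(key_fd).st_mode):
        raise RuntimeError("second descriptor is not a regular file")
    # Keep the key out of any child process the service spawns later.
    os.set_inheritable(key_fd, False)
    return sock_fd, key_fd


def demo(base=100):
    """Constructed self-check; `base` stands in for descriptor 3 (assumed free)."""
    # An unbound socket is enough to exercise the descriptor type check.
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "2"}
    with tempfile.TemporaryFile() as key:
        key.write(b"constructed-secret-key")  # sample bytes, not a real key
        key.flush()
        os.dup2(listener.fileno(), base)      # the supervisor's role
        os.dup2(key.fileno(), base + 1)
        try:
            _, key_fd = take_startup_fds(env, os.getpid(), first_fd=base)
            data = os.pread(key_fd, 64, 0)
            private = not os.get_inheritable(key_fd)
            os.dup2(key.fileno(), base)       # wrong order: file where the socket belongs
            try:
                take_startup_fds(env, os.getpid(), first_fd=base)
                rejected = False
            except RuntimeError:
                rejected = True
            return data, private, rejected
        finally:
            os.close(base)
            os.close(base + 1)
            listener.close()
```

With this arrangement the service itself never needs permission to open the key file by path; it only reads from the descriptor it was handed.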