From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marius Bakke Subject: Re: Guix support in cachix Date: Wed, 04 Jul 2018 16:17:35 +0200 Message-ID: <87in5v84qo.fsf@fastmail.com> References: <871sck463k.fsf@gmail.com> <87h8lgf0o3.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:37359) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1faibN-0007hk-Ay for guix-devel@gnu.org; Wed, 04 Jul 2018 10:17:50 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1faibJ-0000b5-4T for guix-devel@gnu.org; Wed, 04 Jul 2018 10:17:49 -0400 In-Reply-To: <87h8lgf0o3.fsf@gnu.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Ludovic =?utf-8?Q?Court=C3=A8s?= , Oleg Pykhalov Cc: guix-devel@gnu.org --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable ludo@gnu.org (Ludovic Court=C3=A8s) writes: > Hello! > > Oleg Pykhalov skribis: > >> Domen Ko=C5=BEar recently was in #guix (IRC) 2 days ago a= sking >> about support of Guix in cachix. Also he opened an issue on GitHub: >> >>> I'm opening this issue for interest around supporting Guix. >> >> [1] https://github.com/cachix/cachix/issues/85 > > Cachix looks interesting! It=E2=80=99s good to collaboratively provide > binaries. It=E2=80=99s easier than having everyone set up =E2=80=98guix = publish=E2=80=99, at > the cost of being more centralized. > > The =E2=80=9Ccachix use =E2=80=9D example on https://cachix.org/ gl= osses over > security =E2=80=9Cdetails=E2=80=9D though. I wonder how one gets to auth= enticate a > particular user of Cachix and to authorize binaries coming from them. > There=E2=80=99s also the issue that said user could be publishing binarie= s they > themselves obtained from a source that you do not trust yourself. Tough > issues! I asked about discovering signing keys and apparently you'll find it at https://.cachix.net, and that's the substitute URL too. It looks useful for those who don't want to or can't publish their own substitutes. And `guix challenge` makes it easy to verify the builds coming from a particular "channel". I would not want to publish all my builds there, though. Not sure how it would be integrated on the client side. --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAls81v8ACgkQoqBt8qM6 VPrPBAf/fHSM0KoH3sWjZwqAPkEY9akxTk+vW7IgesMSoyEOVMkvjI449TIIE4lt L3kugBrgrI9lQvkKluh3U+wz/Rl1UuKjgHVXtGdB7C+04oDZoqoBFUE++/4dF9pj Y1JXV8q3zFZo5QXB8LxyLraLiYBZC+sNsoa5UwH4DrVlexrhD2cv6S4Otw+PMgFx PIJoFBV8493JLKk+kZqyDYAUAhvReZgSn/jjCSsLmxC9lEysJzlScOowfYGYmwRF GCvYU3rYTICNcQXtrSRx6aA0H6zNLk0BFMZa7Cpa6eCKjDg4rZkwxxaXdON520MQ UjQUiQtNxibH2vw9BP0XnMAsgbaHGA== =JlcR -----END PGP SIGNATURE----- --=-=-=--