Re: Public guix offload server

[zimoun]

Hi Tobias,

I understand your point of view.

On Fri, 22 Oct 2021 at 00:16, Tobias Geerinckx-Rice <me@tobias.gr> wrote:

> Trusting people not to be evil is not the same as having to trust 
> the opsec habits of every single one of them.  Trust isn't 
> transitive.  Personally, I don't think a rogue zimoun will 
> suddenly decide to abuse us.  I think rogues will abuse zimoun the 
> very first chance they get.

>From my understanding, here is the net of our “disagreement”.

> That's not a matter of degree: it's a whole different threat 
> model, as is injecting arbitrary binaries vs. pushing malicious 
> code commits.  Both are bad news, but there's an order of 
> magnitude difference between the two.

And I miss the threat model about “injecting binaries” in the case of
shared offload.  Anyway. :-)

Let move forward and discuss another solution than the usual offload.

You pointed the idea «one might consider dropping SSH account-based
access in favour of a minimal job submission API, and just return the
results through guix publish or so…?  OTOH, that's yet another code
path.»

Imagine another Cuirass instance where any committer could add [1] their
own branch.  It would act as this minimal job submission API.

1: <https://ci.guix.gnu.org/specification/add/>

The questions are the authentication to this Cuirass instance and how
Cuirass deals with rebased branch (which would happen).

WDYT?


Cheers,
simon