[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: U.S. Midwest based build farm
From: |
Maxime Devos |
Subject: |
Re: U.S. Midwest based build farm |
Date: |
Sat, 11 Jun 2022 22:00:39 +0200 |
User-agent: |
Evolution 3.38.3-1 |
jbranso@dismail.de schreef op za 11-06-2022 om 16:06 [+0000]:
> What's good and/or bad about this idea?
A positive point: extra resources, could be useful for reproducibility
testing, ...?
A negative point: extra points through with malware can be introduced
(->compromises). Can be solved by reproducible builds and variation of
"guix challenge". Unfortunately, "guix challenge" is inherently racy.
"guix substitute" currently only checks that the narinfo has a _single_
authorised signature, maybe it can be adjusted to allow the user to
ask: ‘only consider a substitute to be authorised if the same hash is
signed by N different authorised keys’?
Other points: ...?
Greetings,
Maxime.
signature.asc
Description: This is a digitally signed message part