Re: Secure GNU Guix offloading
From: Léo Le Bouter
Subject: Re: Secure GNU Guix offloading
Date: Sun, 04 Apr 2021 01:12:19 +0200
User-agent: Evolution 3.34.2

On Tue, 2021-03-30 at 10:26 +0200, Ludovic Courtès wrote:
> Hi!
>
> Léo Le Bouter <lle-bout@zaclys.net> skribis:
>
> > I don't want to give more access than what SSH non-root access would
> > give, and I think it would be possible to do something helpful in GNU
> > Guix offloading so it can work even without the offload machine
> > trusting the client's store public signing key.
>
> One possibility would be to give SSH access and nothing more. That
> would allow hackers to run:
>
> GUIX_DAEMON_SOCKET=ssh://leo.example.org guix build whatever
>
> Users would still be able to retrieve build results from your machine
> via ‘guix copy’ or an instance of ‘guix publish’ running on the
> machine.
>
> HTH!
>
> Ludo’.
Thank you! I did not know setting daemon address over SSH was possible!