[Nix-dev] Proposal: Highly available security-specific trusted build infrastructure

Shea Levy shea at shealevy.com
Sun Oct 16 18:56:45 CEST 2016


Hi all,

hydra.nixos.org is a wonderful community resource, but its broad scope
and somewhat frequent downtime concern me when it comes to security
updates. As a supplemental service, I propose we have a service, hosted
by a professional hosting company with 24/7 support and with multiple
trusted community members having administrative access, dedicated to
building only critical security updates and uploading them to the binary
cache, with the intention that these be used with
system.replaceRuntimeDependencies/pkgs.replaceDependency until hydra has
had a chance to update the entire channel. This service could work via
manual triggering by trusted users, GitHub push notifications and commit
message parsing (to get the relevant attributes to build), signed git
commits, or some combination of these, and would *only* build the
directly affected packages (e.g. only rebuild glibc for a glibc
vulnerability, expecting users to use replaceDependency until hydra is
caught up). If it turns out to be useful, it could spin up AWS build
machines on demand to ensure a very rapid turnaround.

Thoughts on this? I'm happy to help fund this significantly, but it
loses a lot of its value if it doesn't directly upload to the nixos.org
cache so I think it needs official support before following through.

Thanks,
Shea
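
Added example, not part of the original message: a NixOS module showing the stopgap the proposal relies on, swapping a fixed glibc into the system closure with system.replaceRuntimeDependencies instead of rebuilding everything that depends on it. The `<nixpkgs-security>` path entry is an assumption; it stands for a nixpkgs checkout at the commit that carries the fix.

```nix
# configuration.nix fragment (added example; names marked "assumed" are not from the message)
{ pkgs, ... }:

let
  # Assumed: NIX_PATH contains nixpkgs-security=<checkout of nixpkgs at the fixed commit>.
  # Evaluating glibc from that exact commit yields the same store path a builder
  # working from the same commit would produce, so the output can be fetched
  # from a binary cache that holds it rather than compiled locally.
  fixedPkgs = import <nixpkgs-security> { };
in
{
  # Rewrites references to the vulnerable glibc store path throughout the
  # system closure so they point at the fixed build. Dependent packages are
  # not rebuilt; their existing outputs are copied with the path substituted.
  system.replaceRuntimeDependencies = [
    {
      original = pkgs.glibc;         # what the current channel still ships
      replacement = fixedPkgs.glibc; # the security rebuild
    }
  ];
}
```

The replacement's name must have the same length as the original's, because the store path is substituted in place inside existing outputs. Once the channel itself contains the fix, the entry should be removed so the system returns to fully rebuilt packages.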