[Nix-dev] Proposal: Highly available security-specific trusted build infrastructure

Kevin Cox kevincox at kevincox.ca
Sun Oct 16 19:28:52 CEST 2016


On 16/10/16 18:24, Shea Levy wrote:
> The existing infrastructure will always have more load and be more
> complex than what is needed for security updates. hydra is a fully
> general CI system, and properly so, but it means the system is subject
> to bugs and constraints that a simpler more focused system can avoid.
> 
> Moreover, for better or for worse hydra.nixos.org is only manageable by
> a small set of people who are not always available to service it (nor
> should they have to be!). No amount of improving hydra will fix that.
> 

I see your point. But for an emergency rebuild system for security fixes,
wouldn't it just make sense to have a couple of people with S3
credentials? Most packages can be built on a mildly powerful machine in
an hour. In the rare case that the package would take longer it probably
wouldn't be improved by a cluster as it will be a serial dependency chain.

So if we really want to reduce dependencies how about a couple of people
trusted to push these updated packages?

