[Nix-dev] Proposal: Highly available security-specific trusted build infrastructure
Shea Levy
shea at shealevy.com
Sun Oct 16 19:32:25 CEST 2016
I think an automated system would be nicer, but yes this would resolve
the majority of my concern here.
Kevin Cox <kevincox at kevincox.ca> writes:
> [ Unknown signature status ]
> On 16/10/16 18:24, Shea Levy wrote:
>> The existing infrastructure will always have more load and be more
>> complex than what is needed for security updates. hydra is a fully
>> general CI system, and properly so, but it means the system is subject
>> to bugs and constraints that a simpler more focused system can avoid.
>>
>> Moreover, for better or for worse hydra.nixos.org is only manageable by
>> a small set of people who are not always available to service it (nor
>> should they have to be!). No amount of improving hydra will fix that.
>>
>
> I see your point. But for a emergency rebuild system for security fixes
> wouldn't it just make sense to have a couple of people with S3
> credentials? Most packages can be built on a mildly powerful machine in
> an hour. In the rare case that the package would take longer it probably
> wouldn't be improved by a cluster as it will be a serial dependency chain.
>
> So if we really want to reduce dependencies how about a couple of people
> trusted to push these updated packages?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 800 bytes
Desc: not available
URL: <http://lists.science.uu.nl/pipermail/nix-dev/attachments/20161016/02acc1d0/attachment.sig>
More information about the nix-dev
mailing list