GNU bug report logs - #54811
[PATCH 0/3] Support socket activation in 'guix publish' and 'guix-daemon'
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Sat, 9 Apr 2022 09:13:01 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Maxime Devos <maximedevos <at> telenet.be> writes:

> Ludovic Courtès wrote on Mon 11-04-2022 at 11:48 [+0200]:
>> > * bonus: except possibly for the secret key material, "guix publish"
>> > does not have to be started as root anymore even if it uses a
>> > reserved port such as port 80 (assuming socket activation is
>> > used).
>>
>> But it does need to access the secret key…
>
> The ‘guix publish’ could be run as a separate, say, guix-publish user,
> and the secret key could be made readable to guix-publish.

That doesn’t sound reasonable.

> Alternatively, the shepherd could open the secret key file on behalf of
> ‘guix publish’ and send it together with the listening socket to ‘guix
> publish’.

Sure, that’s feasible, but that’d require a custom protocol that I’d
rather avoid.

As things are now, ‘guix publish’ drops privileges as soon as it has
opened the signing key anyway.

Ludo’.
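
The pattern discussed in this thread, as an added example (not code from Guix, the Shepherd or the patch series): a socket-activated service takes its listening socket from the service manager, reads the root-only signing key, and only then drops privileges for good. It assumes the systemd-style LISTEN_PID/LISTEN_FDS convention; `key_path`, `uid` and `gid` are hypothetical parameters.

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # first inherited descriptor in the systemd-style convention


def activated_fds(environ, pid):
    """Return the inherited listening fds, or [] if none were passed to us."""
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []  # the variables were meant for another process
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []      # missing or malformed variables: not activated
    if count <= 0:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def drop_privileges(uid, gid):
    """Irreversibly switch to uid/gid; the order is groups, gid, then uid."""
    os.setgroups([])   # clear supplementary groups while still root
    os.setgid(gid)     # as root this sets real, effective and saved gid
    os.setuid(uid)     # as root this sets real, effective and saved uid
    try:
        os.setuid(0)   # must fail now, otherwise the drop is reversible
    except PermissionError:
        return
    raise RuntimeError("privileges were not dropped permanently")


def start(key_path, uid, gid):
    """Collect every privileged resource first, then run unprivileged."""
    fds = activated_fds(os.environ, os.getpid())
    if not fds:
        raise SystemExit("not socket-activated: no listening socket inherited")
    listener = socket.socket(fileno=fds[0])  # already bound, e.g. to port 80
    with open(key_path, "rb") as f:          # needs root: the key is root-only
        key = f.read()
    drop_privileges(uid, gid)
    return listener, key                     # both remain usable after the drop
```

After `start` returns, the process holds the key bytes and the bound socket but can no longer reopen the key file or bind another reserved port.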