Hi Tobias, I understand your point of view.
On Fri, 22 Oct 2021 at 00:16, Tobias Geerinckx-Rice <m...@tobias.gr> wrote:

> Trusting people not to be evil is not the same as having to trust
> the opsec habits of every single one of them. Trust isn't
> transitive. Personally, I don't think a rogue zimoun will
> suddenly decide to abuse us. I think rogues will abuse zimoun the
> very first chance they get.

From my understanding, here is the net of our “disagreement”.

> That's not a matter of degree: it's a whole different threat
> model, as is injecting arbitrary binaries vs. pushing malicious
> code commits. Both are bad news, but there's an order of
> magnitude difference between the two.

And I miss the threat model about “injecting binaries” in the case of shared offload.

Anyway. :-)

Let's move forward and discuss another solution than the usual offload. You pointed out the idea «one might consider dropping SSH account-based access in favour of a minimal job submission API, and just return the results through guix publish or so…? OTOH, that's yet another code path.»

Imagine another Cuirass instance where any committer could add [1] their own branch. It would act as this minimal job submission API.

1: <https://ci.guix.gnu.org/specification/add/>

The questions are the authentication to this Cuirass instance and how Cuirass deals with rebased branches (which would happen).

WDYT?

Cheers,
simon