by rekado 3782 days ago
> Support for institutional installations: A central build daemon + farm is a pretty lame way to synchronize things. Should make it so anybody can build stuff, and anybody can share binaries with those that trust them, and shared NFS store or equivalent for de-dup.

At the research site where I work as a software person, we use a central guix-daemon managing a shared NFS store. Anyone can build stuff and manage their own software profiles from cluster nodes. Works very well for us and gets us a big step closer to reproducible science.

Sharing build artifacts also works with Guix. You can either export from and import items to the store or use "guix publish" to share items via HTTP.

2 comments

How does this work security-wise? Can any user deploy on your clusters? AFAIK Guix requires root/chroot. This would never fly at our site...

The daemon runs as root (on one server that has write access to the shared store) to spawn build processes in chroots (work is underway to use user namespaces where possible). The builds themselves are performed as unprivileged build users. Users communicate with the daemon via RPCs.

Since every build is forced to its very own unique output directory (by prepending a hash of all the inputs), one user's build/installation does not affect other users.
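
A simplified model of the input-addressed output directories described in the reply above, added here as an illustration and not taken from the thread or from Guix's code. The hash construction (SHA-256 over a JSON recipe, truncated hex), the package names and the users are assumptions; Guix's daemon hashes derivations in its own format.

```python
import hashlib
import json

STORE = "/gnu/store"  # Guix's default store directory


def store_path(name, builder, inputs=(), env=None):
    """Daemon-side model: derive the output directory from every build input.

    Assumption: SHA-256 over a canonical JSON recipe, truncated to 32 hex
    characters. Guix hashes its own derivation format instead.
    """
    recipe = {
        "name": name,
        "builder": builder,
        "inputs": sorted(inputs),  # store paths of dependencies
        "env": dict(env or {}),
    }
    canonical = json.dumps(recipe, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:32]
    return f"{STORE}/{digest}-{name}"


def demo():
    """Constructed packages requested by four hypothetical users."""
    lib = store_path("libfoo-2.0", "build-libfoo.scm")
    lib_patched = store_path("libfoo-2.0", "build-libfoo.scm",
                             env={"PATCH": "local-fix.diff"})
    # Same recipe from two users: one shared, de-duplicated directory.
    alice = store_path("tool-1.0", "build-tool.scm", [lib], {"CFLAGS": "-O2"})
    bob = store_path("tool-1.0", "build-tool.scm", [lib], {"CFLAGS": "-O2"})
    # A changed flag or a changed dependency yields a new directory, so
    # the build can never be written over alice's and bob's item.
    carol = store_path("tool-1.0", "build-tool.scm", [lib], {"CFLAGS": "-O3"})
    dave = store_path("tool-1.0", "build-tool.scm", [lib_patched],
                      {"CFLAGS": "-O2"})
    return {"alice": alice, "bob": bob, "carol": carol, "dave": dave}


if __name__ == "__main__":
    for user, path in demo().items():
        print(f"{user:6} {path}")
```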

Last I checked with Nix, NFS and SQLite did not play well. Does Guix work around that?