diff --git a/README.md b/README.md index 78206c4..ec0ff37 100644 --- a/README.md +++ b/README.md @@ -9,9 +9,10 @@ ## Automatic Building -Users who are _trusted_ (see: ./config.public.json) or _known_ (see: -./config.known-users.json) will have their PRs automatically trigger -builds if their commits follow the well-defined format of Nixpkgs. +Users who are _trusted_ or _known_ (see: Trusted Users vs Known Users) +will have their PRs automatically trigger builds if their commits +follow the well-defined format of Nixpkgs. + Example messages and the builds: |Message|Automatic Build| @@ -104,6 +105,28 @@ This is will build `list`, `of`, `attrs`, `looks`, `good`, `to`, `me!`: @grahamcofborg build list of attrs looks good to me! ``` +## Trusted Users vs Known Users + +Known users have their builds executed on platforms with working +sandboxing. At the time of writing, that means: + + - `x86_64-linux` + - `aarch64_linux` + +Trusted users have their builds executed on _all_ platforms, even if +they don't have good sandboxing. This opens the host up to a higher +risk of security issues, so only well known, trusted member of the +community should be added to the trusted user list. + +At the time of writing, trusted users have their builds run on the +following platforms: + + - `x86_64-linux` + - `aarch64_linux` + - `x86_64-darwin` + +See ./config.public.json and ./config.known-users.json for a list of +all the trusted and known users. # How does OfBorg call nix-build? diff --git a/config.extra-known-users.json b/config.extra-known-users.json index 22a7dc7..9d015b2 100644 --- a/config.extra-known-users.json +++ b/config.extra-known-users.json @@ -1,6 +1,5 @@ [ "bhipple", - "dotlambda", "dywedir", "unode" ] diff --git a/config.public.json b/config.public.json index 724cb06..33509c7 100644 --- a/config.public.json +++ b/config.public.json @@ -23,7 +23,7 @@ "dtzwill", "edolstra", "ericson2314", - "flokli", + "flokli", "fpletz", "fridh", "garbas",
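Review bot: In the first README.md hunk (`@@ -9,9 +9,10 @@`), the new cross-reference "(see: Trusted Users vs Known Users)" is plain text, so a reader of the rendered README has nothing to click and the reference silently breaks if the heading is renamed. Make it a Markdown link to the section this patch adds, for example `[Trusted Users vs Known Users](#trusted-users-vs-known-users)`. The hunk also removes the only mention of `./config.public.json` and `./config.known-users.json` from the section where people first look for how builds get triggered, so the link needs to work for readers to find the lists at all.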
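Review bot: In the second README.md hunk (`@@ -104,6 +105,28 @@`), both platform lists spell the ARM platform as `aarch64_linux` with an underscore, while every other entry uses the hyphenated Nix system form (`x86_64-linux`, `x86_64-darwin`); it should read `aarch64-linux`. In the same section, "only well known, trusted member of the community" should be "members". The closing sentence points to `./config.public.json` and `./config.known-users.json`, but this same patch edits `config.extra-known-users.json`; if that file also feeds the known-users set, name it here so the documented trust boundary matches the files that define it. Since this section describes which users get builds on hosts without good sandboxing, it would also help to say where the per-platform split is enforced, so the two "at the time of writing" lists can be checked against the configuration rather than trusted as prose.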
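Review bot: In the config.extra-known-users.json hunk, `"dotlambda"` is removed with no matching addition visible anywhere else in this diff. If the intent is to promote the user to trusted, the corresponding `+` line in `config.public.json` is missing from what is shown here; if the intent is to revoke automatic builds, that should be stated in the commit message. According to the README text added in this patch, the two lists differ in whether builds run on platforms without good sandboxing, so a change of membership is a change of privilege and should be explicit and reviewable on its own rather than bundled into a documentation change.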
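Review bot: In the config.public.json hunk, the `"flokli",` line is removed and re-added with the same visible content, so this looks like a whitespace-only change. This file is the trusted list, and per the README section added in this patch its entries get builds on all platforms, including those without good sandboxing, so diffs to it should contain only real membership changes. Either drop this hunk from the patch or split it into a separate formatting commit, and confirm the resulting indentation matches the neighbouring entries such as `"ericson2314",` and `"fpletz",`.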