Document known vs. trusted users and their implications

Graham Christensen 2018-03-01 12:58:04 -05:00
parent d6787a0923
commit 71f63ef0fd
No known key found for this signature in database
GPG key ID: ACA1C1D120C83D5C
3 changed files with 27 additions and 5 deletions

@ -9,9 +9,10 @@
## Automatic Building
Users who are _trusted_ (see: ./config.public.json) or _known_ (see:
./config.known-users.json) will have their PRs automatically trigger
builds if their commits follow the well-defined format of Nixpkgs.
Users who are _trusted_ or _known_ (see: Trusted Users vs Known Users)
will have their PRs automatically trigger builds if their commits
follow the well-defined format of Nixpkgs.
Example messages and the builds:
|Message|Automatic Build|
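Review bot: In the rewritten sentence, `(see: Trusted Users vs Known Users)` is plain text, so the rendered README gives the reader nothing to follow now that the direct pointers to `./config.public.json` and `./config.known-users.json` are gone from this paragraph. Make it a Markdown link to the new section heading, for example `[Trusted Users vs Known Users](#trusted-users-vs-known-users)` on GitHub's renderer, so the definition of the two tiers is one hop from the statement that depends on it.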
@ -104,6 +105,28 @@ This is will build `list`, `of`, `attrs`, `looks`, `good`, `to`, `me!`:
@grahamcofborg build list of attrs looks good to me!
```
## Trusted Users vs Known Users
Known users have their builds executed on platforms with working
sandboxing. At the time of writing, that means:
- `x86_64-linux`
- `aarch64_linux`
Trusted users have their builds executed on _all_ platforms, even if
they don't have good sandboxing. This opens the host up to a higher
risk of security issues, so only well known, trusted member of the
community should be added to the trusted user list.
At the time of writing, trusted users have their builds run on the
following platforms:
- `x86_64-linux`
- `aarch64_linux`
- `x86_64-darwin`
See ./config.public.json and ./config.known-users.json for a list of
all the trusted and known users.
# How does OfBorg call nix-build?
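Review bot: Both platform lists in the new section spell the ARM entry `aarch64_linux`, but the Nix system string is `aarch64-linux`, with a hyphen like the `x86_64-linux` and `x86_64-darwin` entries beside it; fix both occurrences so the value can be copied as written. In the same section, "trusted member of the community" should read "trusted members". Since both lists are qualified with "At the time of writing", consider also stating the rule once in a single sentence (known users: sandboxed platforms only; trusted users: every platform, including those without good sandboxing) so the security-relevant statement stays correct when the platform set changes.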

@ -1,6 +1,5 @@
[
"bhipple",
"dotlambda",
"dywedir",
"unode"
]
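Review bot: The hunk header (`-1,6 +1,5`) shows this user list losing one entry, which is an access change, while the commit title only says "Document". Moving someone between the known and trusted tiers changes which hosts will run their PR code, so either split the list change into its own commit or name the user and the reason in the commit message, so the change is visible in the history to anyone auditing who gained or lost build access.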