[PATCH] guix-install.sh: Authorize all project build farms at once.

  • Done
  • quality assurance status badge
Details
4 participants
  • Ludovic Courtès
  • Maxim Cournoyer
  • Tobias Geerinckx-Rice
  • pelzflorian (Florian Pelz)
Owner
unassigned
Submitted by
Tobias Geerinckx-Rice
Severity
normal

Debbugs page

Tobias Geerinckx-Rice wrote 3 years ago
(address . guix-patches@gnu.org)
20210929154310.25788-1-me@tobias.gr
* etc/guix-install.sh (sys_authorize_build_farms):
Iterate over all hosts.
---
etc/guix-install.sh | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)

Toggle diff (82 lines)
diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index b0d4a8b95e..e3b8485a50 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -1,21 +1,21 @@
#!/bin/sh
# GNU Guix --- Functional package management for GNU
# Copyright © 2017 sharlatan <sharlatanus@gmail.com>
# Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
# Copyright © 2018 Efraim Flashner <efraim@flashner.co.il>
-# Copyright © 2019, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
+# Copyright © 2019–2021 Tobias Geerinckx-Rice <me@tobias.gr>
# Copyright © 2020 Morgan Smith <Morgan.J.Smith@outlook.com>
# Copyright © 2020 Simon Tournier <zimon.toutoune@gmail.com>
# Copyright © 2020 Daniel Brooks <db48x@db48x.net>
# Copyright © 2021 Jakub Kądziołka <kuba@kadziolka.net>
# Copyright © 2021 Chris Marusich <cmmarusich@gmail.com>
# Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
#
# This file is part of GNU Guix.
#
# GNU Guix is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GNU Guix is distributed in the hope that it will be useful, but
@@ -476,38 +476,45 @@ sys_enable_guix_daemon()
;;
esac
_msg "${INF}making the guix command available to other users"
[ -e "$local_bin" ] || mkdir -p "$local_bin"
ln -sf "${var_guix}/bin/guix" "$local_bin"
[ -e "$info_path" ] || mkdir -p "$info_path"
for i in "${var_guix}"/share/info/*; do
ln -sf "$i" "$info_path"
done
}
sys_authorize_build_farms()
-{ # authorize the public key of the build farm
+{ # authorize the public key(s) of the build farm(s)
+ local hosts=(
+ ci.guix.gnu.org
+ bordeaux.guix.gnu.org
+ )
+
if prompt_yes_no "Permit downloading pre-built package binaries from the \
-project's build farm? (yes/no)"; then
- guix archive --authorize \
- < "~root/.config/guix/current/share/guix/ci.guix.gnu.org.pub" \
- && _msg "${PAS}Authorized public key for ci.guix.gnu.org"
- else
- _msg "${INF}Skipped authorizing build farm public keys"
+project's build farms? (yes/no)"; then
+ for host in "${hosts[@]}"; do
+ guix archive --authorize \
+ < "~root/.config/guix/current/share/guix/$host.pub" \
+ && _msg "${PAS}Authorized public key for $host"
+ done
+ else
+ _msg "${INF}Skipped authorizing build farm public keys"
fi
}
sys_create_init_profile()
{ # Define for better desktop integration
# This will not take effect until the next shell or desktop session!
[ -d "/etc/profile.d" ] || mkdir /etc/profile.d # Just in case
cat <<"EOF" > /etc/profile.d/guix.sh
# _GUIX_PROFILE: `guix pull` profile
_GUIX_PROFILE="$HOME/.config/guix/current"
export PATH="$_GUIX_PROFILE/bin${PATH:+:}$PATH"
# Export INFOPATH so that the updated info pages can be found
# and read by both /usr/bin/info and/or $GUIX_PROFILE/bin/info
# When INFOPATH is unset, add a trailing colon so that Emacs
# searches 'Info-default-directory-list'.
--
2.33.0
Tobias Geerinckx-Rice wrote 3 years ago
87tui31g2y.fsf@nckx
Tobias Geerinckx-Rice via Guix-patches via 写道:
Toggle quote (3 lines)
> + <
> "~root/.config/guix/current/share/guix/$host.pub" \

This file is missing for bordeaux in the 1.3.0 release, so this
would have to wait until the next one…

Kind regards,

T G-R
-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYVSZVQ0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW157tIA/0NxtSi4/HOdtPht4P1YlTT4Op2MNXxktdEnqIh5
Px2tAP9VpcX2WZLsrqN6g7CdCL9beI10dRgzWW3FpDqkI/RaAQ==
=ppGb
-----END PGP SIGNATURE-----

Maxim Cournoyer wrote 3 years ago
Re: bug#50892: [PATCH] guix-install.sh: Authorize all project build farms at once.
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 50892@debbugs.gnu.org)
87r1d71g1w.fsf@gmail.com
Tobias Geerinckx-Rice <me@tobias.gr> writes:

Toggle quote (87 lines)
> * etc/guix-install.sh (sys_authorize_build_farms):
> Iterate over all hosts.
> ---
> etc/guix-install.sh | 23 +++++++++++++++--------
> 1 file changed, 15 insertions(+), 8 deletions(-)
>
> diff --git a/etc/guix-install.sh b/etc/guix-install.sh
> index b0d4a8b95e..e3b8485a50 100755
> --- a/etc/guix-install.sh
> +++ b/etc/guix-install.sh
> @@ -1,21 +1,21 @@
> #!/bin/sh
> # GNU Guix --- Functional package management for GNU
> # Copyright © 2017 sharlatan <sharlatanus@gmail.com>
> # Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
> # Copyright © 2018 Efraim Flashner <efraim@flashner.co.il>
> -# Copyright © 2019, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
> +# Copyright © 2019–2021 Tobias Geerinckx-Rice <me@tobias.gr>
> # Copyright © 2020 Morgan Smith <Morgan.J.Smith@outlook.com>
> # Copyright © 2020 Simon Tournier <zimon.toutoune@gmail.com>
> # Copyright © 2020 Daniel Brooks <db48x@db48x.net>
> # Copyright © 2021 Jakub Kądziołka <kuba@kadziolka.net>
> # Copyright © 2021 Chris Marusich <cmmarusich@gmail.com>
> # Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
> #
> # This file is part of GNU Guix.
> #
> # GNU Guix is free software; you can redistribute it and/or modify it
> # under the terms of the GNU General Public License as published by
> # the Free Software Foundation; either version 3 of the License, or (at
> # your option) any later version.
> #
> # GNU Guix is distributed in the hope that it will be useful, but
> @@ -476,38 +476,45 @@ sys_enable_guix_daemon()
> ;;
> esac
>
> _msg "${INF}making the guix command available to other users"
>
> [ -e "$local_bin" ] || mkdir -p "$local_bin"
> ln -sf "${var_guix}/bin/guix" "$local_bin"
>
> [ -e "$info_path" ] || mkdir -p "$info_path"
> for i in "${var_guix}"/share/info/*; do
> ln -sf "$i" "$info_path"
> done
> }
>
> sys_authorize_build_farms()
> -{ # authorize the public key of the build farm
> +{ # authorize the public key(s) of the build farm(s)
> + local hosts=(
> + ci.guix.gnu.org
> + bordeaux.guix.gnu.org
> + )
> +
> if prompt_yes_no "Permit downloading pre-built package binaries from the \
> -project's build farm? (yes/no)"; then
> - guix archive --authorize \
> - < "~root/.config/guix/current/share/guix/ci.guix.gnu.org.pub" \
> - && _msg "${PAS}Authorized public key for ci.guix.gnu.org"
> - else
> - _msg "${INF}Skipped authorizing build farm public keys"
> +project's build farms? (yes/no)"; then
> + for host in "${hosts[@]}"; do
> + guix archive --authorize \
> + < "~root/.config/guix/current/share/guix/$host.pub" \
> + && _msg "${PAS}Authorized public key for $host"
> + done
> + else
> + _msg "${INF}Skipped authorizing build farm public keys"
> fi
> }
>
> sys_create_init_profile()
> { # Define for better desktop integration
> # This will not take effect until the next shell or desktop session!
> [ -d "/etc/profile.d" ] || mkdir /etc/profile.d # Just in case
> cat <<"EOF" > /etc/profile.d/guix.sh
> # _GUIX_PROFILE: `guix pull` profile
> _GUIX_PROFILE="$HOME/.config/guix/current"
> export PATH="$_GUIX_PROFILE/bin${PATH:+:}$PATH"
> # Export INFOPATH so that the updated info pages can be found
> # and read by both /usr/bin/info and/or $GUIX_PROFILE/bin/info
> # When INFOPATH is unset, add a trailing colon so that Emacs
> # searches 'Info-default-directory-list'.

Tested on a VM:

./guix-install.sh: line 500: ~root/.config/guix/current/share/guix/bordeaux.guix.gnu.org.pub: No such file or directory
root@ubuntu:~# echo $?
1

I think we should fetch the keys from our online repo, so we can ensure

1. they are available
2. they are up to date.

Thanks!

Maxim
Ludovic Courtès wrote 2 years ago
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
87edtaf7sz.fsf_-_@gnu.org
Hi,

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

Toggle quote (7 lines)
> Tobias Geerinckx-Rice via Guix-patches via 写道:
>> + <
>> "~root/.config/guix/current/share/guix/$host.pub" \
>
> This file is missing for bordeaux in the 1.3.0 release, so this would
> have to wait until the next one…

If there are no objections I’d like to push to ‘master’ and
‘version-1.4.0’ this modified version of your patch.

Thanks,
Ludo’.
From f13e03d57ae9784a349bfa2eab0285e2c5b58eb7 Mon Sep 17 00:00:00 2001
From: Tobias Geerinckx-Rice <me@tobias.gr>
Date: Wed, 29 Sep 2021 17:43:10 +0200
Subject: [PATCH] guix-install.sh: Authorize all project build farms at once.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* etc/guix-install.sh (sys_authorize_build_farms):
Iterate over all hosts.

Co-authored-by: Ludovic Courtès <ludo@gnu.org>
---
etc/guix-install.sh | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)

Toggle diff (36 lines)
diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index 6bef21bb7e..fb9006b3e2 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -492,14 +492,22 @@ sys_enable_guix_daemon()
}
sys_authorize_build_farms()
-{ # authorize the public key of the build farm
+{ # authorize the public key(s) of the build farm(s)
+ local hosts=(
+ ci.guix.gnu.org
+ bordeaux.guix.gnu.org
+ )
+
if prompt_yes_no "Permit downloading pre-built package binaries from the \
-project's build farm?"; then
- guix archive --authorize \
- < ~root/.config/guix/current/share/guix/ci.guix.gnu.org.pub \
- && _msg "${PAS}Authorized public key for ci.guix.gnu.org"
- else
- _msg "${INF}Skipped authorizing build farm public keys"
+project's build farms?"; then
+ for host in "${hosts[@]}"; do
+ local key=~root/.config/guix/current/share/guix/$host.pub
+ [ -f "$key" ] \
+ && guix archive --authorize < "$key" \
+ && _msg "${PAS}Authorized public key for $host"
+ done
+ else
+ _msg "${INF}Skipped authorizing build farm public keys"
fi
}
--
2.38.1
pelzflorian (Florian Pelz) wrote 2 years ago
(name . Ludovic Courtès)(address . ludo@gnu.org)
87359pmvrf.fsf@pelzflorian.de
Ludovic Courtès <ludo@gnu.org> writes:
Toggle quote (3 lines)
> If there are no objections I’d like to push to ‘master’ and
> ‘version-1.4.0’ this modified version of your patch.

Thank you two, this patch works (on 1.3.0 only ci.guix.gnu.org, on
1.4.0rc1 also bordeaux, except when I decline authorization).

Regards,
Florian
Tobias Geerinckx-Rice wrote 2 years ago
(name . Ludovic Courtès)(address . ludo@gnu.org)
87ililzhx8.fsf@nckx
Ludovic Courtès 写道:
Toggle quote (3 lines)
> If there are no objections I’d like to push to ‘master’ and
> ‘version-1.4.0’ this modified version of your patch.

No objections, thanks!

(Ugh, this patch is so ugly, all to work around that triplication
in ~/.config/guix/current/share/guix/*.pub… Would it be OK for
‘guix archive --authorize’ to silently ignore duplicate keys?)

Kind regards,

T G-R
-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCY5Jbgw0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15qq0BAPuEaVab9jBVCCRILsRar48RcdT01EUyN0Rf9Qrz
ILCDAP9JcNYNsx7DVf7NFUP/gyBV4M+jfGfyx6e9KT4FPGsTAw==
=YW1a
-----END PGP SIGNATURE-----

Ludovic Courtès wrote 2 years ago
Re: bug#59781: [version 1.4.0rc1] install.sh script should authorize bordeaux
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)
877cz1ar2r.fsf_-_@gnu.org
Hi,

"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:

Toggle quote (7 lines)
> Ludovic Courtès <ludo@gnu.org> writes:
>> If there are no objections I’d like to push to ‘master’ and
>> ‘version-1.4.0’ this modified version of your patch.
>
> Thank you two, this patch works (on 1.3.0 only ci.guix.gnu.org, on
> 1.4.0rc1 also bordeaux, except when I decline authorization).

Pushed to both branches. Thanks to the two of you!

Ludo’.
Closed
Ludovic Courtès wrote 2 years ago
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
87359paqop.fsf_-_@gnu.org
Hi,

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

Toggle quote (4 lines)
> (Ugh, this patch is so ugly, all to work around that triplication in
> ~/.config/guix/current/share/guix/*.pub… Would it be OK for ‘guix
> archive --authorize’ to silently ignore duplicate keys?)

Oh, good point. I guess we could change ‘public-keys->acl’ to
deduplicate entries. Maybe something along these lines:
Toggle diff (32 lines)
diff --git a/guix/pki.scm b/guix/pki.scm
index 6326e065e9..c5b2fb9634 100644
--- a/guix/pki.scm
+++ b/guix/pki.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2016, 2022 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -21,6 +21,7 @@ (define-module (guix pki)
#:use-module (gcrypt pk-crypto)
#:use-module ((guix utils) #:select (with-atomic-file-output))
#:use-module ((guix build utils) #:select (mkdir-p))
+ #:autoload (srfi srfi-1) (delete-duplicates)
#:use-module (ice-9 match)
#:use-module (ice-9 rdelim)
#:use-module (ice-9 binary-ports)
@@ -61,9 +62,10 @@ (define (public-keys->acl keys)
;; want to have name certificates and to use subject names instead of
;; complete keys.
`(acl ,@(map (lambda (key)
- `(entry ,(canonical-sexp->sexp key)
+ `(entry ,key
(tag (guix import))))
- keys)))
+ (delete-duplicates
+ (map canonical-sexp->sexp keys)))))
(define %acl-file
(string-append %config-directory "/acl"))
WDYT?
Ludo’.
?
Your comment

This issue is archived.

To comment on this conversation send an email to 50892@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 50892
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch
You may also tag this issue. See list of standard tags. For example, to set the confirmed and easy tags
mumi command -t +confirmed -t +easy
Or, remove the moreinfo tag and set the help tag
mumi command -t -moreinfo -t +help