[version 1.4.0rc1] install.sh script should authorize bordeaux

Done

Details

3 participants

Ludovic Courtès
Tobias Geerinckx-Rice
pelzflorian (Florian Pelz)

Owner: unassigned

Submitted by: pelzflorian (Florian Pelz)

Severity: normal

pelzflorian (Florian Pelz) wrote on 2 Dec 2022 18:43

Recipients:(address . bug-guix@gnu.org)

Message-ID:87bkolzoo5.fsf@pelzflorian.de

Could you make install.sh add bordeaux to /etc/guix/acl? It is

important especially on ARM.

Regards,

Florian

Tobias Geerinckx-Rice wrote on 2 Dec 2022 19:09

Recipients:(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)

Message-ID:87r0xhy8vj.fsf@nckx

pelzflorian (Florian Pelz) ???

Toggle quote (3 lines)

> Could you make install.sh add bordeaux to /etc/guix/acl? It is

> important especially on ARM.

If you mean guix-install.sh: I did so ages ago, but something

(valid) stopped me from pushing it.

Now I can't for the life of me remember what it was…

Kind regards,

T G-R

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCY4o/kA0cbWVAdG9iaWFz

LmdyAAoJEA2w/4hPVW154NEBAMIJpu2NKZg/Zg7nERnlz1ht2Cr3eTsoSBeJGmyZ

1wAXAQDfXl389VQMUcmcwuE6pl3zFnlXtA3UMFYkqz66rUtcCg==

=RNGF

-----END PGP SIGNATURE-----

pelzflorian (Florian Pelz) wrote on 2 Dec 2022 20:35

Recipients:(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 59781@debbugs.gnu.org)

Message-ID:871qph38gk.fsf@pelzflorian.de

Tobias Geerinckx-Rice <me@tobias.gr> writes:

Toggle quote (2 lines)

> If you mean guix-install.sh:

Yes I mean guix-install.sh. :)

Regards,

Florian

Ludovic Courtès wrote on 5 Dec 2022 15:54

Recipients:(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)

Message-ID:877cz5rjd0.fsf@gnu.org

Hi!

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

Toggle quote (9 lines)

> pelzflorian (Florian Pelz) ???

>> Could you make install.sh add bordeaux to /etc/guix/acl? It is

>> important especially on ARM.

> If you mean guix-install.sh: I did so ages ago, but something (valid)

> stopped me from pushing it.

> Now I can't for the life of me remember what it was…

I think that’s because the key for bordeaux.guix is missing from 1.3.0,

isn’t it?

Can we arrange so that the script authorizes the key if it’s present and

keeps going if not?

Ludo’.

Ludovic Courtès wrote on 6 Dec 2022 11:45

Recipients:(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)

Message-ID:87r0xclsiy.fsf@gnu.org

Ludovic Courtès <ludo@gnu.org> skribis:

Toggle quote (14 lines)> Tobias Geerinckx-Rice <me@tobias.gr> skribis:
>
>> pelzflorian (Florian Pelz) ???
>>> Could you make install.sh add bordeaux to /etc/guix/acl?  It is
>>> important especially on ARM.
>>
>> If you mean guix-install.sh: I did so ages ago, but something (valid)
>> stopped me from pushing it.
>>
>> Now I can't for the life of me remember what it was…
>
> I think that’s because the key for bordeaux.guix is missing from 1.3.0,
> isn’t it?

Yes, found it:

https://issues.guix.gnu.org/50892

Toggle quote (3 lines)

> Can we arrange so that the script authorizes the key if it’s present and

> keeps going if not?

Can you take a look Tobias? If not let me know and I’ll pick it up.

Thanks,

Ludo’.

Ludovic Courtès wrote on 8 Dec 2022 12:34

Re: bug#50892: [PATCH] guix-install.sh: Authorize all project build farms at once.

Recipients:(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)

Message-ID:87edtaf7sz.fsf_-_@gnu.org

Hi,

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

Toggle quote (7 lines)

> Tobias Geerinckx-Rice via Guix-patches via ???

>> + <

>> "~root/.config/guix/current/share/guix/$host.pub" \

> This file is missing for bordeaux in the 1.3.0 release, so this would

> have to wait until the next one…

If there are no objections I’d like to push to ‘master’ and

‘version-1.4.0’ this modified version of your patch.

Thanks,

Ludo’.

From f13e03d57ae9784a349bfa2eab0285e2c5b58eb7 Mon Sep 17 00:00:00 2001
From: Tobias Geerinckx-Rice <me@tobias.gr>
Date: Wed, 29 Sep 2021 17:43:10 +0200
Subject: [PATCH] guix-install.sh: Authorize all project build farms at once.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* etc/guix-install.sh (sys_authorize_build_farms):
Iterate over all hosts.

Co-authored-by: Ludovic Courtès <ludo@gnu.org>
---
 etc/guix-install.sh | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

Toggle diff (36 lines)diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index 6bef21bb7e..fb9006b3e2 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -492,14 +492,22 @@ sys_enable_guix_daemon()
 }
 
 sys_authorize_build_farms()
-{ # authorize the public key of the build farm
+{ # authorize the public key(s) of the build farm(s)
+    local hosts=(
+	ci.guix.gnu.org
+	bordeaux.guix.gnu.org
+    )
+
     if prompt_yes_no "Permit downloading pre-built package binaries from the \
-project's build farm?"; then
-        guix archive --authorize \
-             < ~root/.config/guix/current/share/guix/ci.guix.gnu.org.pub \
-            && _msg "${PAS}Authorized public key for ci.guix.gnu.org"
-        else
-            _msg "${INF}Skipped authorizing build farm public keys"
+project's build farms?"; then
+	for host in "${hosts[@]}"; do
+	    local key=~root/.config/guix/current/share/guix/$host.pub
+	    [ -f "$key" ] \
+		&& guix archive --authorize < "$key" \
+		&& _msg "${PAS}Authorized public key for $host"
+	done
+    else
+        _msg "${INF}Skipped authorizing build farm public keys"
     fi
 }
 
-- 
2.38.1

pelzflorian (Florian Pelz) wrote on 8 Dec 2022 22:27

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:87359pmvrf.fsf@pelzflorian.de

Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (3 lines)

> If there are no objections I’d like to push to ‘master’ and

> ‘version-1.4.0’ this modified version of your patch.

Thank you two, this patch works (on 1.3.0 only ci.guix.gnu.org, on

1.4.0rc1 also bordeaux, except when I decline authorization).

Regards,

Florian

Tobias Geerinckx-Rice wrote on 8 Dec 2022 22:42

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:87ililzhx8.fsf@nckx

Ludovic Courtès ???

Toggle quote (3 lines)

> If there are no objections I’d like to push to ‘master’ and

> ‘version-1.4.0’ this modified version of your patch.

No objections, thanks!

(Ugh, this patch is so ugly, all to work around that triplication

in ~/.config/guix/current/share/guix/*.pub… Would it be OK for

‘guix archive --authorize’ to silently ignore duplicate keys?)

Kind regards,

T G-R

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCY5Jbgw0cbWVAdG9iaWFz

LmdyAAoJEA2w/4hPVW15qq0BAPuEaVab9jBVCCRILsRar48RcdT01EUyN0Rf9Qrz

ILCDAP9JcNYNsx7DVf7NFUP/gyBV4M+jfGfyx6e9KT4FPGsTAw==

=YW1a

-----END PGP SIGNATURE-----

Ludovic Courtès wrote on 9 Dec 2022 10:01

Re: bug#59781: [version 1.4.0rc1] install.sh script should authorize bordeaux

Recipients:(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)

Message-ID:877cz1ar2r.fsf_-_@gnu.org

Hi,

"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:

Toggle quote (7 lines)

> Ludovic Courtès <ludo@gnu.org> writes:

>> If there are no objections I’d like to push to ‘master’ and

>> ‘version-1.4.0’ this modified version of your patch.

> Thank you two, this patch works (on 1.3.0 only ci.guix.gnu.org, on

> 1.4.0rc1 also bordeaux, except when I decline authorization).

Pushed to both branches. Thanks to the two of you!

Ludo’.

Closed

Ludovic Courtès wrote on 9 Dec 2022 10:09

Recipients:(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)

Message-ID:87359paqop.fsf_-_@gnu.org

Hi,

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

Toggle quote (4 lines)

> (Ugh, this patch is so ugly, all to work around that triplication in

> ~/.config/guix/current/share/guix/*.pub… Would it be OK for ‘guix

> archive --authorize’ to silently ignore duplicate keys?)

Oh, good point. I guess we could change ‘public-keys->acl’ to

deduplicate entries. Maybe something along these lines:

Toggle diff (32 lines)diff --git a/guix/pki.scm b/guix/pki.scm
index 6326e065e9..c5b2fb9634 100644
--- a/guix/pki.scm
+++ b/guix/pki.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2016, 2022 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -21,6 +21,7 @@ (define-module (guix pki)
   #:use-module (gcrypt pk-crypto)
   #:use-module ((guix utils) #:select (with-atomic-file-output))
   #:use-module ((guix build utils) #:select (mkdir-p))
+  #:autoload   (srfi srfi-1) (delete-duplicates)
   #:use-module (ice-9 match)
   #:use-module (ice-9 rdelim)
   #:use-module (ice-9 binary-ports)
@@ -61,9 +62,10 @@ (define (public-keys->acl keys)
   ;; want to have name certificates and to use subject names instead of
   ;; complete keys.
   `(acl ,@(map (lambda (key)
-                 `(entry ,(canonical-sexp->sexp key)
+                 `(entry ,key
                          (tag (guix import))))
-               keys)))
+               (delete-duplicates
+                (map canonical-sexp->sexp keys)))))
 
 (define %acl-file
   (string-append %config-directory "/acl"))

WDYT?

Ludo’.

Your comment

This issue is archived.

To comment on this conversation send an email to 59781@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date