The substitute authorization warning is displayed when it shouldn't be

  • Open
  • quality assurance status badge
Details
3 participants
  • Leo Famulari
  • Ludovic Courtès
  • Simon Tournier
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
L
L
Leo Famulari wrote on 6 Apr 18:49 +0200
(address . bug-guix@gnu.org)
ZhF9KvWEBpJ11r-D@jasmine.lan
I just saw this on Debian:

------
$ guix shell -D guix -- ./pre-inst-env guix weather linux-libre
computing 1 package derivations for x86_64-linux...
looking for 1 store items on https://ci.guix.gnu.org...
guix weather: warning: substitutes from 'https://ci.guix.gnu.org' are unauthorized
hint: To authorize all substitutes from `https://ci.guix.gnu.org' to be downloaded, the following command needs to be run as root:
[...]
------

But, I do have the given key in my '/etc/guix/acl', and this works:

------
guix shell -D guix -- ./pre-inst-env guix build linux-libre
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
114.0 MB will be downloaded:
/gnu/store/547y21y3w9nj29w9n73gp2arjxgmvvl6-linux-libre-6.8.2
substituting /gnu/store/547y21y3w9nj29w9n73gp2arjxgmvvl6-linux-libre-6.8.2...
[...]
------

So, the warning is mistaken.

For your reference:

------
guix shell -D guix -- ./pre-inst-env guix describe
Git checkout:
repository: /home/leo/work/guix/
branch: master
commit: 50a72a08af37557575199b56bbee9f334d58575a
------

Let me know if there is any other information I can provide.
L
L
Ludovic Courtès wrote on 25 May 11:31 +0200
(name . Leo Famulari)(address . leo@famulari.name)(address . 70243@debbugs.gnu.org)
87v8322q5v.fsf@gnu.org
Hi Leo,

Leo Famulari <leo@famulari.name> skribis:

Toggle quote (13 lines)
> I just saw this on Debian:
>
> ------
> $ guix shell -D guix -- ./pre-inst-env guix weather linux-libre
> computing 1 package derivations for x86_64-linux...
> looking for 1 store items on https://ci.guix.gnu.org...
> guix weather: warning: substitutes from 'https://ci.guix.gnu.org' are unauthorized
> hint: To authorize all substitutes from `https://ci.guix.gnu.org' to be downloaded, the following command needs to be run as root:
> [...]
> ------
>
> But, I do have the given key in my '/etc/guix/acl', and this works:

Are /etc/guix/acl and /etc/guix world-readable?

‘check-narinfo-authorization’ in (guix scripts weather) is supposed to
properly handle this case, but I think that fails if /etc/guix is not
accessible.

Thanks,
Ludo’.
S
S
Simon Tournier wrote on 5 Jun 19:06 +0200
(address . 70243@debbugs.gnu.org)
87r0dbmi9u.fsf@gmail.com
Hi,

On Sat, 25 May 2024 at 11:31, Ludovic Courtès <ludo@gnu.org> wrote:

Toggle quote (4 lines)
>> But, I do have the given key in my '/etc/guix/acl', and this works:
>
> Are /etc/guix/acl and /etc/guix world-readable?

I had been bitten by this recently. And I have not found any mention
about that in the manual. Maybe it could helpful to add:
Toggle diff (14 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 5e1173b8c6..3b97674733 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -3792,7 +3792,8 @@ Getting Substitutes from Other Servers
@end example
Again this assumes @file{key.pub} contains the public key that
-@code{guix.example.org} uses to sign substitutes.
+@code{guix.example.org} uses to sign substitutes. Make sure
+@file{/etc/guix/acl} is world-readable.
@end enumerate
Now you're all set! Substitutes will be preferably taken from
In addition, I had to be read a comment in source code to know what
another issue was: the daemon’s too old. Hence, I would suggest:
Toggle diff (13 lines)
diff --git a/guix/scripts/weather.scm b/guix/scripts/weather.scm
index 08a1b22a74..98a09f9e9a 100644
--- a/guix/scripts/weather.scm
+++ b/guix/scripts/weather.scm
@@ -643,7 +643,7 @@ (define-command (guix-weather . args)
;; substitute URLs, presumably because it's too
;; old.
(warning (G_ "using default \
-substitute URLs~%"))
+substitute URLs; maybe the daemon's too old~%"))
%default-substitute-urls)))
(systems (match (filter-map (match-lambda
(('system . system) system)
Both would ease the debugging session of substitute authorization, IMHO.

Cheers,
simon
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 70243@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 70243
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch