bug#63972: specifying a substitute server without adding its PGP key silently ignores it

bug#63972: specifying a substitute server without adding its PGP key silently ignores it

[Attila Lendvai]

i've installed a new guix, and at the first `guix system reconfigure` i specified a substitute server using --substitute-urls for That Other Channel. i had to do this, because the config.scm that contains the substitute specification is yet to be applied.

it didn't work. it prints everything as usual, including the 100% message for that substitute server, but it starts to build packages locally for which substitutes are available. i haven't noticed any indication that there's a problem with any of the substitute servers.

once i've downloaded the .pub and i finally did the right incantation (sudo guix archive --authorize < signing-key.pub), then it started to download the substitutes as i expected.

i would much prefer a behavior where a "cryptyc" exception and backtrace is printed by a toplevel error handler. it has cost me about an hour of my life.

i'd suggest the following general strategy for the entire codebase in general:

throw exceptions, and let them fly all the way up to the toplevel error handler that should print it with a backtrace. this should be the baseline, and only then start adding very specific exception handlers to print friendly and localizable error messages for various situations, and only ever swallow exceptions when it's really justified. e.g. a file-not-found error in an ensure-file-deleted function.

-- 
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“Civilization is in a race between education and catastrophe. Let us learn the truth and spread it as far and wide as our circumstances allow. For the truth is the greatest weapon we have.”
	— H.G. Wells (1866–1946)

bug#63972: specifying a substitute server without adding its PGP key silently ignores it

[Ludovic Courtès]

Hi,

Attila Lendvai <attila@lendvai.name> skribis:

> i've installed a new guix, and at the first `guix system reconfigure` i specified a substitute server using --substitute-urls for That Other Channel. i had to do this, because the config.scm that contains the substitute specification is yet to be applied.
>
> it didn't work. it prints everything as usual, including the 100% message for that substitute server, but it starts to build packages locally for which substitutes are available. i haven't noticed any indication that there's a problem with any of the substitute servers.
>
> once i've downloaded the .pub and i finally did the right incantation (sudo guix archive --authorize < signing-key.pub), then it started to download the substitutes as i expected.
>
> i would much prefer a behavior where a "cryptyc" exception and backtrace is printed by a toplevel error handler. it has cost me about an hour of my life.

I agree we should print a message when stumbling upon unauthorized
substitutes (it’s not OpenPGP, BTW).

Note that it’s not completely trivial: you might download substitutes
not signed by one of the keys in the ACL if they happen to match
substitutes that *are* signed by one of the authorized keys.

Also, when discovery is enabled, it’s preferable to silently ignore
neighboring servers that the user did not explicitly specify via
‘--substitute-urls’.

Ludo’.