From: Ludovic Courtès
To: 45895@debbugs.gnu.org
Subject: bug#45895: Channel authentication should start at the current commit(s)
Date: Tue, 02 Feb 2021 09:46:39 +0100
Message-ID: <87wnvqg8ls.fsf@gnu.org>
In-Reply-To: <87czy6xffy.fsf@inria.fr> (Ludovic Courtès's message of "Fri, 15 Jan 2021 18:44:49 +0100")

Hi,

Ludovic Courtès wrote:

> Currently, the first ‘guix pull’ (when ~/.cache/guix is empty)
> authenticates starting from the introductory commit.  For the ‘guix’
> channel, that’s 11K commits today, which takes about a minute to process
> on modern hardware.
>
> Authentication should instead consider the current commits, as returned
> by ‘guix describe’, authenticated, and start from there.

The attached patch does that.

Ludo’.

From 9bbce577036f2018d605d111042b0a7fc1be266b Mon Sep 17 00:00:00 2001
From: Ludovic Courtès
Date: Tue, 2 Feb 2021 09:37:33 +0100
Subject: [PATCH] channels: Consider the current channel commit as authentic.

Fixes .

When the ~/.cache/guix/authentication is empty, this change allows
authentication to start at the current commit, as shown by 'guix describe',
instead of starting from the introductory commit, which would take more and
more time (there's currently 18K commits per year).

* guix/git-authenticate.scm (authenticate-repository): Add #:authentic-commits.
[authenticated-commits]: Append it.
* guix/channels.scm (authenticate-channel)[authentic-commits]: New variable.
Pass it to 'authenticate-repository'.
--- guix/channels.scm | 14 ++++++++++++++ guix/git-authenticate.scm | 9 ++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/guix/channels.scm b/guix/channels.scm index 3cc3b4c438..05226e766b 100644 --- a/guix/channels.scm +++ b/guix/channels.scm @@ -47,6 +47,7 @@ #:use-module (srfi srfi-26) #:use-module (srfi srfi-34) #:use-module (srfi srfi-35) + #:autoload (guix describe) (current-channels) ;XXX: circular dep #:autoload (guix self) (whole-package make-config.scm) #:autoload (guix inferior) (gexp->derivation-in-inferior) ;FIXME: circ= ular dep #:autoload (guix quirks) (%quirks %patches applicable-patch? apply-pat= ch) @@ -344,6 +345,18 @@ commits)...~%") =20 (progress-reporter/bar (length commits))) =20 + (define authentic-commits + ;; Consider the currently-used commit of CHANNEL as authentic so + ;; authentication can skip it and all its closure. + (match (find (lambda (candidate) + (eq? (channel-name candidate) (channel-name channel))) + (current-channels)) + (#f '()) + (channel + (if (channel-commit channel) + (list (channel-commit channel)) + '())))) + ;; XXX: Too bad we need to re-open CHECKOUT. (with-repository checkout repository (authenticate-repository repository 
@@ -354,6 +367,7 @@ commits)...~%") #:keyring-reference (string-append keyring-reference-prefix keyring-reference) + #:authentic-commits authentic-commits #:make-reporter make-reporter #:cache-key cache-key))) =20 diff --git a/guix/git-authenticate.scm b/guix/git-authenticate.scm index 4ab5419bd6..ab3fcd8b2f 100644 --- a/guix/git-authenticate.scm +++ b/guix/git-authenticate.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright =C2=A9 2019, 2020 Ludovic Court=C3=A8s +;;; Copyright =C2=A9 2019, 2020, 2021 Ludovic Court=C3=A8s ;;; ;;; This file is part of GNU Guix. ;;; @@ -376,12 +376,14 @@ instead of '~a'") (cache-key (repository-cache-key reposit= ory)) (end (reference-target (repository-head repository))) + (authentic-commits '()) (historical-authorizations '()) (make-reporter (const progress-reporter/silent))) "Authenticate REPOSITORY up to commit END, an OID. Authentication starts with commit START, an OID, which must be signed by SIGNER; an exception is -raised if that is not the case. Return an alist mapping OpenPGP public ke= ys +raised if that is not the case. Commits listed in AUTHENTIC-COMMITS and t= heir +closure are considered authentic. Return an alist mapping OpenPGP public = keys to the number of commits signed by that key that have been traversed. =20 The OpenPGP keyring is loaded from KEYRING-REFERENCE in REPOSITORY, where @@ -404,7 +406,8 @@ denoting the authorized keys for commits whose parent l= ack the (filter-map (lambda (id) (false-if-git-not-found (commit-lookup repository (string->oid id)))) - (previously-authenticated-commits cache-key))) + (append (previously-authenticated-commits cache-key) + authentic-commits))) =20 (define commits ;; Commits to authenticate, excluding the closure of --=20 2.30.0 --=-=-=--
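Review bot: In the `authentic-commits` definition added to guix/channels.scm, the entry from `(current-channels)` is selected by `(eq? (channel-name candidate) (channel-name channel))` alone, and its commit is then treated as authentic with no visible check that it belongs to the same URL and introduction, or that it was itself authenticated when it was pulled. Consider also comparing the channel URL or introduction before trusting the commit, or state in the comment why name equality is sufficient. Separately, the second `match` clause binds `channel`, which shadows the procedure's own `channel` argument; a distinct name such as `current` would make it clear which record `channel-commit` is applied to.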
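Review bot: The docstring sentence added to `authenticate-repository` ("Commits listed in AUTHENTIC-COMMITS and their closure are considered authentic") does not give the expected type, while START and END are documented as OIDs. The last hunk passes each entry through `string->oid`, so AUTHENTIC-COMMITS has to be a list of commit ID strings; say so in the docstring, and note that the caller is responsible for having authenticated those commits, since their closure is excluded from verification.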
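Review bot: On the `(append (previously-authenticated-commits cache-key) authentic-commits)` change in guix/git-authenticate.scm, an entry that is not in the repository is dropped silently by `false-if-git-not-found`, which is a safe default, but the diffstat lists only the two source files and no test. A test that passes `#:authentic-commits` and checks that commits outside the closure are still verified, plus one with an ID missing from the repository, would pin down both paths.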