From: ludo@gnu.org (Ludovic Courtès)
Subject: Support for signed substitutes pushed
Date: Sun, 30 Mar 2014 23:54:10 +0200
Message-ID: <87ha6fic8t.fsf@gnu.org>
References: <878urwzhpt.fsf@gnu.org>
In-Reply-To: <878urwzhpt.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

I just pushed support for signed substitutes (which is wip-signed-archives
plus many tests, documentation, and some improvements) in ‘master’.

From now on, ‘guix substitute-binary’ automatically authenticates
substitutes, and ignores those not signed by an authorized public key.
By default, no key is authorized.

On my machine, ‘guix build emacs n’ with 40 substitutes needed takes ~4.8
seconds instead of ~3.5 seconds before (wall clock.) There’s probably
room for improvement, but there’s also the fact that it has to check all
these signatures.

Please run ‘make check’, try it, and report any problems.

Note that commit bf59c06 adds the public key used to sign substitutes
from hydra.gnu.org. This commit is GPG-signed by me, like this message.
It’s a 4096-bit RSA key (RSA, not Curve25519, so that users of libgcrypt
< 1.6 can use it too):

  (public-key
   (rsa
    (n …)
    (e #010001#)
    )
   )

I would very much welcome review and feedback. The documentation
(appended below) and tests provide a good starting point.

Thanks again to Nikita for all the good work!

Ludo’.

3.3 Substitutes
===============

Guix supports transparent source/binary deployment, which means that it
can either build things locally, or download pre-built items from a
server. We call these pre-built items "substitutes"—they are
substitutes for local build results. In many cases, downloading a
substitute is much faster than building things locally.

Substitutes can be anything resulting from a derivation build (*note
Derivations::). Of course, in the common case, they are pre-built
package binaries, but source tarballs, for instance, which also result
from derivation builds, can be available as substitutes.

The ‘hydra.gnu.org’ server is a front-end to a build farm that builds
packages from the GNU distribution continuously for some architectures,
and makes them available as substitutes.

To allow Guix to download substitutes from ‘hydra.gnu.org’, you must
add its public key to the access control list (ACL) of archive imports,
using the ‘guix archive’ command (*note Invoking guix archive::). Doing
so implies that you trust ‘hydra.gnu.org’ to not be compromised and to
serve genuine substitutes.

This public key is installed along with Guix, in
‘PREFIX/share/guix/hydra.gnu.org.pub’, where PREFIX is the installation
prefix of Guix. If you installed Guix from source, make sure you checked
the GPG signature of ‘guix-0.6.tar.gz’, which contains this public key
file.
Then, you can run something like this:

     # guix archive --authorize < hydra.gnu.org.pub

Once this is in place, the output of a command like ‘guix build’
should change from something like:

     $ guix build emacs --dry-run
     The following derivations would be built:
        /gnu/store/yr7bnx8xwcayd6j95r2clmkdl1qh688w-emacs-24.3.drv
        /gnu/store/x8qsh1hlhgjx6cwsjyvybnfv2i37z23w-dbus-1.6.4.tar.gz.drv
        /gnu/store/1ixwp12fl950d15h2cj11c73733jay0z-alsa-lib-1.0.27.1.tar.bz2.drv
        /gnu/store/nlma1pw0p603fpfiqy7kn4zm105r5dmw-util-linux-2.21.drv
     …

to something like:

     $ guix build emacs --dry-run
     The following files would be downloaded:
        /gnu/store/pk3n22lbq6ydamyymqkkz7i69wiwjiwi-emacs-24.3
        /gnu/store/2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d
        /gnu/store/71yz6lgx4dazma9dwn2mcjxaah9w77jq-cairo-1.12.16
        /gnu/store/7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7
     …

This indicates that substitutes from ‘hydra.gnu.org’ are usable and will
be downloaded, when possible, for future builds.

Guix ignores substitutes that are not signed, or that are not signed by
one of the keys listed in the ACL. It also detects and raises an error
when attempting to use a substitute that has been tampered with.

The substitute mechanism can be disabled globally by running
‘guix-daemon’ with ‘--no-substitutes’ (*note Invoking guix-daemon::). It
can also be disabled temporarily by passing the ‘--no-substitutes’ option
to ‘guix package’, ‘guix build’, and other command-line tools.

Today, each individual’s control over their own computing is at the
mercy of institutions, corporations, and groups with enough power and
determination to subvert the computing infrastructure and exploit its
weaknesses.
While using ‘hydra.gnu.org’ substitutes can be convenient, we
encourage users to also build on their own, or even run their own build
farm, such that ‘hydra.gnu.org’ is less of an interesting target.

Guix has the foundations to maximize build reproducibility (*note
Features::). In most cases, independent builds of a given package or
derivation should yield bit-identical results. Thus, through a diverse
set of independent package builds, we can strengthen the integrity of our
systems.

In the future, we want Guix to have support to publish and retrieve
binaries to/from other users, in a peer-to-peer fashion. If you would
like to discuss this project, join us on .
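
Added example, not part of the original message and not Guix's code: a small Python model of the acceptance policy the documentation above describes (unsigned or unauthorized substitutes are ignored, a tampered one raises an error, and the ACL starts empty). The toy textbook-RSA keys, the names check_substitute, toy_keypair and TamperedSubstitute, and the reading of "tampered" as "a signature from an ACL key that does not verify" are assumptions made for illustration.

```python
import hashlib

E = 0x010001  # public exponent, as in the key quoted in the message

class TamperedSubstitute(Exception):
    """An authorized key's signature does not match the archive."""

def toy_keypair(p, q):
    # Textbook RSA from two primes: constructed, unpadded, far too small.
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, pub, d):
    n, _ = pub
    return {"key": pub, "sig": pow(digest(data, n), d, n)}

def check_substitute(data, signature, acl):
    """True: use the substitute.  False: ignore it and build locally.
    Raises TamperedSubstitute if an ACL key signed different content."""
    if signature is None:
        return False                 # not signed
    n, e = signature["key"]
    if signature["key"] not in acl:
        return False                 # signed, but signer is not in the ACL
    if pow(signature["sig"], e, n) != digest(data, n):
        raise TamperedSubstitute("content does not match its signature")
    return True

# Constructed sample data: two signers and one archive.
FARM_PUB, FARM_D = toy_keypair(2**89 - 1, 2**107 - 1)
OTHER_PUB, OTHER_D = toy_keypair(2**61 - 1, 2**127 - 1)
NAR = b"constructed archive contents of emacs-24.3"

def demo():
    good = sign(NAR, FARM_PUB, FARM_D)
    results = {"empty_acl": check_substitute(NAR, good, set())}
    acl = {FARM_PUB}                 # models the effect of 'guix archive --authorize'
    results["authorized"] = check_substitute(NAR, good, acl)
    results["unsigned"] = check_substitute(NAR, None, acl)
    results["other_key"] = check_substitute(NAR, sign(NAR, OTHER_PUB, OTHER_D), acl)
    try:
        check_substitute(NAR + b"!", good, acl)
        results["tampered"] = "accepted"
    except TamperedSubstitute:
        results["tampered"] = "error"
    return results

if __name__ == "__main__":
    print(demo())
```

The ACL membership test runs before any signature arithmetic, so a key that was never authorized cannot trigger the error path; it only causes a fallback to a local build.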