From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: [PATCH 2/2] scripts: Add 'publish' command.
Date: Fri, 27 Mar 2015 23:41:06 +0100
Message-ID: <87pp7u6p31.fsf@gnu.org>
References: <87egon1xkg.fsf@fsf.org> <878uev1xcz.fsf@fsf.org> <87k2yeha77.fsf@gnu.org> <87wq22gyxb.fsf@fsf.org>
In-Reply-To: <87wq22gyxb.fsf@fsf.org> (David Thompson's message of "Fri, 27 Mar 2015 12:58:24 -0400")
To: David Thompson
Cc: guix-devel@gnu.org

David Thompson skribis:

> From a40d47dc64571aade0c92b4bdf3c56f6870842cc Mon Sep 17 00:00:00 2001
> From: David Thompson
> Date: Tue, 17 Mar 2015 10:21:31 -0400
> Subject: [PATCH 2/2] scripts: Add 'publish' command.
>
> * guix/scripts/publish.scm: New file.
> * po/guix/POTFILES.in: Add it.
> * tests/publish.scm: New file.
> * Makefile.am (MODULES): Add script module.
> (SCM_TESTS): Add test module.
> * doc/guix.texi ("Invoking guix publish"): New node.

[...]

> +@node Invoking guix publish > +@section Invoking @command{guix publish} > + > +The purpose of @command{guix publish} is to enable users to easily share > +their store with others. When @command{guix publish} runs, it spawns an > +HTTP server which allows anyone with network access to obtain > +substitutes from it. This means that any machine running Guix can also > +act as if it were a build farm, since the HTTP interface is > +Hydra-compatible. For security, each substitute is signed with the > +system's signing key (@pxref{Invoking guix archive}).

I would skip a line after “Hydra-compatible,” and make it like:

  For security, each substitute is signed, allowing recipients to check
  their authenticity and integrity (@pxref{Substitutes}). Because
  @command{guix publish} uses the system's signing key, which is only
  readable by the system administrator, it must run as root.

> +@command{guix publish} is a tool for system administrators, so only the > +root user may invoke it.

... so this sentence can be removed.

Note for later: it should drop privileges once the key has been read and the port open.

> +Once a publishing server has been authorized (@pxref{Invoking guix archi= ve}), > +the Guix daemon may use it to download substitutes:

“the daemon may download substitutes from it:”

> +(define (read-file-sexp file) > + (call-with-input-file file > + (compose string->canonical-sexp > + get-string-all))) > + > +(define %private-key > + (read-file-sexp %private-key-file)) > + > +(define %public-key > + (read-file-sexp %public-key-file))

Since this can throw, it should not be done at the top-level. So it should be wrapped in ‘delay’ or in a thunk.

> +(define (narinfo-string store-path path-info key)

Docstring please. :-)

> +(define (render-nar request store-item) > + "Render archive of the store path corresponding to STORE-ITEM."
> + (let ((store-path (string-append %store-directory "/" store-item))) > + ;; The ISO-8859-1 charset *must* be used otherwise HTTP clients will > + ;; interpret the byte stream as UTF-8 and arbitrarily change invalid= byte > + ;; sequences. > + (if (file-exists? store-path) > + (values '((content-type . (application/x-nix-archive > + (charset . "ISO-8859-1")))) > + (lambda (port) > + (write-file store-path port))) > + (not-found request))))

This is OK for now, but I just realized that this will be blocking the server for the duration of the whole transfer. Someone could DoS you by substituting TeX Live. ;-)

We’ll need a solution but it seems that it’ll be hard to avoid threads. Thoughts?

> +(define (guix-publish . args) > + (with-error-handling > + (let* ((opts (parse-command-line args %options (list %default-option= s)))

I had overlooked it but it should use plain ‘args-fold*’ instead of ‘parse-command-line’ (the latter handles $GUIX_BUILD_OPTIONS and ‘guix publish’ doesn’t build anything.)

> + (store (open-connection)))

Use (with-store store body ...) instead.

OK to push with these changes.

Thanks!

Ludo’.
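
Review bot: the new "Invoking guix publish" node should say outright what is exposed. It says the server "allows anyone with network access to obtain substitutes from it", but it does not spell out that this covers every item in the store, with no authentication in front of it. A sentence telling administrators to keep the port off untrusted networks unless all store contents are meant to be public would make that consequence hard to miss.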
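
Review bot: in the key-loading hunk, %private-key is a module-level binding, so the secret key is read by any code that loads the module (the new tests/publish.scm included) and stays reachable for the whole life of a process that also parses requests from the network. Reading the key inside guix-publish and passing it explicitly to the signing code would limit access to the private key file to the server entry point.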
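
Review bot: render-nar builds the path with (string-append %store-directory "/" store-item) and the only check before write-file is file-exists?, so nothing in this hunk guarantees that store-item is a single store file name. Unless the caller already rejects values containing "/" or "..", the resulting path can point outside the store, and the process runs as root. Validating store-item here, and asking the store whether the path is a valid store path instead of only testing that a file exists, would close that gap and avoid serving partially built or otherwise invalid items.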