From: "Ludovic Courtès" <ludo@gnu.org>
To: 39819-done@debbugs.gnu.org
Cc: guix-devel@gnu.org
Subject: Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
Date: Sun, 25 Oct 2020 01:08:52 +0200 [thread overview]
Message-ID: <87tuujgr23.fsf@gnu.org> (raw)
In-Reply-To: <20201021150823.20508-1-ludo@gnu.org> ("Ludovic Courtès"'s message of "Wed, 21 Oct 2020 17:08:22 +0200")
[-- Attachment #1: Type: text/plain, Size: 347 bytes --]
Hello!
I went ahead and pushed this as c6ef627c97e5e6a94688baf20892ae3429f86897
with the changes below, accounting for Vagrant’s comment and for the
fact that childhurds rely on the non-declarative behavior (which hadn’t
occurred to me before), as well as fixing other typos.
Let me know if anything is amiss!
Thanks,
Ludo’.
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch, Size: 2690 bytes --]
diff --git a/doc/guix.texi b/doc/guix.texi
index 021d430c39..efb4ea1c47 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14690,14 +14690,14 @@ Whether to authorize the substitute keys listed in
@code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
(@pxref{Substitutes}).
-When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be
+When @code{authorize-key?} is true, @file{/etc/guix/acl} cannot be
changed by invoking @command{guix archive --authorize}. You must
instead adjust @code{guix-configuration} as you wish and reconfigure the
system. This ensures that your operating system configuration file is
self-contained.
@quotation Note
-When booting or reconfiguring to a system where @code{authorize-keys?}
+When booting or reconfiguring to a system where @code{authorize-key?}
is true, the existing @file{/etc/guix/acl} file is backed up as
@file{/etc/guix/acl.bak} if it was determined to be a manually modified
file. This is to facilitate migration from earlier versions, which
@@ -14717,7 +14717,7 @@ Whether to use substitutes.
@item @code{substitute-urls} (default: @code{%default-substitute-urls})
The list of URLs where to look for substitutes by default.
-Support you would like to fetch substitutes from @code{guix.example.org}
+Suppose you would like to fetch substitutes from @code{guix.example.org}
in addition to @code{@value{SUBSTITUTE-SERVER}}. You will need to do
two things: (1) add @code{guix.example.org} to @code{substitute-urls},
and (2) authorize its signing key, having done appropriate checks
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index edd0b644f5..eaf0bbde43 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -875,7 +875,16 @@ that will be listening to receive secret keys on port 1004, TCP."
(permit-root-login #t)
(allow-empty-passwords? #t)
(password-authentication? #t)))
- %base-services/hurd))))
+
+ ;; By default, the secret service introduces a pre-initialized
+ ;; /etc/guix/acl file in the childhurd. Thus, clear
+ ;; 'authorize-key?' so that it's not overridden at activation
+ ;; time.
+ (modify-services %base-services/hurd
+ (guix-service-type config =>
+ (guix-configuration
+ (inherit config)
+ (authorize-key? #f))))))))
(define-record-type* <hurd-vm-configuration>
hurd-vm-configuration make-hurd-vm-configuration
next prev parent reply other threads:[~2020-10-24 23:09 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-11 10:39 Declarative /etc/guix/acl? Ludovic Courtès
2020-10-11 11:07 ` Jan Nieuwenhuizen
[not found] ` <87v9ffppvf.fsf@gnu.org>
2020-10-12 20:26 ` Jan Nieuwenhuizen
2020-10-21 15:08 ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
2020-10-21 16:06 ` Vagrant Cascadian
2020-10-24 23:08 ` Ludovic Courtès [this message]
2020-10-24 23:11 ` bug#39819: " Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87tuujgr23.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=39819-done@debbugs.gnu.org \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).