From: "Ludovic Courtès" <ludo@gnu.org>
To: 67072@debbugs.gnu.org
Cc: "Ludovic Courtès" <ludo@gnu.org>,
"Christopher Baines" <guix@cbaines.net>,
"Josselin Poiret" <dev@jpoiret.xyz>,
"Ludovic Courtès" <ludo@gnu.org>,
"Mathieu Othacehe" <othacehe@gnu.org>,
"Ricardo Wurmus" <rekado@elephly.net>,
"Simon Tournier" <zimon.toutoune@gmail.com>,
"Tobias Geerinckx-Rice" <me@tobias.gr>
Subject: [bug#67072] [PATCH v2 4/4] weather: Report unauthorized substitute servers.
Date: Mon, 4 Dec 2023 15:15:45 +0100 [thread overview]
Message-ID: <00a2a9b80cad49f9809c0c339349573bdf7d1b9c.1701699075.git.ludo@gnu.org> (raw)
In-Reply-To: <875y1gj47u.fsf@gnu.org>
The goal is to make it easier to diagnose substitute
misconfiguration (where we’re passing a substitute URL whose
corresponding key is not authorized).
Suggested by Emmanuel Agullo.
* guix/scripts/weather.scm (check-narinfo-authorization): New procedure.
(report-server-coverage): Use it.
* doc/guix.texi (Invoking guix weather): Document it.
(Getting Substitutes from Other Servers): Add “Troubleshooting” frame.
Change-Id: I0a049c39eefb10d6a06634c8b16aa86902769791
---
doc/guix.texi | 21 +++++++++++++++-
guix/scripts/weather.scm | 53 ++++++++++++++++++++++++++++++++++++++--
2 files changed, 71 insertions(+), 3 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 74739c5392..f1780df5a1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -4058,6 +4058,7 @@ Substitute Server Authorization
@node Getting Substitutes from Other Servers
@subsection Getting Substitutes from Other Servers
+@c Note: This section name appears in a hint printed by 'guix weather'.
@cindex substitute servers, adding more
Guix can look up and fetch substitutes from several servers. This is
@@ -4157,6 +4158,21 @@ Getting Substitutes from Other Servers
substitute lookup can be slowed down if too many servers need to be
contacted.
+@quotation Troubleshooting
+To diagnose problems, you can run @command{guix weather}. For example,
+running:
+
+@example
+guix weather coreutils
+@end example
+
+@noindent
+not only tells you which of the currently-configured servers has
+substitutes for the @code{coreutils} package, it also reports whether
+one of these servers is unauthorized. @xref{Invoking guix weather}, for
+more information.
+@end quotation
+
Note that there are also situations where one may want to add the URL of
a substitute server @emph{without} authorizing its key.
@xref{Substitute Authentication}, to understand this fine point.
@@ -16437,7 +16453,10 @@ Invoking guix weather
specified servers so you can have an idea of whether you'll be grumpy
today. It can sometimes be useful info as a user, but it is primarily
useful to people running @command{guix publish} (@pxref{Invoking guix
-publish}).
+publish}). Sometimes substitutes @emph{are} available but they are not
+authorized on your system; @command{guix weather} reports it so you can
+authorize them if you want (@pxref{Getting Substitutes from Other
+Servers}).
@cindex statistics, for substitutes
@cindex availability of substitutes
diff --git a/guix/scripts/weather.scm b/guix/scripts/weather.scm
index 7e302fcea7..2f8985593d 100644
--- a/guix/scripts/weather.scm
+++ b/guix/scripts/weather.scm
@@ -35,6 +35,8 @@ (define-module (guix scripts weather)
#:use-module ((guix build utils) #:select (every*))
#:use-module (guix substitutes)
#:use-module (guix narinfo)
+ #:use-module (guix pki)
+ #:autoload (gcrypt pk-crypto) (canonical-sexp->string)
#:use-module (guix http-client)
#:use-module (guix ci)
#:use-module (guix sets)
@@ -185,6 +187,44 @@ (define (store-item-system store item)
(()
#f)))
+(define (check-narinfo-authorization narinfo)
+ "Print a warning when NARINFO is not signed by an authorized key."
+ (define acl
+ (catch 'system-error
+ (lambda ()
+ (current-acl))
+ (lambda args
+ (warning (G_ "could not read '~a': ~a~%")
+ %acl-file (strerror (system-error-errno args)))
+ (warning (G_ "'~a' is unreadable, cannot determine whether \
+substitutes are authorized~%")
+ %acl-file)
+ #f)))
+
+ (unless (or (not acl) (valid-narinfo? narinfo acl))
+ (warning (G_ "substitutes from '~a' are unauthorized~%")
+ (narinfo-uri-base narinfo))
+ ;; The "all substitutes" below reflects the fact that, in reality, it *is*
+ ;; possible to download "unauthorized" substitutes, as long as they match
+ ;; authorized substitutes.
+ (display-hint (G_ "To authorize all substitutes from @uref{~a} to be
+downloaded, the following command needs to be run as root:
+
+@example
+guix archive --authorize <<EOF
+~a
+EOF
+@end example
+
+Alternatively, on Guix System, you can add the signing key above to the
+@code{authorized-keys} field of @code{guix-configuration}.
+
+See \"Getting Substitutes from Other Servers\" in the manual for more
+information.")
+ (narinfo-uri-base narinfo)
+ (canonical-sexp->string
+ (signature-subject (narinfo-signature narinfo))))))
+
(define* (report-server-coverage server items
#:key display-missing?)
"Report the subset of ITEMS available as substitutes on SERVER.
@@ -204,6 +244,12 @@ (define* (report-server-coverage server items
#:make-progress-reporter
(lambda* (total #:key url #:allow-other-keys)
(progress-reporter/bar total)))))
+ (match narinfos
+ (() #f)
+ ((narinfo . _)
+ ;; Help diagnose missing substitute authorizations.
+ (check-narinfo-authorization narinfo)))
+
(let ((obtained (length narinfos))
(requested (length items))
(missing (lset-difference string=?
@@ -586,8 +632,11 @@ (define-command (guix-weather . args)
(with-store store
(substitute-urls store))
(begin
- (warning (G_ "could not determine current \
-substitute URLs; using defaults~%"))
+ ;; Could not determine the daemon's current
+ ;; substitute URLs, presumably because it's too
+ ;; old.
+ (warning (G_ "using default \
+substitute URLs~%"))
%default-substitute-urls)))
(systems (match (filter-map (match-lambda
(('system . system) system)
--
2.41.0
next prev parent reply other threads:[~2023-12-04 14:17 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-11 11:03 [bug#67072] [PATCH 0/4] Helping diagnose substitute setup issues Ludovic Courtès
2023-11-11 11:06 ` [bug#67072] [PATCH 1/4] daemon: Implement ‘substitute-urls’ RPC Ludovic Courtès
2023-11-28 12:09 ` Simon Tournier
2023-12-02 10:13 ` Ludovic Courtès
2023-12-02 13:16 ` Simon Tournier
2023-11-11 11:06 ` [bug#67072] [PATCH 2/4] challenge: Use the same substitute URLs as guix-daemon Ludovic Courtès
2023-11-11 11:06 ` [bug#67072] [PATCH 3/4] weather: " Ludovic Courtès
2023-11-11 11:06 ` [bug#67072] [PATCH 4/4] weather: Report unauthorized substitute servers Ludovic Courtès
2023-11-28 13:14 ` Simon Tournier
2023-12-02 10:20 ` Ludovic Courtès
2023-12-02 13:31 ` Simon Tournier
2023-12-04 14:15 ` [bug#67072] [PATCH v2 0/4] Helping diagnose substitute setup issues Ludovic Courtès
2023-12-11 22:52 ` bug#67072: " Ludovic Courtès
2023-12-04 14:15 ` [bug#67072] [PATCH v2 1/4] daemon: Implement ‘substitute-urls’ RPC Ludovic Courtès
2023-12-04 14:15 ` [bug#67072] [PATCH v2 2/4] challenge: Use the same substitute URLs as guix-daemon Ludovic Courtès
2023-12-04 14:15 ` [bug#67072] [PATCH v2 3/4] weather: " Ludovic Courtès
2023-12-04 14:15 ` Ludovic Courtès [this message]
2023-11-27 17:21 ` [bug#67072] [PATCH 0/4] Helping diagnose substitute setup issues Ludovic Courtès
2023-11-28 13:17 ` Simon Tournier
2023-11-30 10:11 ` Emmanuel Agullo
2023-11-30 10:28 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00a2a9b80cad49f9809c0c339349573bdf7d1b9c.1701699075.git.ludo@gnu.org \
--to=ludo@gnu.org \
--cc=67072@debbugs.gnu.org \
--cc=dev@jpoiret.xyz \
--cc=guix@cbaines.net \
--cc=me@tobias.gr \
--cc=othacehe@gnu.org \
--cc=rekado@elephly.net \
--cc=zimon.toutoune@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).