From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-patches-bounces+larch=yhetil.org@gnu.org>
Received: from mp2 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id cGLRJPrqrl9RZAAA0tVLHw
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 13 Nov 2020 20:22:18 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2 with LMTPS
	id 0FaVIPrqrl+QKwAAB5/wlQ
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 13 Nov 2020 20:22:18 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 3E12494021E
	for <larch@yhetil.org>; Fri, 13 Nov 2020 20:22:17 +0000 (UTC)
Received: from localhost ([::1]:40852 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	id 1kdfaK-0007UL-3E
	for larch@yhetil.org; Fri, 13 Nov 2020 15:22:16 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:41216)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1kdfa7-0007Th-UB
 for guix-patches@gnu.org; Fri, 13 Nov 2020 15:22:04 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:37838)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1kdfa6-0006bq-Je
 for guix-patches@gnu.org; Fri, 13 Nov 2020 15:22:03 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1kdfa6-0007Ep-Eq
 for guix-patches@gnu.org; Fri, 13 Nov 2020 15:22:02 -0500
X-Loop: help-debbugs@gnu.org
Subject: [bug#44623] [PATCH] archive: Warn about replacing an ACL symlink.
Resent-From: Tobias Geerinckx-Rice <me@tobias.gr>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Fri, 13 Nov 2020 20:22:02 +0000
Resent-Message-ID: <handler.44623.B.160529886627753@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 44623
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 44623@debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.160529886627753
 (code B ref -1); Fri, 13 Nov 2020 20:22:02 +0000
Received: (at submit) by debbugs.gnu.org; 13 Nov 2020 20:21:06 +0000
Received: from localhost ([127.0.0.1]:49384 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1kdfZB-0007DY-Ka
 for submit@debbugs.gnu.org; Fri, 13 Nov 2020 15:21:05 -0500
Received: from lists.gnu.org ([209.51.188.17]:57734)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <me@tobias.gr>) id 1kdfZ7-0007Cl-57
 for submit@debbugs.gnu.org; Fri, 13 Nov 2020 15:21:04 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:40820)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@tobias.gr>) id 1kdfZ6-0007MH-V9
 for guix-patches@gnu.org; Fri, 13 Nov 2020 15:21:00 -0500
Received: from tobias.gr ([2a02:c205:2020:6054::1]:49526)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@tobias.gr>) id 1kdfZ3-0006Rk-IK
 for guix-patches@gnu.org; Fri, 13 Nov 2020 15:21:00 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobias.gr; s=2018;
 bh=ZhsFcuVtQXMPipUz8Xu6Rcb2kRFGBRtWgVlvtrzzs34=; h=date:subject:to:
 from; b=mV4wi/FMAaj0Z7K20Pr7jIggTDq+cdj7P5AyJKdXlXNAAkoFZHoxcCC4i9CXQc
 cRHjYghznaUuW6fSnaX+2nNYTHYfclIjvHo97bc2YZjRzZm4qGzqIZ3kxs9R69o6ec7uLE
 2rkp7G92g9IbhITq6EiXHIOjA5f0gBOS+ORox4OQXHuMKChAQjvGVae3TwGeIv7AYXv1Mc
 16TyyGwJi0hTPztSakWWyn+KOa3Gm4FYbFwj2FFXy7xNrG4db6gOBs+5ZdLLzsiGqMG88k
 fD7Cb4mHL7oEwPT65QV7GUGp5OTD6xgblWX0tZPvRL8h4YGwa1Cczr9bO/7wZ7i4/hD0Hw
 ==
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id 3d69f3dc
 (TLSv1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256:NO)
 for <guix-patches@gnu.org>; Fri, 13 Nov 2020 20:20:57 +0000 (UTC)
Date: Fri, 13 Nov 2020 21:20:41 +0100
Message-Id: <20201113202041.2447-1-me@tobias.gr>
X-Mailer: git-send-email 2.29.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a02:c205:2020:6054::1; envelope-from=me@tobias.gr;
 helo=tobias.gr
X-detected-operating-system: by eggs.gnu.org: No matching host in p0f cache.
 That's all we know.
X-Spam_score_int: -16
X-Spam_score: -1.7
X-Spam_bar: -
X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, DKIM_INVALID=0.1,
 DKIM_SIGNED=0.1, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-Spam-Score: -2.4 (--)
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+larch=yhetil.org@gnu.org>
Reply-to: Tobias Geerinckx-Rice <me@tobias.gr>, Tobias Geerinckx-Rice via Guix-patches <guix-patches@gnu.org>
From: Tobias Geerinckx-Rice via Guix-patches via <guix-patches@gnu.org>
X-Scanner: ns3122888.ip-94-23-21.eu
Authentication-Results: aspmx1.migadu.com;
	dkim=fail (headers rsa verify failed) header.d=tobias.gr header.s=2018 header.b=mV4wi/FM;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org
X-Spam-Score: -1.51
X-TUID: nzCQ4r6/Xdyu

* guix/scripts/archive.scm (authorize-key): Warn when %ACL-FILE is a
symbolic link and print an additional hint for Guix System users.
---
 guix/scripts/archive.scm | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/guix/scripts/archive.scm b/guix/scripts/archive.scm
index 02557ce454..d284196f41 100644
--- a/guix/scripts/archive.scm
+++ b/guix/scripts/archive.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -310,6 +311,16 @@ the input port."
         (leave (G_ "failed to read public key: ~a: ~a~%")
                (error-source err) (error-string err)))))
 
+  ;; Warn about potentially volatile ACLs, but continue: system reconfiguration
+  ;; might not be possible without (newly-authorized) substitutes.
+  (when (and (access? %acl-file F_OK)
+             (eq? 'symlink (stat:type (lstat %acl-file))))
+    (warning (G_ "replacing symbolic link ~a with a regular file~%")
+             %acl-file)
+    (when (string-prefix? (%store-prefix) (readlink %acl-file))
+      (display-hint (G_ "On Guix System, add public keys to the
+@code{authorized-keys} field of your @code{operating-system} instead."))))
+
   (let ((key (read-key))
         (acl (current-acl)))
     (unless (eq? 'public-key (canonical-sexp-nth-data key 0))
-- 
2.29.2