From: "Ludovic Courtès" <ludo@gnu.org>
To: Mathieu Othacehe <othacehe@gnu.org>
Cc: 45104@debbugs.gnu.org
Subject: [bug#45104] pull: Add a "with-substitutes" option.
Date: Tue, 15 Dec 2020 23:03:45 +0100
Message-ID: <875z52loam.fsf@gnu.org>
In-Reply-To: <878s9zfjt4.fsf@gnu.org> (Mathieu Othacehe's message of "Tue, 15 Dec 2020 11:24:55 +0100")

Hi,

Mathieu Othacehe <othacehe@gnu.org> skribis:

>>           (and (evaluation-complete? evaluation)
>>                (string=? "guix-modular-master"
>>                          (evaluation-spec
>>                           evaluation))))
>
> On Berlin, evaluations can be completed for days, but the associated
> builds never started. I think that searching directly for a completed
> build provides a stronger guarantee of available substitutes.

Yes, something like you proposed probably makes more sense.

My point is just that we could make the procedure available as part of
the API and document it as something people can use in their channels
file.

>>   ;; Pull the latest commit fully built on berlin.guixsd.org.
>>   (list (channel
>>          (name 'guix)
>>          (url "https://git.savannah.gnu.org/git/guix.git")
>>          (commit (pk 'commit (latest-commit-successfully-built)))))
>
> Providing such a procedure definitely makes sense though.
>
>>   (channel-with-substitutes-available
>>     (channel (name 'guix) …)
>>     "https://ci.guix.gnu.org"
>>     (specifications->manifest '("emacs" "guile")))
>
> Yes it would be the ultimate thing! However, while finding the latest
> commit with an available substitute for a derivation is quite easy,
> finding a commit with available derivations for N derivations seems way
> more difficult.

Right!

>> It does mean that we’re asking users to do extra work. Perhaps there
>> could still be a command-line option that would call
>> ‘channel-with-substitutes-available’ for you, but at least it would take
>> an explicit URL and clarify what Chris mentioned?
>
> Yes, the user would then have to provide the channels that need
> available substitutes, the URL to use for the substitution check and
> maybe a manifest that also needs available substitutes.
>
> The channels list could default to '("guix") and the URL to
> "https://ci.guix.gnu.org" as it would be a sensible default for most
> Guix users I think.

Yes, choosing good defaults can make it less intimidating.

>> BTW, doing all this is safer today because ‘guix pull’ will detect and
>> prevent downgrades. Though an attacker who manages to break into
>> ci.guix.gnu.org could cause all the users of
>> ‘channel-with-substitutes-available’ to no longer receive updates or to
>> receive them more slowly than they appear in Git simply by making CI
>> even slower than it currently is.
>
> Yes, the downgrade check definitely helps here, as it's often what will
> happen with our lagging CI. Regarding the security aspect, I think that
> breaking into ci.guix.gnu.org can have other way more impacting
> consequences.

Yeah, though here we’re opening a new vulnerability channel, independent
of substitutes. It changes the threat model.

Thanks,
Ludo’.