From: Mathieu Othacehe <othacehe@gnu.org>
To: "Christopher Baines" <mail@cbaines.net>,
"Ludovic Courtès" <ludo@gnu.org>
Cc: 45104@debbugs.gnu.org
Subject: [bug#45104] pull: Add a "with-substitutes" option.
Date: Tue, 15 Dec 2020 11:24:55 +0100
Message-ID: <878s9zfjt4.fsf@gnu.org>
In-Reply-To: <877dpktzot.fsf@gnu.org> ("Ludovic Courtès"'s message of "Mon, 14 Dec 2020 12:05:54 +0100")

Hey Chris and Ludo,

> Agreed on these points.

Yes I think you are definitely right on that point.

> (and (evaluation-complete? evaluation)
>      (string=? "guix-modular-master"
>                (evaluation-spec
>                 evaluation))))

On Berlin, evaluations can be completed for days, but the associated
builds never started. I think that searching directly for a completed
build provides a stronger guarantee of available substitutes.

> ;; Pull the latest commit fully built on berlin.guixsd.org.
> (list (channel
>        (name 'guix)
>        (url "https://git.savannah.gnu.org/git/guix.git")
>        (commit (pk 'commit (latest-commit-successfully-built)))))

Providing such a procedure definitely makes sense though.

> (channel-with-substitutes-available
>  (channel (name 'guix) …)
>  "https://ci.guix.gnu.org"
>  (specifications->manifest '("emacs" "guile")))

Yes it would be the ultimate thing! However, while finding the latest
commit with an available substitute for a derivation is quite easy,
finding a commit with available derivations for N derivations seems way
more difficult.

> It does mean that we’re asking users to do extra work. Perhaps there
> could still be a command-line option that would call
> ‘channel-with-substitutes-available’ for you, but at least it would take
> an explicit URL and clarify what Chris mentioned?

Yes, the user would then have to provide the channels that need
available substitutes, the URL to use for the substitution check and
maybe a manifest that also needs available substitutes.

The channels list could default to '("guix") and the URL to
"https://ci.guix.gnu.org" as it would be a sensible default for most
Guix users I think.

> BTW, doing all this is safer today because ‘guix pull’ will detect and
> prevent downgrades. Though an attacker who manages to break into
> ci.guix.gnu.org could cause all the users of
> ‘channel-with-substitutes-available’ to no longer receive updates or to
> receive them more slowly than they appear in Git simply by making CI
> even slower than it currently is.

Yes, the downgrade check definitely helps here, as it's often what will
happen with our lagging CI. Regarding the security aspect, I think that
breaking into ci.guix.gnu.org can have other way more impacting
consequences.

Thanks,

Mathieu
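
Added example, not part of the original message and not Guix or Cuirass code: a small Guile model of the two points discussed above, namely choosing the latest commit with a succeeded build rather than a merely completed evaluation, and refusing a CI-suggested commit that would be a downgrade. The record type, the procedure names, the sample evaluations and the commit history are all constructed for illustration; the ancestry test is a simplified stand-in for the downgrade check in 'guix pull'.

```scheme
;; Illustrative model only: hypothetical names, constructed data.
(use-modules (srfi srfi-1) (srfi srfi-9))

(define-record-type <evaluation>
  (make-evaluation id commit complete? build-status)
  evaluation?
  (id           evaluation-id)
  (commit       evaluation-commit)
  (complete?    evaluation-complete?)
  ;; 'succeeded, 'failed, or 'scheduled (the build never started).
  (build-status evaluation-build-status))

;; Constructed sample, newest first: the two most recent evaluations
;; completed, but their builds were never started.
(define %evaluations
  (list (make-evaluation 4 "d4" #t 'scheduled)
        (make-evaluation 3 "c3" #t 'scheduled)
        (make-evaluation 2 "b2" #t 'succeeded)
        (make-evaluation 1 "a1" #t 'succeeded)))

;; Constructed linear history, as (commit . parent) pairs.
(define %parents
  '(("d4" . "c3") ("c3" . "b2") ("b2" . "a1") ("a1" . #f)))

(define (latest-evaluated-commit evaluations)
  "Newest commit whose evaluation completed; says nothing about builds."
  (and=> (find evaluation-complete? evaluations) evaluation-commit))

(define (latest-built-commit evaluations)
  "Newest commit whose build succeeded, i.e. substitutes should exist."
  (and=> (find (lambda (e)
                 (eq? 'succeeded (evaluation-build-status e)))
               evaluations)
         evaluation-commit))

(define (ancestor? old new)
  "True when OLD is NEW or is reachable from NEW by following parents."
  (let loop ((commit new))
    (cond ((not commit) #f)
          ((string=? commit old) #t)
          (else (loop (assoc-ref %parents commit))))))

(define (pull-target current evaluations)
  "Commit to move to from CURRENT, never going backwards in history."
  (let ((candidate (latest-built-commit evaluations)))
    (if (and candidate (ancestor? current candidate))
        candidate
        current)))   ; no built commit, or it would be a downgrade
```

With this data, a user already on "c3" stays there because the newest built commit is older, while a user on "a1" advances only as far as the newest built commit. A CI server that stops reporting successful builds can therefore hold users back, but cannot move them backwards.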