Subject: [bug#45104] pull: Add a "with-substitutes" option.
From: Mathieu Othacehe
To: Christopher Baines, Ludovic Courtès
Date: Tue, 15 Dec 2020 11:24:55 +0100
Cc: 45104@debbugs.gnu.org

Hey Chris and Ludo,

> Agreed on these points.

Yes I think you are definitely right on that point.

>         (and (evaluation-complete? evaluation)
>              (string=? "guix-modular-master"
>                        (evaluation-spec evaluation))))

On Berlin, evaluations can be completed for days, but the associated
builds never started. I think that searching directly for a completed
build provides a stronger guarantee of available substitutes.

> ;; Pull the latest commit fully built on berlin.guixsd.org.
> (list (channel
>         (name 'guix)
>         (url "https://git.savannah.gnu.org/git/guix.git")
>         (commit (pk 'commit (latest-commit-successfully-built)))))

Providing such a procedure definitely makes sense though.

>   (channel-with-substitutes-available
>     (channel (name 'guix) …)
>     "https://ci.guix.gnu.org"
>     (specifications->manifest '("emacs" "guile")))

Yes it would be the ultimate thing! However, while finding the latest
commit with an available substitute for a derivation is quite easy,
finding a commit with available derivations for N derivations seems way
more difficult.

> It does mean that we’re asking users to do extra work.  Perhaps there
> could still be a command-line option that would call
> ‘channel-with-substitutes-available’ for you, but at least it would take
> an explicit URL and clarify what Chris mentioned?

Yes, the user would then have to provide the channels that need
available substitutes, the URL to use for the substitution check and
maybe a manifest that also needs available substitutes.

The channels list could default to '("guix") and the URL to
"https://ci.guix.gnu.org" as it would be a sensible default for most
Guix users I think.

> BTW, doing all this is safer today because ‘guix pull’ will detect and
> prevent downgrades.  Though an attacker who manages to break into
> ci.guix.gnu.org could cause all the users of
> ‘channel-with-substitutes-available’ to no longer receive updates or to
> receive them more slowly than they appear in Git simply by making CI
> even slower than it currently is.

Yes, the downgrade check definitely helps here, as it's often what will
happen with our lagging CI. Regarding the security aspect, I think that
breaking into ci.guix.gnu.org can have other way more impacting
consequences.

Thanks,

Mathieu
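
The two points discussed above (a completed evaluation versus a completed build, and the downgrade check limiting what a CI answer can do to a client), as an added Python model that is not part of the original message and is not Guix or Cuirass code. The record fields, build statuses, commit names and the linear history are constructed assumptions.

```python
"""Model of the commit-selection logic discussed in this thread.

Not Guix or Cuirass code: the record fields, status strings and commit
names are constructed for illustration.
"""

SPEC = "guix-modular-master"  # specification name quoted in the thread

# Constructed linear Git history, oldest first (real history is a DAG).
HISTORY = ["c1", "c2", "c3", "c4", "c5"]

# Constructed CI state, oldest first: every evaluation is "complete",
# but only some of them have a build that actually finished.
EVALUATIONS = [
    {"commit": "c2", "spec": SPEC, "complete": True, "build": "succeeded"},
    {"commit": "c3", "spec": SPEC, "complete": True, "build": "succeeded"},
    {"commit": "c4", "spec": SPEC, "complete": True, "build": "scheduled"},
    {"commit": "c5", "spec": SPEC, "complete": True, "build": None},
]


class DowngradeError(Exception):
    """Raised when the target commit is not a descendant of the current one."""


def latest_evaluated(evaluations, spec=SPEC):
    """Newest commit whose evaluation completed (the weaker criterion)."""
    done = [e["commit"] for e in evaluations
            if e["spec"] == spec and e["complete"]]
    return done[-1] if done else None


def latest_built(evaluations, spec=SPEC):
    """Newest commit with a finished build (the stronger criterion)."""
    built = [e["commit"] for e in evaluations
             if e["spec"] == spec and e["build"] == "succeeded"]
    return built[-1] if built else None


def pull(history, current, target):
    """Move to `target` unless that would go backwards in history."""
    if target is None:
        return current  # CI has nothing to offer: stay where we are
    if target not in history or history.index(target) < history.index(current):
        raise DowngradeError(f"{target} is not a descendant of {current}")
    return target
```

In this model a CI that reports only old commits cannot move a client backwards; the worst outcome is that the client stays on its current commit while Git moves ahead.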