From: Simon Tournier <zimon.toutoune@gmail.com>
To: "Ludovic Courtès" <ludo@gnu.org>, 67072@debbugs.gnu.org
Cc: "Josselin Poiret" <dev@jpoiret.xyz>,
"Mathieu Othacehe" <othacehe@gnu.org>,
"Ludovic Courtès" <ludo@gnu.org>,
"Tobias Geerinckx-Rice" <me@tobias.gr>,
"Ricardo Wurmus" <rekado@elephly.net>,
"Christopher Baines" <guix@cbaines.net>
Subject: [bug#67072] [PATCH 4/4] weather: Report unauthorized substitute servers.
Date: Tue, 28 Nov 2023 14:14:23 +0100
Message-ID: <87jzq2aukw.fsf@gmail.com>
In-Reply-To: <dc56e185b21eb0b3f4711e100d5e64c0aa2adc55.1699700050.git.ludo@gnu.org>
Hi,
On Sat, 11 Nov 2023 at 12:06, Ludovic Courtès <ludo@gnu.org> wrote:
> + #:use-module (guix pki)
Looking at what it drags, I notice:
--8<---------------cut here---------------start------------->8---
(define* (authorized-key? key #:optional (acl (current-acl)))
  "Return #t if KEY (a canonical sexp) is an authorized public key for archive
imports according to ACL."
  ;; Note: ACL is kept in native sexp form to make 'authorized-key?' faster,
  ;; by not having to convert it with 'canonical-sexp->sexp' on each call.
  ;; TODO: We could use a better data type for ACLs.
  (let ((key (canonical-sexp->sexp key)))
    (match acl
      (('acl
        ('entry subject-keys
                ('tag ('guix 'import)))
        ...)
       (not (not (member key subject-keys))))
      (_
       (error "invalid access-control list" acl)))))
--8<---------------cut here---------------end--------------->8---
I know it is irrelevant to the patch at hand. Maybe not. :-)
1. Why this ’(not (not’?
2. When testing the patch, I have not done --sysconfdir=/etc and it
was not able to find the correct ACL. Somehow…
> +(define (check-narinfo-authorization narinfo)
> + "Print a warning when NARINFO is not signed by an authorized key."
> + (unless (valid-narinfo? narinfo)
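Review bot: the docstring promises a warning when the narinfo "is not signed by an authorized key", but `(unless (valid-narinfo? narinfo)` fires on every validation failure, so the message would be wrong for a corrupt or mismatching signature from a key that is in the ACL; dispatch on the specific outcome (a `signature-case` with an `'unauthorized-key` clause, as suggested in this reply) and keep the authorized-key wording for that case only. The check also has to open the ACL, and in the setup reported below `/etc/guix/acl` is `-rw------- root root`, so an unprivileged `guix weather` dies with `open-file: Permission denied: "/etc/guix/acl"` before any warning is printed; catch that and report an unreadable or missing ACL as its own condition instead of aborting.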
…I entered this part – hence the look-up of (guix pki) ;-). Well, my
mistake is hard to reproduce outside of the Guix development tree, but
’valid-narinfo?’ returns false for more cases than just
unauthorized-key. Therefore, the hint could be misleading.
Since we are discussing a helper, I would run ’signature-case’
here in check-narinfo. For example, if the case is 'unauthorized-key,
then I would check if %acl-file exists. Maybe display the full
%acl-file, explaining that the key is not in it, etc.
Moreover, running “guix challenge coreutils” does not warn about
anything, when I was expecting the same warning as “guix weather”.
Last, once sysconfdir is fixed, I get:
--8<---------------cut here---------------start------------->8---
guix weather: warning: could not determine current substitute URLs; using defaults
computing 1 package derivations for x86_64-linux...
looking for 2 store items on https://ci.guix.gnu.org...
guix weather: error: open-file: Permission denied: "/etc/guix/acl"
--8<---------------cut here---------------end--------------->8---
Hum? Maybe I am doing something wrong… The file /etc/guix/acl has the
permission:
-rw------- 1 root root 528 acl
Is it incorrect? Well, if all are allowed to read (chmod a+r) then
there is no error. And it displays the warning:
--8<---------------cut here---------------start------------->8---
guix weather: warning: could not determine current substitute URLs; using defaults
--8<---------------cut here---------------end--------------->8---
And that’s because the daemon does not support the operation. This
warning appears misleading to me: personally, I think that I have
misconfigured something when that’s not the case. Instead, I would
display:
warning: using default substitute URLs
Cheers,
simon
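The two points raised in the message above, the `(not (not ...))` idiom and a diagnostic that tells an unauthorized key apart from the other ways a narinfo can fail validation (including an ACL file that exists but cannot be read), as an added Guile example that is not code from the Guix tree or from this patch series. It reuses the ACL layout and the `match` pattern of the quoted `authorized-key?`, but models keys as plain sexps and the signature check as a hash comparison; the `(KEY . SIGNED-HASH)` signature shape, the `check-signature`, `load-acl` and `explain-narinfo` names and the sample ACL are all constructed for the example, and the outcome symbols other than `'unauthorized-key` are assumptions standing in for whatever the real `signature-case` distinguishes. The double `not` is there because `member` returns the matching list tail rather than `#t`, so it normalizes the result to a boolean.

```scheme
;; Added example, not code from the Guix tree.  Keys are plain sexps and the
;; "signature" is a constructed (KEY . SIGNED-HASH) pair; real narinfo
;; signatures are libgcrypt canonical sexps checked by 'signature-case'.
(use-modules (ice-9 match))

;; Constructed ACL in the shape /etc/guix/acl takes once read as a native
;; sexp: one (entry KEY (tag (guix import))) form per authorized key.
(define sample-acl
  '(acl (entry (public-key (ecc (curve Ed25519) (q "key-A")))
               (tag (guix import)))
        (entry (public-key (ecc (curve Ed25519) (q "key-B")))
               (tag (guix import)))))

(define (authorized? key acl)
  "Return #t when KEY is one of the import-tagged keys in ACL."
  (match acl
    (('acl ('entry subject-keys ('tag ('guix 'import))) ...)
     ;; The ellipsis binds SUBJECT-KEYS to the list of every entry's key.
     ;; 'member' yields a list tail, not #t, so the double 'not' turns the
     ;; result into a plain boolean, exactly as 'authorized-key?' does.
     (not (not (member key subject-keys))))
    (_ (error "invalid access-control list" acl))))

(define (check-signature hash signature acl)
  "Classify SIGNATURE, a constructed (KEY . SIGNED-HASH) pair, against HASH
and ACL.  Returning a symbol rather than a boolean keeps the reason."
  (match signature
    ((key . signed-hash)
     (cond ((not (equal? signed-hash hash)) 'invalid-signature)
           ((not (authorized? key acl)) 'unauthorized-key)
           (else 'valid-signature)))
    (_ 'corrupt-signature)))

(define (load-acl acl-file)
  "Read ACL-FILE and return its sexp, 'missing when it does not exist, or
'unreadable when it exists but cannot be opened, which is what a 0600
root-owned /etc/guix/acl looks like to an unprivileged 'guix weather'."
  (catch 'system-error
    (lambda () (call-with-input-file acl-file read))
    (lambda args
      (let ((errno (system-error-errno args)))
        (cond ((= errno ENOENT) 'missing)
              ((= errno EACCES) 'unreadable)
              (else (apply throw args)))))))

(define (explain-narinfo hash signature acl-file)
  "Return a diagnostic naming the specific reason a narinfo is not trusted,
instead of one generic 'not signed by an authorized key' message."
  (match (load-acl acl-file)
    ('missing
     (string-append acl-file " does not exist, so no substitute key is authorized"))
    ('unreadable
     (string-append "cannot read " acl-file
                    "; rerun as a user allowed to read it"))
    (acl
     (match (check-signature hash signature acl)
       ('valid-signature "valid signature from an authorized key")
       ('unauthorized-key
        (string-append "signing key is not in " acl-file
                       "; authorize it with 'guix archive --authorize'"))
       ('invalid-signature "signature does not match the narinfo hash")
       ('corrupt-signature "signature field is malformed")))))

;; Walk each outcome on constructed inputs.  The sample ACL is written to a
;; temporary file so that 'load-acl' takes the same path as a real check.
(define (demo)
  (let* ((port (mkstemp! (string-copy "/tmp/acl-demo-XXXXXX")))
         (file (port-filename port))
         (key-b '(public-key (ecc (curve Ed25519) (q "key-B"))))
         (rogue '(public-key (ecc (curve Ed25519) (q "not-in-acl")))))
    (write sample-acl port)
    (close-port port)
    (for-each (lambda (signature)
                (display (explain-narinfo "sha256:abc" signature file))
                (newline))
              (list (cons key-b "sha256:abc")     ; valid
                    (cons rogue "sha256:abc")     ; unauthorized key
                    (cons key-b "sha256:zzz")     ; invalid signature
                    'garbage))                    ; corrupt
    (delete-file file)
    ;; Same narinfo again, now with the ACL file gone: reported as missing.
    (display (explain-narinfo "sha256:abc" (cons key-b "sha256:abc") file))
    (newline)))

(demo)
```

Run it with `guile -s` on a system where /tmp is writable. The design choice worth keeping from this sketch is that an unreadable or absent ACL is surfaced as its own condition: collapsing it into "unauthorized key" sends the user chasing `guix archive --authorize` when the actual problem is that the tool never got to read the list.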
Thread overview: 21+ messages
2023-11-11 11:03 [bug#67072] [PATCH 0/4] Helping diagnose substitute setup issues Ludovic Courtès
2023-11-11 11:06 ` [bug#67072] [PATCH 1/4] daemon: Implement ‘substitute-urls’ RPC Ludovic Courtès
2023-11-28 12:09 ` Simon Tournier
2023-12-02 10:13 ` Ludovic Courtès
2023-12-02 13:16 ` Simon Tournier
2023-11-11 11:06 ` [bug#67072] [PATCH 2/4] challenge: Use the same substitute URLs as guix-daemon Ludovic Courtès
2023-11-11 11:06 ` [bug#67072] [PATCH 3/4] weather: " Ludovic Courtès
2023-11-11 11:06 ` [bug#67072] [PATCH 4/4] weather: Report unauthorized substitute servers Ludovic Courtès
2023-11-28 13:14 ` Simon Tournier [this message]
2023-12-02 10:20 ` Ludovic Courtès
2023-12-02 13:31 ` Simon Tournier
2023-12-04 14:15 ` [bug#67072] [PATCH v2 0/4] Helping diagnose substitute setup issues Ludovic Courtès
2023-12-11 22:52 ` bug#67072: " Ludovic Courtès
2023-12-04 14:15 ` [bug#67072] [PATCH v2 1/4] daemon: Implement ‘substitute-urls’ RPC Ludovic Courtès
2023-12-04 14:15 ` [bug#67072] [PATCH v2 2/4] challenge: Use the same substitute URLs as guix-daemon Ludovic Courtès
2023-12-04 14:15 ` [bug#67072] [PATCH v2 3/4] weather: " Ludovic Courtès
2023-12-04 14:15 ` [bug#67072] [PATCH v2 4/4] weather: Report unauthorized substitute servers Ludovic Courtès
2023-11-27 17:21 ` [bug#67072] [PATCH 0/4] Helping diagnose substitute setup issues Ludovic Courtès
2023-11-28 13:17 ` Simon Tournier
2023-11-30 10:11 ` Emmanuel Agullo
2023-11-30 10:28 ` Ludovic Courtès