From: Tobias Geerinckx-Rice via Guix-patches via <guix-patches@gnu.org>
To: "(" <paren@disroot.org>
Cc: 57016@debbugs.gnu.org
Subject: [bug#57016] [PATCH] scripts: Bail out when running pull/package commands as root.
Date: Sat, 06 Aug 2022 14:30:37 +0200
Message-ID: <87r11ta52c@nckx>
In-Reply-To: <20220806114153.23153-1-paren@disroot.org>

Hi (,

"( via Guix-patches" via wrote:
> A pretty common beginner mistake, it seems, is assuming that since
> every other package manager you've used requires root for installing,
> removing, and upgrading packages, Guix must too.
>
> This is an especially dangerous assumption when applied to `guix pull`,

Running ‘guix pull’ as root is fine. There was danger in running
‘sudo guix pull’ (with Guix System defaulting to ‘sudo -E’), but
that was addressed in 7c52cad0464175370c44bd4695e4c01a62b8268f.
If it doesn't trigger reliably, let's fix that.

Running ‘guix package’ and ‘guix upgrade’ as root is also fine.

If improper use of sudo/doas/… is the real issue, address *that*,
not this loose proxy.

Ludo' factored out some of the bits in
9be470b5d2bab7ad2048c95815fee2916d45f4ad. It could make sense to
factor it out further to check, e.g., whether the effective UID
matches that of the profile's parent directory. Why should
OpenBSD packages get to hoard all the pedantic ownership checks?

> since I seem to recall

A good trigger to go investigate; not sufficient to (wrongly)
imply ‘root bad’ and throw fatal errors at perfectly legitimate
use(r)s.

Conversely, if we reliably detect and report the true issue,
there's no need for ‘--allow-root’, which by the logic of this
patch would knowingly break things. We do not provide such
options.

Huge NAK on v2 I'm afraid, but looking forward to your thoughts,

T G-R
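
The ownership test suggested in the message above (effective UID compared with the owner of the profile's parent directory), shown as an added Python example that is not part of the original message or of Guix's code. The function name, the injectable `euid` parameter and the temporary paths are assumptions made for illustration.

```python
import os
import stat
import tempfile


def check_profile_owner(profile, euid=None):
    """Compare the effective UID with the owner of PROFILE's parent directory.

    Returns (status, detail) with status one of "ok", "mismatch", "missing"
    or "not-a-directory".  EUID is injectable so the logic can be exercised
    without switching users; that parameter is an assumption of this example.
    """
    euid = os.geteuid() if euid is None else euid
    parent = os.path.dirname(os.path.abspath(profile))
    try:
        info = os.stat(parent)  # follows symlinks: the real directory's owner counts
    except (FileNotFoundError, NotADirectoryError):
        return ("missing", f"{parent} does not exist")
    if not stat.S_ISDIR(info.st_mode):
        return ("not-a-directory", f"{parent} is not a directory")
    if info.st_uid != euid:
        return ("mismatch",
                f"{parent} is owned by UID {info.st_uid}, effective UID is {euid}")
    return ("ok", f"{parent} is owned by the effective UID {euid}")


def demo():
    """Run the check against a constructed location (not a real Guix path)."""
    with tempfile.TemporaryDirectory() as home:
        profile = os.path.join(home, "profile-link")  # hypothetical profile link
        owner = os.stat(home).st_uid
        return {
            # Caller owns the directory: fine, whether or not the caller is root.
            "same-user": check_profile_owner(profile, euid=owner)[0],
            # Effective UID differs from the owner: the case worth reporting.
            "other-user": check_profile_owner(profile, euid=owner + 1)[0],
            # Parent directory absent: nothing to compare against.
            "no-parent": check_profile_owner(os.path.join(home, "gone", "p"))[0],
        }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The check keys on a UID mismatch, not on UID 0, so a user acting on a directory they own passes regardless of which user that is.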