unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#50892] [PATCH] guix-install.sh: Authorize all project build farms at once.
@ 2021-09-29 15:43 Tobias Geerinckx-Rice via Guix-patches via
  2021-09-29 16:49 ` Tobias Geerinckx-Rice via Guix-patches via
  2021-09-29 16:51 ` [bug#50892] [PATCH] guix-install.sh: Authorize all project build farms at once Maxim Cournoyer
  0 siblings, 2 replies; 6+ messages in thread
From: Tobias Geerinckx-Rice via Guix-patches via @ 2021-09-29 15:43 UTC (permalink / raw)
  To: 50892

* etc/guix-install.sh (sys_authorize_build_farms):
Iterate over all hosts.
---
 etc/guix-install.sh | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index b0d4a8b95e..e3b8485a50 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -1,21 +1,21 @@
 #!/bin/sh
 # GNU Guix --- Functional package management for GNU
 # Copyright © 2017 sharlatan <sharlatanus@gmail.com>
 # Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
 # Copyright © 2018 Efraim Flashner <efraim@flashner.co.il>
-# Copyright © 2019, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
+# Copyright © 2019–2021 Tobias Geerinckx-Rice <me@tobias.gr>
 # Copyright © 2020 Morgan Smith <Morgan.J.Smith@outlook.com>
 # Copyright © 2020 Simon Tournier <zimon.toutoune@gmail.com>
 # Copyright © 2020 Daniel Brooks <db48x@db48x.net>
 # Copyright © 2021 Jakub Kądziołka <kuba@kadziolka.net>
 # Copyright © 2021 Chris Marusich <cmmarusich@gmail.com>
 # Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 #
 # This file is part of GNU Guix.
 #
 # GNU Guix is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 3 of the License, or (at
 # your option) any later version.
 #
 # GNU Guix is distributed in the hope that it will be useful, but
@@ -476,38 +476,45 @@ sys_enable_guix_daemon()
             ;;
     esac
 
     _msg "${INF}making the guix command available to other users"
 
     [ -e "$local_bin" ] || mkdir -p "$local_bin"
     ln -sf "${var_guix}/bin/guix"  "$local_bin"
 
     [ -e "$info_path" ] || mkdir -p "$info_path"
     for i in "${var_guix}"/share/info/*; do
         ln -sf "$i" "$info_path"
     done
 }
 
 sys_authorize_build_farms()
-{ # authorize the public key of the build farm
+{ # authorize the public key(s) of the build farm(s)
+    local hosts=(
+	ci.guix.gnu.org
+	bordeaux.guix.gnu.org
+    )
+
     if prompt_yes_no "Permit downloading pre-built package binaries from the \
-project's build farm? (yes/no)"; then
-        guix archive --authorize \
-             < "~root/.config/guix/current/share/guix/ci.guix.gnu.org.pub" \
-            && _msg "${PAS}Authorized public key for ci.guix.gnu.org"
-        else
-            _msg "${INF}Skipped authorizing build farm public keys"
+project's build farms? (yes/no)"; then
+        for host in "${hosts[@]}"; do
+            guix archive --authorize \
+                 < "~root/.config/guix/current/share/guix/$host.pub" \
+                && _msg "${PAS}Authorized public key for $host"
+        done
+    else
+        _msg "${INF}Skipped authorizing build farm public keys"
     fi
 }
 
 sys_create_init_profile()
 { # Define for better desktop integration
   # This will not take effect until the next shell or desktop session!
     [ -d "/etc/profile.d" ] || mkdir /etc/profile.d # Just in case
     cat <<"EOF" > /etc/profile.d/guix.sh
 # _GUIX_PROFILE: `guix pull` profile
 _GUIX_PROFILE="$HOME/.config/guix/current"
 export PATH="$_GUIX_PROFILE/bin${PATH:+:}$PATH"
 # Export INFOPATH so that the updated info pages can be found
 # and read by both /usr/bin/info and/or $GUIX_PROFILE/bin/info
 # When INFOPATH is unset, add a trailing colon so that Emacs
 # searches 'Info-default-directory-list'.
-- 
2.33.0





^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [bug#50892] [PATCH] guix-install.sh: Authorize all project build farms at once.
  2021-09-29 15:43 [bug#50892] [PATCH] guix-install.sh: Authorize all project build farms at once Tobias Geerinckx-Rice via Guix-patches via
@ 2021-09-29 16:49 ` Tobias Geerinckx-Rice via Guix-patches via
       [not found]   ` <87edtaf7sz.fsf_-_@gnu.org>
  2021-09-29 16:51 ` [bug#50892] [PATCH] guix-install.sh: Authorize all project build farms at once Maxim Cournoyer
  1 sibling, 1 reply; 6+ messages in thread
From: Tobias Geerinckx-Rice via Guix-patches via @ 2021-09-29 16:49 UTC (permalink / raw)
  Cc: 50892

[-- Attachment #1: Type: text/plain, Size: 269 bytes --]

Tobias Geerinckx-Rice via Guix-patches via 写道:
> +                 < 
> "~root/.config/guix/current/share/guix/$host.pub" \

This file is missing for bordeaux in the 1.3.0 release, so this 
would have to wait until the next one…

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [bug#50892] [PATCH] guix-install.sh: Authorize all project build farms at once.
  2021-09-29 15:43 [bug#50892] [PATCH] guix-install.sh: Authorize all project build farms at once Tobias Geerinckx-Rice via Guix-patches via
  2021-09-29 16:49 ` Tobias Geerinckx-Rice via Guix-patches via
@ 2021-09-29 16:51 ` Maxim Cournoyer
  1 sibling, 0 replies; 6+ messages in thread
From: Maxim Cournoyer @ 2021-09-29 16:51 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: 50892

Tobias Geerinckx-Rice <me@tobias.gr> writes:

> * etc/guix-install.sh (sys_authorize_build_farms):
> Iterate over all hosts.
> ---
>  etc/guix-install.sh | 23 +++++++++++++++--------
>  1 file changed, 15 insertions(+), 8 deletions(-)
>
> diff --git a/etc/guix-install.sh b/etc/guix-install.sh
> index b0d4a8b95e..e3b8485a50 100755
> --- a/etc/guix-install.sh
> +++ b/etc/guix-install.sh
> @@ -1,21 +1,21 @@
>  #!/bin/sh
>  # GNU Guix --- Functional package management for GNU
>  # Copyright © 2017 sharlatan <sharlatanus@gmail.com>
>  # Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
>  # Copyright © 2018 Efraim Flashner <efraim@flashner.co.il>
> -# Copyright © 2019, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
> +# Copyright © 2019–2021 Tobias Geerinckx-Rice <me@tobias.gr>
>  # Copyright © 2020 Morgan Smith <Morgan.J.Smith@outlook.com>
>  # Copyright © 2020 Simon Tournier <zimon.toutoune@gmail.com>
>  # Copyright © 2020 Daniel Brooks <db48x@db48x.net>
>  # Copyright © 2021 Jakub Kądziołka <kuba@kadziolka.net>
>  # Copyright © 2021 Chris Marusich <cmmarusich@gmail.com>
>  # Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
>  #
>  # This file is part of GNU Guix.
>  #
>  # GNU Guix is free software; you can redistribute it and/or modify it
>  # under the terms of the GNU General Public License as published by
>  # the Free Software Foundation; either version 3 of the License, or (at
>  # your option) any later version.
>  #
>  # GNU Guix is distributed in the hope that it will be useful, but
> @@ -476,38 +476,45 @@ sys_enable_guix_daemon()
>              ;;
>      esac
>  
>      _msg "${INF}making the guix command available to other users"
>  
>      [ -e "$local_bin" ] || mkdir -p "$local_bin"
>      ln -sf "${var_guix}/bin/guix"  "$local_bin"
>  
>      [ -e "$info_path" ] || mkdir -p "$info_path"
>      for i in "${var_guix}"/share/info/*; do
>          ln -sf "$i" "$info_path"
>      done
>  }
>  
>  sys_authorize_build_farms()
> -{ # authorize the public key of the build farm
> +{ # authorize the public key(s) of the build farm(s)
> +    local hosts=(
> +	ci.guix.gnu.org
> +	bordeaux.guix.gnu.org
> +    )
> +
>      if prompt_yes_no "Permit downloading pre-built package binaries from the \
> -project's build farm? (yes/no)"; then
> -        guix archive --authorize \
> -             < "~root/.config/guix/current/share/guix/ci.guix.gnu.org.pub" \
> -            && _msg "${PAS}Authorized public key for ci.guix.gnu.org"
> -        else
> -            _msg "${INF}Skipped authorizing build farm public keys"
> +project's build farms? (yes/no)"; then
> +        for host in "${hosts[@]}"; do
> +            guix archive --authorize \
> +                 < "~root/.config/guix/current/share/guix/$host.pub" \
> +                && _msg "${PAS}Authorized public key for $host"
> +        done
> +    else
> +        _msg "${INF}Skipped authorizing build farm public keys"
>      fi
>  }
>  
>  sys_create_init_profile()
>  { # Define for better desktop integration
>    # This will not take effect until the next shell or desktop session!
>      [ -d "/etc/profile.d" ] || mkdir /etc/profile.d # Just in case
>      cat <<"EOF" > /etc/profile.d/guix.sh
>  # _GUIX_PROFILE: `guix pull` profile
>  _GUIX_PROFILE="$HOME/.config/guix/current"
>  export PATH="$_GUIX_PROFILE/bin${PATH:+:}$PATH"
>  # Export INFOPATH so that the updated info pages can be found
>  # and read by both /usr/bin/info and/or $GUIX_PROFILE/bin/info
>  # When INFOPATH is unset, add a trailing colon so that Emacs
>  # searches 'Info-default-directory-list'.

Tested on a VM:

./guix-install.sh: line 500: ~root/.config/guix/current/share/guix/bordeaux.guix.gnu.org.pub: No such file or directory
root@ubuntu:~# echo $?
1

I think we should fetch the keys from our online repo, so we can ensure

1. they are available
2. they are up to date.

Thanks!

Maxim




^ permalink raw reply	[flat|nested] 6+ messages in thread

* [bug#50892] [PATCH] guix-install.sh: Authorize all project build farms at once.
       [not found]   ` <87edtaf7sz.fsf_-_@gnu.org>
@ 2022-12-08 21:27     ` pelzflorian (Florian Pelz)
  2022-12-09  9:01       ` bug#50892: bug#59781: [version 1.4.0rc1] install.sh script should authorize bordeaux Ludovic Courtès
       [not found]     ` <87ililzhx8.fsf@nckx>
  1 sibling, 1 reply; 6+ messages in thread
From: pelzflorian (Florian Pelz) @ 2022-12-08 21:27 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 59781, Tobias Geerinckx-Rice, 50892

Ludovic Courtès <ludo@gnu.org> writes:
> If there are no objections I’d like to push to ‘master’ and
> ‘version-1.4.0’ this modified version of your patch.

Thank you two, this patch works (on 1.3.0 only ci.guix.gnu.org, on
1.4.0rc1 also bordeaux, except when I decline authorization).

Regards,
Florian




^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#50892: bug#59781: [version 1.4.0rc1] install.sh script should authorize bordeaux
  2022-12-08 21:27     ` pelzflorian (Florian Pelz)
@ 2022-12-09  9:01       ` Ludovic Courtès
  0 siblings, 0 replies; 6+ messages in thread
From: Ludovic Courtès @ 2022-12-09  9:01 UTC (permalink / raw)
  To: pelzflorian (Florian Pelz); +Cc: 50892-done, Tobias Geerinckx-Rice, 59781-done

Hi,

"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>> If there are no objections I’d like to push to ‘master’ and
>> ‘version-1.4.0’ this modified version of your patch.
>
> Thank you two, this patch works (on 1.3.0 only ci.guix.gnu.org, on
> 1.4.0rc1 also bordeaux, except when I decline authorization).

Pushed to both branches.  Thanks to the two of you!

Ludo’.




^ permalink raw reply	[flat|nested] 6+ messages in thread

* [bug#50892] bug#59781: [version 1.4.0rc1] install.sh script should authorize bordeaux
       [not found]     ` <87ililzhx8.fsf@nckx>
@ 2022-12-09  9:09       ` Ludovic Courtès
  0 siblings, 0 replies; 6+ messages in thread
From: Ludovic Courtès @ 2022-12-09  9:09 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: 59781, 50892

[-- Attachment #1: Type: text/plain, Size: 394 bytes --]

Hi,

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

> (Ugh, this patch is so ugly, all to work around that triplication in
> ~/.config/guix/current/share/guix/*.pub…  Would it be OK for ‘guix
> archive --authorize’ to silently ignore duplicate keys?)

Oh, good point.  I guess we could change ‘public-keys->acl’ to
deduplicate entries.  Maybe something along these lines:


[-- Attachment #2: Type: text/x-patch, Size: 1240 bytes --]

diff --git a/guix/pki.scm b/guix/pki.scm
index 6326e065e9..c5b2fb9634 100644
--- a/guix/pki.scm
+++ b/guix/pki.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2016, 2022 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -21,6 +21,7 @@ (define-module (guix pki)
   #:use-module (gcrypt pk-crypto)
   #:use-module ((guix utils) #:select (with-atomic-file-output))
   #:use-module ((guix build utils) #:select (mkdir-p))
+  #:autoload   (srfi srfi-1) (delete-duplicates)
   #:use-module (ice-9 match)
   #:use-module (ice-9 rdelim)
   #:use-module (ice-9 binary-ports)
@@ -61,9 +62,10 @@ (define (public-keys->acl keys)
   ;; want to have name certificates and to use subject names instead of
   ;; complete keys.
   `(acl ,@(map (lambda (key)
-                 `(entry ,(canonical-sexp->sexp key)
+                 `(entry ,key
                          (tag (guix import))))
-               keys)))
+               (delete-duplicates
+                (map canonical-sexp->sexp keys)))))
 
 (define %acl-file
   (string-append %config-directory "/acl"))

[-- Attachment #3: Type: text/plain, Size: 21 bytes --]


WDYT?

Ludo’.

^ permalink raw reply related	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2022-12-09  9:11 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-09-29 15:43 [bug#50892] [PATCH] guix-install.sh: Authorize all project build farms at once Tobias Geerinckx-Rice via Guix-patches via
2021-09-29 16:49 ` Tobias Geerinckx-Rice via Guix-patches via
     [not found]   ` <87edtaf7sz.fsf_-_@gnu.org>
2022-12-08 21:27     ` pelzflorian (Florian Pelz)
2022-12-09  9:01       ` bug#50892: bug#59781: [version 1.4.0rc1] install.sh script should authorize bordeaux Ludovic Courtès
     [not found]     ` <87ililzhx8.fsf@nckx>
2022-12-09  9:09       ` [bug#50892] " Ludovic Courtès
2021-09-29 16:51 ` [bug#50892] [PATCH] guix-install.sh: Authorize all project build farms at once Maxim Cournoyer

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).