From: Chris Marusich <cmmarusich@gmail.com>
To: Lo Peter
Cc: help-guix <help-guix@gnu.org>
Subject: Re: Fwd: SSH in git-fetch
Date: Wed, 14 Jul 2021 02:18:10 -0700
In-Reply-To: (Lo Peter's message of "Wed, 14 Jul 2021 00:07:18 +0800")
Message-ID: <87zgupz225.fsf@gmail.com>

Hi Peter,

Lo Peter writes:

> Is it that git-fetch does not support fetching over SSH?

As Luis mentioned, for a package, if you use "git-checkout" as the origin and provide a Git SSH URL, it will work. I'm not sure if an equivalent exists for other transmission methods, but I doubt it (e.g., using Mercurial over SSH to check out a Mercurial repository, or using SFTP to fetch a release tarball over the SSH File Transfer Protocol).

For channels, it will work if you just provide a Git SSH URL in your channels.scm file. I tested this just now on my own machines, and it definitely works. However, since Guix uses libgit2 under the hood, rather than invoking the "ssh" command, as you noticed there may be subtle differences between how a vanilla "ssh" command works vs. how Guix will handle the SSH connection.

In any case, running an SSH agent might prove useful. In both the case of fetching a package via git-checkout and fetching a channel, Guix will attempt to fetch the repository "outside" the build environment, so if you are running an agent, it will try to use it. I'm not sure if Guix will honor your SSH config, though.

If you are not wedded to SSH, then another option that may be better for reproducibility is to use HTTPS with the user and password encoded in the URL. This is nice because it doesn't require a user to configure SSH correctly on their local machine or provision an authorized SSH key just to fetch the channel or the packages.
In some situations, embedding a user name and password in the URL in the package definition may be sufficient, but in other situations, it may not meet your security requirements (the URLs will wind up in the store and thus be visible to anyone else logged into the system); it's up to you to decide what's appropriate for your situation.

Leo Prikler writes:

> Yes, git-fetch does not support fetching over SSH. "Cannot run ssh" is
> the error returned because the ssh program is missing at fetch time,
> but even if it existed, you'd get a different error, namely one of
> lacking keys. You'd have to set up Guix to authenticate itself as you
> for pulling the source and while that is in theory possible, there is a
> potential security risk attached to most ways of solving it and no
> clear path forward.
>
> Furthermore, such a feature, were it integrated in Guix, is likely only
> to be used for nonfree software and thus located closely to such
> software itself.

It sounds like you're suggesting that Guix should avoid making it easy to integrate with existing access control mechanisms because access control is only useful for non-free software. I disagree with that.

Access control is useful, and it is often necessary for security or compliance reasons, even in the world of free software. The issue of controlling access to a particular repository of software is orthogonal to the question of whether that software is free software. It is common for someone to want to maintain a local copy of free software and also to control access to that copy. In many organizations, it is a hard requirement that all software is securely stored and can only be accessed by authorized entities. This is true regardless of whether the software is free software. It is also easy to imagine that some people or organizations might prefer or be required to develop all software, even free software, privately within their own secure network.

If Guix makes it difficult for developers to use it in an environment where access control is required, Guix is less likely to be used in those environments, and I think that would be a missed opportunity. I don't think it helps the free software movement to encourage the idea that access control is somehow antithetical to free software. It isn't. Even the FSF controls access to its software repositories via SSH. Savannah's projects may be available anonymously via FTP or other means, but the SSH URLs are only usable if you're an FSF associate member. Similarly, great free software like Kallithea exists, which is a tool for hosting source code repositories, restricting access to them, and making it easy to collaborate with others. There are many, many free software projects that integrate well with access control systems, and it does not mean they are somehow not good members of the free software community.

In short, the need for access control is not unusual, and it does not go against the spirit of free software. It should be easy to use Guix in environments where access control is required. I'm glad that channels and packages can be used over SSH and that we have a variety of options besides SSH for controlling access, too. However, SSH is a very common way to control access these days, and I think there are opportunities to improve that support in Guix.

>> I would like to prompt the use of Guix for per-project management in
>> my small team of data scientists, so we would need a private channel
>> for a few internal R packages. The above problem is a real blocker.
>> Any help is greatly appreciated.
>
> I don't think this has to necessarily be a blocker. You can point git-
> fetch to file:// URIs, so your channel could have file:///path/to/repo
> and it'd work under the assumption that your scientists run git pull on
> those repos frequently enough (you could automate that with a script,
> perhaps even one written in Guile/a handwritten Guix extension). If
> you have company/university intranet, you could also expose those
> internal packages over that on a well-known address, that's not
> reachable from outside.

These solutions can work, but because they require extra steps to implement, they are probably less attractive than using Git over SSH.

-- 
Chris
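The two SSH paths Chris names above, a channel entry in channels.scm and a package whose source is a git-checkout rather than a git-fetch origin, as an added illustration that is not code from the original message or from the Guix project. The host name, repository paths, commit hash, module name and package name are made up for the example; the record fields used (channel: name, url, branch; git-checkout: url, commit) are the ones Guix's (guix channels) and (guix git) modules define.

```scheme
;; Added example; not from the original message. Host, paths, commit and
;; package names below are hypothetical.

;;; --- ~/.config/guix/channels.scm ----------------------------------------
;; A private channel fetched over Git+SSH. Guix fetches channels with
;; libgit2 outside the build environment, so a running ssh-agent holding
;; the key is what makes this succeed; there is no "ssh" process involved.
(use-modules (guix channels))

(cons (channel
        (name 'internal-r-packages)
        (url "git@git.example.internal:data-science/guix-channel.git")
        (branch "main"))
      %default-channels)

;;; --- internal/packages/r-internal.scm (inside that channel) -------------
;; A package whose source is a git-checkout with an SSH URL. As with the
;; channel, the checkout happens outside the build environment, so the
;; agent is used here too. An HTTPS URL of the form
;; "https://user:password@git.example.internal/..." would also work, but
;; the URL ends up in the store, readable by every local user.
(define-module (internal packages r-internal)
  #:use-module (guix packages)
  #:use-module (guix git)
  #:use-module (guix build-system r)
  #:use-module ((guix licenses) #:prefix license:))

(define-public r-internal-tools
  (package
    (name "r-internal-tools")
    (version "0.1.0")
    (source (git-checkout
             (url "git@git.example.internal:data-science/r-internal-tools.git")
             ;; Pin a commit rather than a branch so builds are reproducible.
             (commit "0000000000000000000000000000000000000000")))  ; hypothetical
    (build-system r-build-system)
    (home-page "https://git.example.internal/data-science/r-internal-tools")
    (synopsis "Internal R helpers")
    (description "Internal R helper package whose source is fetched over SSH.")
    (license license:gpl3+)))
```

With the channel file in place, `guix pull` fetches the channel through the agent, and `guix build r-internal-tools` performs the SSH checkout before handing the tree to the build daemon. Because the key never leaves the user's agent, nothing in the store carries a credential, which is the property the HTTPS-with-password variant gives up.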