From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms8.migadu.com with LMTPS id yJA7OXffbWU+KQAAauVa8A:P1 (envelope-from ) for ; Mon, 04 Dec 2023 15:17:28 +0100 Received: from aspmx1.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id yJA7OXffbWU+KQAAauVa8A (envelope-from ) for ; Mon, 04 Dec 2023 15:17:28 +0100 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id AF8AC23C7A for ; Mon, 4 Dec 2023 15:17:27 +0100 (CET) Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gnu.org header.s=fencepost-gnu-org header.b=EewQNjCU; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=gnu.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1701699447; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=V6nlTNYxN3hPiUhWN2/GPo/z97In72ac+nfAFwYN5Ak=; b=CwVWcfvyP/cjKZ5b2xZuD8bjMlrz4PsMrQTFuywqY/BGqzVR1OhX2rvuDHC9f+GwTW6N+2 X3WjqGeR50WXccCzeAwDPOE6bI0poSct23KYOtX6iOsl/de/84QrXCzz8EyDqOVGiG8Wtk JCK61hVvg+R9UpshXaUYEKJlxV2fgxjpIfaqlj2webiGBztD3rER3OSeAXZgoYVpTPIKNJ hb5r3r40Z3mt614Df+o+jQkyOcfoO3b8zz8VMeIJb9pOyyqOhtmMyUkub1zHUH2sA8hddA 2YZS+GMO/3VCy9D5j3rcIBan7KcvfJUy+V2QjKpmjvJ1sSlRp+5cZL+OrsqNng== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gnu.org header.s=fencepost-gnu-org header.b=EewQNjCU; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=gnu.org ARC-Seal: i=1; s=key1; d=yhetil.org; t=1701699447; a=rsa-sha256; cv=none; b=AD2lL7mflEp5qAKF+czYur0GaX7MMEH3BlOS3VNxhOE0+I4jx7a+sFaqu93x86d3ULIOAU ff2qZzhQqUO7/CzCemZwORnvQYjAKPaBw4UCp3rWyzxLsWjaDEq3Zu3xEZSy0E6YDUnzKz lSuacq2NQznAiNe1P8a5rCnnljStEZhXrWzhR24eihITqwmkOct3fBm5Ag2qEI2F0WfuJL NzKXr7tfcdLULE4ci2o54Fdeou16W3oeN3lOe6rsncYRfwtf4R1gaGt11hzoNakSlCPP// dqIMOXRx5ZmYpqGqx9ltT4Avvp0OY5Q3Cb2bJBGKAGgdhaQypoFYMXPHF7prgw== Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rA9kn-0006gs-DL; Mon, 04 Dec 2023 09:16:57 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rA9kl-0006eG-VU for guix-patches@gnu.org; Mon, 04 Dec 2023 09:16:56 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1rA9kl-0007XT-Jr; Mon, 04 Dec 2023 09:16:55 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1rA9ku-0007gm-39; Mon, 04 Dec 2023 09:17:04 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#67072] [PATCH v2 4/4] weather: Report unauthorized substitute servers. Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix@cbaines.net, dev@jpoiret.xyz, ludo@gnu.org, othacehe@gnu.org, rekado@elephly.net, zimon.toutoune@gmail.com, me@tobias.gr, guix-patches@gnu.org Resent-Date: Mon, 04 Dec 2023 14:17:04 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 67072 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 67072@debbugs.gnu.org Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= , Christopher Baines , Josselin Poiret , Ludovic =?UTF-8?Q?Court=C3=A8s?= , Mathieu Othacehe , Ricardo Wurmus , Simon Tournier , Tobias Geerinckx-Rice X-Debbugs-Original-Xcc: Christopher Baines , Josselin Poiret , Ludovic =?UTF-8?Q?Court=C3=A8s?= , Mathieu Othacehe , Ricardo Wurmus , Simon Tournier , Tobias Geerinckx-Rice Received: via spool by 67072-submit@debbugs.gnu.org id=B67072.170169941329501 (code B ref 67072); Mon, 04 Dec 2023 14:17:04 +0000 Received: (at 67072) by debbugs.gnu.org; 4 Dec 2023 14:16:53 +0000 Received: from localhost ([127.0.0.1]:33768 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rA9kj-0007fk-4W for submit@debbugs.gnu.org; Mon, 04 Dec 2023 09:16:53 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:52206) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rA9kT-0007eb-2O for 67072@debbugs.gnu.org; Mon, 04 Dec 2023 09:16:52 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rA9kD-0007Td-6T; Mon, 04 Dec 2023 09:16:21 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=V6nlTNYxN3hPiUhWN2/GPo/z97In72ac+nfAFwYN5Ak=; b=EewQNjCUvGEBD4K7zzxu gqAMWT2AGFCPTJfAXocBSmdTtQQMb62eDSYje7Bos0/4W6Su4m3PtZd1tOqx1pQh2gZOGbjbAUQfN SRrWuagPb7c17NzEsJlJTpC/A1v1ObGvTzzrAuJ8T8PYCIa9sfI8CB3FwRBND2fWZE3a1jcF0XfIU flWt35xepNj8ydGATX29ezsA5ZzkzhESU4lM9JvYRfYp13+AEEuT0TnymPFq0p2BwqfC5u0eDN0FM v0j/Wkc2yhbtqVSGa/wos8styP3XsWrgSgynBZXDh37La+r1dmJfbmMLM4h49D6wHkuDDbq0km/py IfdNFsXiDfz4Bg==; From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Mon, 4 Dec 2023 15:15:45 +0100 Message-ID: <00a2a9b80cad49f9809c0c339349573bdf7d1b9c.1701699075.git.ludo@gnu.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <875y1gj47u.fsf@gnu.org> References: <875y1gj47u.fsf@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Queue-Id: AF8AC23C7A X-Spam-Score: -4.34 X-Migadu-Scanner: mx10.migadu.com X-Migadu-Spam-Score: -4.34 X-TUID: 5nOUWL6D/Wnz The goal is to make it easier to diagnose substitute misconfiguration (where we’re passing a substitute URL whose corresponding key is not authorized). Suggested by Emmanuel Agullo. * guix/scripts/weather.scm (check-narinfo-authorization): New procedure. (report-server-coverage): Use it. * doc/guix.texi (Invoking guix weather): Document it. (Getting Substitutes from Other Servers): Add “Troubleshooting” frame. Change-Id: I0a049c39eefb10d6a06634c8b16aa86902769791 --- doc/guix.texi | 21 +++++++++++++++- guix/scripts/weather.scm | 53 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 71 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 74739c5392..f1780df5a1 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -4058,6 +4058,7 @@ Substitute Server Authorization @node Getting Substitutes from Other Servers @subsection Getting Substitutes from Other Servers +@c Note: This section name appears in a hint printed by 'guix weather'. @cindex substitute servers, adding more Guix can look up and fetch substitutes from several servers. This is @@ -4157,6 +4158,21 @@ Getting Substitutes from Other Servers substitute lookup can be slowed down if too many servers need to be contacted. +@quotation Troubleshooting +To diagnose problems, you can run @command{guix weather}. For example, +running: + +@example +guix weather coreutils +@end example + +@noindent +not only tells you which of the currently-configured servers has +substitutes for the @code{coreutils} package, it also reports whether +one of these servers is unauthorized. @xref{Invoking guix weather}, for +more information. +@end quotation + Note that there are also situations where one may want to add the URL of a substitute server @emph{without} authorizing its key. @xref{Substitute Authentication}, to understand this fine point. @@ -16437,7 +16453,10 @@ Invoking guix weather specified servers so you can have an idea of whether you'll be grumpy today. It can sometimes be useful info as a user, but it is primarily useful to people running @command{guix publish} (@pxref{Invoking guix -publish}). +publish}). Sometimes substitutes @emph{are} available but they are not +authorized on your system; @command{guix weather} reports it so you can +authorize them if you want (@pxref{Getting Substitutes from Other +Servers}). @cindex statistics, for substitutes @cindex availability of substitutes diff --git a/guix/scripts/weather.scm b/guix/scripts/weather.scm index 7e302fcea7..2f8985593d 100644 --- a/guix/scripts/weather.scm +++ b/guix/scripts/weather.scm @@ -35,6 +35,8 @@ (define-module (guix scripts weather) #:use-module ((guix build utils) #:select (every*)) #:use-module (guix substitutes) #:use-module (guix narinfo) + #:use-module (guix pki) + #:autoload (gcrypt pk-crypto) (canonical-sexp->string) #:use-module (guix http-client) #:use-module (guix ci) #:use-module (guix sets) @@ -185,6 +187,44 @@ (define (store-item-system store item) (() #f))) +(define (check-narinfo-authorization narinfo) + "Print a warning when NARINFO is not signed by an authorized key." + (define acl + (catch 'system-error + (lambda () + (current-acl)) + (lambda args + (warning (G_ "could not read '~a': ~a~%") + %acl-file (strerror (system-error-errno args))) + (warning (G_ "'~a' is unreadable, cannot determine whether \ +substitutes are authorized~%") + %acl-file) + #f))) + + (unless (or (not acl) (valid-narinfo? narinfo acl)) + (warning (G_ "substitutes from '~a' are unauthorized~%") + (narinfo-uri-base narinfo)) + ;; The "all substitutes" below reflects the fact that, in reality, it *is* + ;; possible to download "unauthorized" substitutes, as long as they match + ;; authorized substitutes. + (display-hint (G_ "To authorize all substitutes from @uref{~a} to be +downloaded, the following command needs to be run as root: + +@example +guix archive --authorize <string + (signature-subject (narinfo-signature narinfo)))))) + (define* (report-server-coverage server items #:key display-missing?) "Report the subset of ITEMS available as substitutes on SERVER. @@ -204,6 +244,12 @@ (define* (report-server-coverage server items #:make-progress-reporter (lambda* (total #:key url #:allow-other-keys) (progress-reporter/bar total))))) + (match narinfos + (() #f) + ((narinfo . _) + ;; Help diagnose missing substitute authorizations. + (check-narinfo-authorization narinfo))) + (let ((obtained (length narinfos)) (requested (length items)) (missing (lset-difference string=? @@ -586,8 +632,11 @@ (define-command (guix-weather . args) (with-store store (substitute-urls store)) (begin - (warning (G_ "could not determine current \ -substitute URLs; using defaults~%")) + ;; Could not determine the daemon's current + ;; substitute URLs, presumably because it's too + ;; old. + (warning (G_ "using default \ +substitute URLs~%")) %default-substitute-urls))) (systems (match (filter-map (match-lambda (('system . system) system) -- 2.41.0