* wip-signed-archives progress report @ 2014-03-26 23:02 Ludovic Courtès 2014-03-27 16:16 ` Nikita Karetnikov 2014-03-30 21:54 ` Support for signed substitutes pushed Ludovic Courtès 0 siblings, 2 replies; 10+ messages in thread From: Ludovic Courtès @ 2014-03-26 23:02 UTC (permalink / raw) To: guix-devel hydra.gnu.org now signs binaries. More precisely, it signs the meta-data of binaries, aka. “narinfos”: --8<---------------cut here---------------start------------->8--- $ wget -q -O - http://hydra.gnu.org/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk.narinfo StorePath: /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 URL: nar/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 Compression: bzip2 NarHash: sha256:02xnn63ib2zs0k2dvkk9f6k7d4g1s6pm1ryjlzg3h98b88bch7n9 NarSize: 100956560 References: 1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 250yb9lr5018sc1092xb0fikarqsh55r-findutils-4.4.2 2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d 34lb360x0m8ilmqlzmvk1s2rgm416l5s-gdk-pixbuf-2.28.2 394ijzg3g53i77q9400j22w1wamcjkxs-xz-5.0.4 3b0179h37dd19xc1k73cy8s75ja4pmba-grep-2.18 3j9cmj0l4g37gi804y8yvnig0yqgm2xg-gzip-1.6 499l505sasqwxcimsvf7h6if2bnyq785-cairo-1.12.16 6ax9s08vya8dsfda8yr0swk5g3f0b189-atk-2.10.0 6z7k9ms4sf367c3phl7djhb740ly3dqi-gcc-4.8.2 7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7 8f15savrvf13z1z9hi5cb5l6akdx4gzr-zlib-1.2.7 91l8glwrsv0cdc53viq4i0x0x7qjrbgj-make-4.0 a9pdkvz3xiyp01xl8gcl1y6mjij0h86k-pkg-config-0.27.1 cvc6x0brfnrxsrk2f48c6dhh4brf05d9-coreutils-8.22 d12n5r59rhvc2b86agsp2gzsad41gr3p-pango-1.34.1 fkmxw4d9xrabvpg3mv2l529cw7gw27n5-libtasn1-3.4 hf5kklv837xbfcv6gc7gpsj36l69j3sj-glibc-2.19 hg75n2sbpmwnxw4v4bvn1i304r5s3dfh-libtiff-4.0.3 imc4v341rb93k8rialj5baxzdh63w2xr-nettle-2.7.1 j96wdn8q41jd62n6p6viv2wl9l2100b3-gtk+-2.24.21 jm0qk1n234f7l8s8zp8fpa13m8w91ikv-diffutils-3.3 lxszay94rraffzfjmzlvpa5z02h9xlfz-gnutls-3.2.12 m56m1y8inkplafq2859vaflwrwa0c3jf-which-2.20 malv41q53gmwvrzm6mfpv7g4s95rzxik-libsm-1.2.1 n1chwrwzq94120d3zfcyd9yr11r0jbsb-sed-4.2.2 naxqxdf7f6lfpy4h481h8j8hs2r44v09-libpng-1.5.17 nsv3rg9i3rn29j1nk4lr26pxazpmd75g-tar-1.27.1 nw5y8klybqh3wn0xc66b1dfjafs5hybv-freetype-2.4.11 plw2fk911b33n75ylmrqkfwkhwg75ydv-binutils-2.24 pvvizw77i06pjq7kv1iz57kl68xd7bnr-libxpm-3.5.10 q6v9b91x3hcikmnf6s3vhjzpjdrkdp6y-texinfo-5.2 qca6ipcph0rx8fsmcbib1qphqgv2rhl0-libxft-2.3.1 qfvvhq9m6jfsn7k9a4rzik3p6hmdq397-libx11-1.5.0 r26x0ibxcg8h71j01dcyc27lpa7kc87f-patch-2.7.1 rrbw3d1dl4njp2nnb84x8mlnmhdcvfxp-libxml2-2.9.0 sw5gnvc1q14pyiw5d7xc47xcy942gsf5-gawk-4.1.0 v5wr09jhn17ami1k844r6y6n3sy6y0kr-fontconfig-2.10.93 vkgwsi1vi2k91y22clf42z2qxydyxfbb-bzip2-1.0.6 vw8ipma5jgy2a5nczwh9bxsc99w67yy5-glib-2.39.1 wfppwmx7lsqm0hpachkzs90m0c1zqxiv-ld-wrapper-0 wfrjbxjapgqb9pqnwck35r8kb9gj435i-harfbuzz-0.9.22 xa3hd1y4yx0z18ya3zk2p6zlc0f2hr3g-libice-1.0.8 xhd2xdv16b64ajkdd7pbkklrq5fmn28i-bash-4.3 yagg8zjdz367qiwspm8ssgny47inrn8f-alsa-lib-1.0.27.1 yxaqk5vj602m6waasvrg30hm09ln501w-giflib-4.2.3 zjwc4x53rpim4j3hmspzpv0k3n4kgv0n-dbus-1.6.4 zysrgzapv5vzjqrbcz2y3ksi9w651876-ncurses-5.9 Deriver: 2nbrvsf3g3xl3bwh3cfvb2rvwsc8n0kn-emacs-24.3.drv System: x86_64-linux Signature: 1;hydra.gnu.org;KHNpZ25hdHVyZSAKIChkYXRhIAogIChmbGFncyBwa2NzMSkKICAoaGFzaCBzaGEyNTYgI0EzM0UxOEI2QUU3QTZFNjEwN0I0MDQ2NjMxQkNGOTFBM0EwNTQwMTlEQTA1NkI0NjA5MDg0QThDNTlBRjA1RjMjKQogICkKIChzaWctdmFsIAogIChyc2EgCiAgIChzICM2NzgzMjA2MzBBRTA3QkM2M0ZBRTQ5MkY2QkI0OEJGMTBBMDAwNThGRTY1OTE2NDgzQjZFNERBRDk2NTlBQzY0OTRFMjVCQzlEMUIwMTMzN0QxMEFDRTRFNDYyODI3OEI0ODVFMDM2NkU4Mzc3MzE3QUM4M0ZGQkQ5NkU2MDJCRUZBOENBQTk4QzlBRDJCRTJDRjJCRjQ4QzYzQUVFNTFBNDNGMkJBM0ZGNjI0NTc0NTU0NjJGNjY1Mjg2OTBBRkU3ODJCMEJBNjdDMjgxMkU5MjZGNzNCOEZEMzQyQTZDMzgyNEZCNkFBQTBCQTk2RjhCM0FENjgzREQzOUU3ODNDQzI0MzQ2NjBGNjRFQTU5OUU4QkEwNkREMTczM0RFQjc0QjM2OEUzMTIwMkI0NjZBOUEzOTc1ODM4Q0MzNjFDODlBMkQ0MzEzMzlDMjkxRkM3Q0JBQzUzMDM4Qjg0MTE1MjZCMjU1NjE4MTBCQTEzRkJGMERERUFDM0E3MDJFOURCNTFENDQyNTQ1QjIzOTAxMzA4QjdBRjk2QUY3MTdBRTNGODBBNTk1MzNFMUJENUU2QTZBNzQ0NDJDRkIwNzFENTM2RDYyODhDMkRCRURBNTlCOTEwMjVFRTRFMENERDU1NTEwOUIxM0YwQzhBRUY4MkNCOTZBRDlEMkYzRjhFRjU4QzYxQUEwNzg0OUVEMkFEMDE2QkZCMjU0RDdDQTlEMTY2NkJFMDE3M0E0QzI4NkEyOTdEM0ZFQ0MyNjdGMTUxQTdFMEREN0FDRjc3MDg1MjRFODk3NzgxMjU5Qzc5MUYyQjExNURBNUNEMjU3RjE2QzJCREQwRDIyOUY2RDA4QkY0RjNCQjUzQjM2QjU5MjAzQzIxODkyQ0FCOUI2MUZGRkVEREE1QjY3MEI0MDY5OTYxNzQ5Rjg2QUVGQzMzMjQ5RUQzNDQ3MjVGRDkyRkI0NzI1MzgxQkRFM0VENjIwQ0IwNDRGQjMyMjVGMkU3Q0I4ODdGNjVFRTgyMkNGNTg4ODMwMkRCMUY2RkNERTVCQkYxMzAxNTczRTU0MTZCM0E3Q0FDODYyMkE2OUUwNTk5QjAyRDhBQUQwNDc1NENBMjcxOTdCMjkzNjIzMTVCNTQ2RTg4NzhFRDc2REZBOTAyN0RGQjc0MkEzMDVBRkUwQjNDRTBGRjNCNEE3MUI1NTU5ODIwMjM2OUFFMDY2MEZDNTU0QjYzQ0ZFQjRFRUU4MkU4RjZCMTFERDU5NUY3Rjg0NDI1RUExRkYyNjU5Q0EyMkE3QUMzNDBCQTZGNjNDNzU2QzdCRUU4NTlCQzlDQTQ0RDk3OTc1QzYwMkMwRjk4MTRDMUQ2QzczMDg3ODZEIykKICAgKQogICkKIChwdWJsaWMta2V5IAogIChyc2EgCiAgIChuICMwMERCMTYzNEUzRDlERkFDOTdBRTQ3MzREQUU5NjhDQ0IxNUVFNDgxNUM4MkJEQzI1NDg4M0RCQjQ5RkUxRUYzMjI2OEU4MkQ0QkJFMEUzNTI5OEM0ODFDOURBMTU1MTY0MkZBRkYwNUFFQzFBNjA3MTJGMUJCNEJFN0QyNUQ3RUZGN0E0Rjg5NzA0QTVBOUFDMjMyODcwQ0I5RjI0NzZDM0I1MzhBMEU5OTBBODgyNURFQjczMDgxRDMxNzAwMUZCOEExODg2MDBGMkZFRjVGNUY1NzBFODU3RjNFRTQzNTUwNzdBM0MzOTE4RUQ3MjcyM0E1NkJBNTVDNDY2RDQwMDY1ODk3NEQ3REFEMUY2QjdCNjNDMTkyQjlDMjcwNEQ5OEJCRkYxQzNCRDVCOEVGMTFBOEFEQzgzQUNCOEZEOEU5RjFFNzkyRkRBRDI2MjQxNUQxM0YyREVFNTVGMzMwOTA4Q0ZEQTlDM0M4QzMyQjY0RjdERDA4ODQ1N0QzNEY0NDVFMkUyQzgzQzZENjgwNTQ5REM5QjZFNjU3M0I4OTQ5NjU2NzIwNEVEMjg1RTY3QTI3OUYyRjY2NzA4MEJBOTQxRDgwRDAxNUNFODdCMEZCNkE5MUE5OUNFQ0M3RDkxRDJEMjEwQjAwRTRCNkU2MTFEQTUxREIwMDhGMURGRTNGQ0FDNkIyNzM5M0ZBNzgxRDQ1RjlBMTVGQzdCODc4NUEzRTg2QkE2NTkyQjI5MTZDQTIyQ0YxRTQwRkM4NUY4NUNBQ0E1OTA0NjExNTRGNThGMzU4MEIxNjM5ODkwOEVGMzIwNzZGNDExMjk5QzI4NzI3Qzk0RDg4QjZBNjE4Rjg0REQ3M0FFQkVEODI3MEJDQjY2OTA5MjhDQjFCRjI1MEMzNUUxRjZCRjNCMUIzMEQwNUJBMjQ2RUNFOEY2OUQ5MDY1REUyNkY0QjNFMEQ4MTRENzBBOUMyN0NCNUI3QjA1MEM5MDkwNTkwRDNBOUVGODMzNzRGMjY0M0U1NDQ2RkJEMzlEREIxMjREQkY2REZEQUE2RDE4RTI1NjBBRDBDQkZBMTFDOTU5QzlCNzMxNkJGMTk5NjNBMTkxOTY3MDU0RTlGRDk3REMxNEQ3MTA4MkIzMEIxQzkwQTQ2RTg5OTY2ODI0NzRDM0JDQjUxQkEwODgyOTU4ODk3QjZERDM1RTQxQjUxNzREMEE2QkNERTk3Qjg5MDQzRTk1QkQxQjcwREU2MURBNjY2ODkzQjQxNzE5NkExODAwMDU0NjZCQzNBNzQyRkRGMDRFODlCMDQ0NjBFM0U2QkM3MkU3RjFCNUZFQTVCMzA5MkZFRTU1MUEzQzQ0N0MxMkUxMDRFNjUjKQogICAoZSAjMDEwMDAxIykKICAgKQogICkKICkK --8<---------------cut here---------------end--------------->8--- The Signature line above is a base64-encoded canonical sexp signature (as for ‘guix archive’.) With Hydra now ready, I’ve done some testing with Nikita’s cool work on adding support for authentication/authorization of signed binaries. Here’s a sample session, using the internal interface to ‘guix substitute-binary’, with wip-signed-archives: --8<---------------cut here---------------start------------->8--- $ echo "have /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3" | sudo ./pre-inst-env guix substitute-binary --query $ sudo ./pre-inst-env guix substitute-binary --substitute /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 foo guix substitute-binary: error: unauthorized public key $ cat hydra-key.pub | sudo guix archive --authorize $ echo "have /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3" | sudo ./pre-inst-env guix substitute-binary --query /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 --8<---------------cut here---------------end--------------->8--- What we see here is that ‘has-substitutes?’ requests simply return #f if a substitute is available but is invalid (lacks a signature, or has a wrong signature, or is signed by an unauthorized key.) ‘--substitute’ requests error out when that happens. Nikita: comments welcome on the two commits I just pushed in wip-signed-archives. I’ll try to add tests for that, but overall, it seems to be getting into shape! Thanks, Ludo’. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: wip-signed-archives progress report 2014-03-26 23:02 wip-signed-archives progress report Ludovic Courtès @ 2014-03-27 16:16 ` Nikita Karetnikov 2014-03-27 23:34 ` Ludovic Courtès 2014-03-30 21:54 ` Support for signed substitutes pushed Ludovic Courtès 1 sibling, 1 reply; 10+ messages in thread From: Nikita Karetnikov @ 2014-03-27 16:16 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 259 bytes --] > Nikita: comments welcome on the two commits I just pushed in > wip-signed-archives. Thanks for working on it. One question: in the past, you told me to avoid ‘false-if-exception’. If it’s an issue here, can we replace it with something else? [-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: wip-signed-archives progress report 2014-03-27 16:16 ` Nikita Karetnikov @ 2014-03-27 23:34 ` Ludovic Courtès 0 siblings, 0 replies; 10+ messages in thread From: Ludovic Courtès @ 2014-03-27 23:34 UTC (permalink / raw) To: Nikita Karetnikov; +Cc: guix-devel Nikita Karetnikov <nikita@karetnikov.org> skribis: >> Nikita: comments welcome on the two commits I just pushed in >> wip-signed-archives. > > Thanks for working on it. One question: in the past, you told me to > avoid ‘false-if-exception’. If it’s an issue here, can we replace it > with something else? What did I say? :-) (We have a saying in French: “do what I say, not what I do”. ;-)) I used it in two places: (false-if-exception (and=> signature narinfo-signature->canonical-sexp)) and: (define (valid-narinfo? narinfo) "Return #t if NARINFO's signature is not valid." (false-if-exception (begin (assert-valid-narinfo narinfo) #t))) ‘false-if-exception’ should indeed be used with care, because it hides every error (including unbound var errors and such!), so it could be hiding errors that really ought to be reported. In the above cases I considered it OK, because the set of exceptions that can possibly be raised is limited, and because the outcome of ‘false-if-exception’ is conservative (that is, at worst all narinfos will be treated as if they were unsigned or invalid.) Does it makes sense? Ludo’. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Support for signed substitutes pushed 2014-03-26 23:02 wip-signed-archives progress report Ludovic Courtès 2014-03-27 16:16 ` Nikita Karetnikov @ 2014-03-30 21:54 ` Ludovic Courtès 2014-03-31 18:24 ` Alex Sassmannshausen ` (2 more replies) 1 sibling, 3 replies; 10+ messages in thread From: Ludovic Courtès @ 2014-03-30 21:54 UTC (permalink / raw) To: guix-devel [-- Attachment #1: Type: text/plain, Size: 6214 bytes --] I just pushed support for signed substitutes (which is wip-signed-archives plus many tests, documentation, and some improvements) in ‘master’. From now on, ‘guix substitute-binary’ automatically authenticates substitutes, and ignores those not signed by an authorized public key. By default, no key is authorized. On my machine, ‘guix build emacs n’ with 40 substitutes needed takes ~4.8 seconds instead of ~3.5 seconds before (wall clock.) There’s probably room for improvement, but there’s also the fact that it has to check all these signatures. Please run ‘make check’, try it, and report any problems. Note that commit bf59c06 adds the public key used to sign substitutes from hydra.gnu.org. This commit is GPG-signed by me, like this message. It’s a 4096-bit RSA key (RSA, not Curve25519, so that users of libgcrypt < 1.6 can use it too): (public-key (rsa (n #00DB1634E3D9DFAC97AE4734DAE968CCB15EE4815C82BDC254883DBB49FE1EF32268E82D4BBE0E35298C481C9DA1551642FAFF05AEC1A60712F1BB4BE7D25D7EFF7A4F89704A5A9AC232870CB9F2476C3B538A0E990A8825DEB73081D317001FB8A188600F2FEF5F5F570E857F3EE4355077A3C3918ED72723A56BA55C466D400658974D7DAD1F6B7B63C192B9C2704D98BBFF1C3BD5B8EF11A8ADC83ACB8FD8E9F1E792FDAD262415D13F2DEE55F330908CFDA9C3C8C32B64F7DD088457D34F445E2E2C83C6D680549DC9B6E6573B89496567204ED285E67A279F2F667080BA941D80D015CE87B0FB6A91A99CECC7D91D2D210B00E4B6E611DA51DB008F1DFE3FCAC6B27393FA781D45F9A15FC7B8785A3E86BA6592B2916CA22CF1E40FC85F85CACA590461154F58F3580B16398908EF32076F411299C28727C94D88B6A618F84DD73AEBED8270BCB6690928CB1BF250C35E1F6BF3B1B30D05BA246ECE8F69D9065DE26F4B3E0D814D70A9C27CB5B7B050C9090590D3A9EF83374F2643E5446FBD39DDB124DBF6DFDAA6D18E2560AD0CBFA11C959C9B7316BF19963A191967054E9FD97DC14D71082B30B1C90A46E8996682474C3BCB51BA0882958897B6DD35E41B5174D0A6BCDE97B89043E95BD1B70DE61DA666893B417196A180005466BC3A742FDF04E89B04460E3E6BC72E7F1B5FEA5B3092FEE551A3C447C12E104E65#) (e #010001#) ) ) I would very much welcome review and feedback. The documentation (appended below) and tests provide a good starting point. Thanks again to Nikita for all the good work! Ludo’. 3.3 Substitutes =============== Guix supports transparent source/binary deployment, which means that it can either build things locally, or download pre-built items from a server. We call these pre-built items "substitutes"—they are substitutes for local build results. In many cases, downloading a substitute is much faster than building things locally. Substitutes can be anything resulting from a derivation build (*note Derivations::). Of course, in the common case, they are pre-built package binaries, but source tarballs, for instance, which also result From derivation builds, can be available as substitutes. The ‘hydra.gnu.org’ server is a front-end to a build farm that builds packages from the GNU distribution continuously for some architectures, and makes them available as substitutes. To allow Guix to download substitutes from ‘hydra.gnu.org’, you must add its public key to the access control list (ACL) of archive imports, using the ‘guix archive’ command (*note Invoking guix archive::). Doing so implies that you trust ‘hydra.gnu.org’ to not be compromised and to serve genuine substitutes. This public key is installed along with Guix, in ‘PREFIX/share/guix/hydra.gnu.org.pub’, where PREFIX is the installation prefix of Guix. If you installed Guix from source, make sure you checked the GPG signature of ‘guix-0.6.tar.gz’, which contains this public key file. Then, you can run something like this: # guix archive --authorize < hydra.gnu.org.pub Once this is in place, the output of a command like ‘guix build’ should change from something like: $ guix build emacs --dry-run The following derivations would be built: /gnu/store/yr7bnx8xwcayd6j95r2clmkdl1qh688w-emacs-24.3.drv /gnu/store/x8qsh1hlhgjx6cwsjyvybnfv2i37z23w-dbus-1.6.4.tar.gz.drv /gnu/store/1ixwp12fl950d15h2cj11c73733jay0z-alsa-lib-1.0.27.1.tar.bz2.drv /gnu/store/nlma1pw0p603fpfiqy7kn4zm105r5dmw-util-linux-2.21.drv … to something like: $ guix build emacs --dry-run The following files would be downloaded: /gnu/store/pk3n22lbq6ydamyymqkkz7i69wiwjiwi-emacs-24.3 /gnu/store/2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d /gnu/store/71yz6lgx4dazma9dwn2mcjxaah9w77jq-cairo-1.12.16 /gnu/store/7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7 … This indicates that substitutes from ‘hydra.gnu.org’ are usable and will be downloaded, when possible, for future builds. Guix ignores substitutes that are not signed, or that are not signed by one of the keys listed in the ACL. It also detects and raise an error when attempting to use a substitute that has been tampered with. The substitute mechanism can be disabled globally by running ‘guix-daemon’ with ‘--no-substitutes’ (*note Invoking guix-daemon::). It can also be disabled temporarily by passing the ‘--no-substitutes’ option to ‘guix package’, ‘guix build’, and other command-line tools. Today, each individual’s control over their own computing is at the mercy of institutions, corporations, and groups with enough power and determination to subvert the computing infrastructure and exploit its weaknesses. While using ‘hydra.gnu.org’ substitutes can be convenient, we encourage users to also build on their own, or even run their own build farm, such that ‘hydra.gnu.org’ is less of an interesting target. Guix has the foundations to maximize build reproducibility (*note Features::). In most cases, independent builds of a given package or derivation should yield bit-identical results. Thus, through a diverse set of independent package builds, we can strengthen the integrity of our systems. In the future, we want Guix to have support to publish and retrieve binaries to/from other users, in a peer-to-peer fashion. If you would like to discuss this project, join us on <guix-devel@gnu.org>. [-- Attachment #2: Type: application/pgp-signature, Size: 197 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Support for signed substitutes pushed 2014-03-30 21:54 ` Support for signed substitutes pushed Ludovic Courtès @ 2014-03-31 18:24 ` Alex Sassmannshausen 2014-03-31 20:00 ` Ludovic Courtès 2014-04-01 22:01 ` Ludovic Courtès 2014-04-03 17:21 ` Andreas Enge 2 siblings, 1 reply; 10+ messages in thread From: Alex Sassmannshausen @ 2014-03-31 18:24 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 732 bytes --] Hello, I ran into some problems setting up substitution: when running # guix archive --authorize < hydra.gnu.org.pub guix persistently returned guix archive: error: No such file or directory I was finally able to resolve this problem by # mkdir /usr/local/etc/guix In config.scm %config-directory is either $NIX_CONF_DIR or /usr/local/etc/guix. This is used as the directory for the acl file. I imagine that directory is set during ./configure. Maybe this directory should be created if necessary? Other than that, everything now seems to be working as suggested by the instructions so congrats to you and Nikita for your hard work! Please find a tiny patch attached fixing a typo in the documentation. Best wishes, Alex [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: Typo fix --] [-- Type: text/x-diff, Size: 954 bytes --] From 99fb1eed13590ac070a86b22444d7b040c2e7276 Mon Sep 17 00:00:00 2001 From: Alex Sassmannshausen <alex.sassmannshausen@gmail.com> Date: Mon, 31 Mar 2014 20:08:26 +0200 Subject: [PATCH] doc: fix typo. * doc/guix.texi (Substitutes): add a missing 's'. --- doc/guix.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index 5bd7dbd..3d76f48 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -979,7 +979,7 @@ This indicates that substitutes from @code{hydra.gnu.org} are usable and will be downloaded, when possible, for future builds. Guix ignores substitutes that are not signed, or that are not signed by -one of the keys listed in the ACL. It also detects and raise an error +one of the keys listed in the ACL. It also detects and raises an error when attempting to use a substitute that has been tampered with. The substitute mechanism can be disabled globally by running -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: Support for signed substitutes pushed 2014-03-31 18:24 ` Alex Sassmannshausen @ 2014-03-31 20:00 ` Ludovic Courtès 0 siblings, 0 replies; 10+ messages in thread From: Ludovic Courtès @ 2014-03-31 20:00 UTC (permalink / raw) To: Alex Sassmannshausen; +Cc: guix-devel Alex Sassmannshausen <alex.sassmannshausen@gmail.com> skribis: > I ran into some problems setting up substitution: when running > # guix archive --authorize < hydra.gnu.org.pub > guix persistently returned > guix archive: error: No such file or directory > > I was finally able to resolve this problem by > # mkdir /usr/local/etc/guix > > In config.scm %config-directory is either $NIX_CONF_DIR or > /usr/local/etc/guix. This is used as the directory for the acl file. > > I imagine that directory is set during ./configure. Maybe this directory > should be created if necessary? Indeed. Commit de28fef should fix this. > Other than that, everything now seems to be working as suggested by the > instructions so congrats to you and Nikita for your hard work! Thanks for testing! :-) > Please find a tiny patch attached fixing a typo in the documentation. Applied. Ludo’. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Support for signed substitutes pushed 2014-03-30 21:54 ` Support for signed substitutes pushed Ludovic Courtès 2014-03-31 18:24 ` Alex Sassmannshausen @ 2014-04-01 22:01 ` Ludovic Courtès 2014-04-03 17:21 ` Andreas Enge 2 siblings, 0 replies; 10+ messages in thread From: Ludovic Courtès @ 2014-04-01 22:01 UTC (permalink / raw) To: guix-devel ludo@gnu.org (Ludovic Courtès) skribis: > On my machine, ‘guix build emacs n’ with 40 substitutes needed takes > ~4.8 seconds instead of ~3.5 seconds before (wall clock.) This is down to ~3.8 seconds with today’s commits. Ludo’. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Support for signed substitutes pushed 2014-03-30 21:54 ` Support for signed substitutes pushed Ludovic Courtès 2014-03-31 18:24 ` Alex Sassmannshausen 2014-04-01 22:01 ` Ludovic Courtès @ 2014-04-03 17:21 ` Andreas Enge 2014-04-03 19:48 ` Ludovic Courtès 2 siblings, 1 reply; 10+ messages in thread From: Andreas Enge @ 2014-04-03 17:21 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel Excellent work, thank you! On Sun, Mar 30, 2014 at 11:54:10PM +0200, Ludovic Courtès wrote: > Please run ‘make check’, try it, and report any problems. Note that > commit bf59c06 adds the public key used to sign substitutes from > hydra.gnu.org. This commit is GPG-signed by me, like this message. > It’s a 4096-bit RSA key (RSA, not Curve25519, so that users of > libgcrypt < 1.6 can use it too): Are we limited to exactly one signature, or could hydra.gnu.org sign with two keys, a legacy and a modern one? Andreas ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Support for signed substitutes pushed 2014-04-03 17:21 ` Andreas Enge @ 2014-04-03 19:48 ` Ludovic Courtès 2014-04-03 20:45 ` Andreas Enge 0 siblings, 1 reply; 10+ messages in thread From: Ludovic Courtès @ 2014-04-03 19:48 UTC (permalink / raw) To: Andreas Enge; +Cc: guix-devel Andreas Enge <andreas@enge.fr> skribis: > Excellent work, thank you! You’re welcome. :-) Does it work for you? > On Sun, Mar 30, 2014 at 11:54:10PM +0200, Ludovic Courtès wrote: >> Please run ‘make check’, try it, and report any problems. Note that >> commit bf59c06 adds the public key used to sign substitutes from >> hydra.gnu.org. This commit is GPG-signed by me, like this message. >> It’s a 4096-bit RSA key (RSA, not Curve25519, so that users of >> libgcrypt < 1.6 can use it too): > > Are we limited to exactly one signature, or could hydra.gnu.org sign with > two keys, a legacy and a modern one? It can only sign with one key. Eventually we can start requiring libgcrypt 1.6, but I felt it’s too early for that. Ludo’. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Support for signed substitutes pushed 2014-04-03 19:48 ` Ludovic Courtès @ 2014-04-03 20:45 ` Andreas Enge 0 siblings, 0 replies; 10+ messages in thread From: Andreas Enge @ 2014-04-03 20:45 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel On Thu, Apr 03, 2014 at 09:48:55PM +0200, Ludovic Courtès wrote: > Andreas Enge <andreas@enge.fr> skribis: > > Excellent work, thank you! > You’re welcome. :-) Does it work for you? Definitely, otherwise I would have complained ;-) Andreas ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2014-04-03 20:46 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-03-26 23:02 wip-signed-archives progress report Ludovic Courtès 2014-03-27 16:16 ` Nikita Karetnikov 2014-03-27 23:34 ` Ludovic Courtès 2014-03-30 21:54 ` Support for signed substitutes pushed Ludovic Courtès 2014-03-31 18:24 ` Alex Sassmannshausen 2014-03-31 20:00 ` Ludovic Courtès 2014-04-01 22:01 ` Ludovic Courtès 2014-04-03 17:21 ` Andreas Enge 2014-04-03 19:48 ` Ludovic Courtès 2014-04-03 20:45 ` Andreas Enge
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/guix.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.