all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Efraim Flashner <efraim@flashner.co.il>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org, 39819@debbugs.gnu.org
Subject: bug#39819: Declarative /etc/guix/acl?
Date: Sun, 11 Oct 2020 14:00:12 +0300	[thread overview]
Message-ID: <20201011110012.GD1301@E5400> (raw)
In-Reply-To: <87v9fhf3my.fsf@inria.fr>

[-- Attachment #1: Type: text/plain, Size: 1210 bytes --]

On Sun, Oct 11, 2020 at 12:39:17PM +0200, Ludovic Courtès wrote:
> Hi!
> 
> For some reason, /etc/guix/acl is not declarative on Guix System: we let
> users modify it and assume it’s stateful, which can surprise users as in
> <https://issues.guix.gnu.org/39819>.
> 
> Should we make it declarative, just like most of /etc?  I think so.  For
> a build farm like berlin, it would force admins to explicitly list all
> the authorized keys in their config—annoying change, but not a bad
> thing.
> 
> WDYT?

I've been surprised by it at least once. (That it was more than once is
on me...)

> The problem is the transition.  We would need to at least create a
> backup of /etc/guix/acl on the next activation, or better yet, warn
> users or error out at reconfigure time.
> 
> Thoughts?
> 
> Ludo’.
> 

activation script: (when (file-exists? "/etc/guix/acl")
                     (rename-file "/etc/guix/acl"
                                  "/etc/guix/acl-old"))

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

  reply	other threads:[~2020-10-11 11:01 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-28  4:30 bug#39819: guix-service-type authorized keys are not honored when /etc/guix/acl exists Maxim Cournoyer
2020-02-28  4:32 ` Maxim Cournoyer
2020-10-11 10:39 ` Declarative /etc/guix/acl? Ludovic Courtès
2020-10-11 11:00   ` Efraim Flashner [this message]
2020-10-11 11:07   ` Jan Nieuwenhuizen
2020-10-12 12:53     ` bug#39819: " Ludovic Courtès
2020-10-12 20:26       ` Jan Nieuwenhuizen
2020-10-21 15:08   ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
2020-10-21 15:08     ` bug#39819: [PATCH 2/2] doc: Add "Getting Substitutes from Other Servers" section Ludovic Courtès
2020-10-21 16:06     ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Vagrant Cascadian
2020-10-24 23:08     ` bug#39819: " Ludovic Courtès
2020-10-25  5:59       ` Jan Nieuwenhuizen
2020-10-24 23:11     ` Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201011110012.GD1301@E5400 \
    --to=efraim@flashner.co.il \
    --cc=39819@debbugs.gnu.org \
    --cc=guix-devel@gnu.org \
    --cc=ludo@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.