From: Efraim Flashner
To: Ludovic Courtès
Cc: guix-devel@gnu.org, 39819@debbugs.gnu.org
Subject: bug#39819: Declarative /etc/guix/acl?
Date: Sun, 11 Oct 2020 14:00:12 +0300

On Sun, Oct 11, 2020 at 12:39:17PM +0200, Ludovic Courtès wrote:
> Hi!
>
> For some reason, /etc/guix/acl is not declarative on Guix System: we let
> users modify it and assume it’s stateful, which can surprise users as in
> .
>
> Should we make it declarative, just like most of /etc?  I think so.  For
> a build farm like berlin, it would force admins to explicitly list all
> the authorized keys in their config—annoying change, but not a bad
> thing.
>
> WDYT?

I've been surprised by it at least once. (That it was more than once is
on me...)

> The problem is the transition.  We would need to at least create a
> backup of /etc/guix/acl on the next activation, or better yet, warn
> users or error out at reconfigure time.
>
> Thoughts?
>
> Ludo’.
>

activation script:
(when (file-exists? "/etc/guix/acl")
  (rename-file "/etc/guix/acl" "/etc/guix/acl-old"))

-- 
Efraim Flashner      אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
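
The backup-on-activation step discussed in this message, as an added example that is not part of the original email and is not Guix code: it uses only core Guile procedures, checks with lstat so that a symlink is left alone, and never overwrites an earlier backup. The procedure name backup-stateful-acl!, the numbered backup suffix, and the assumption that a declaratively managed /etc/guix/acl would be a symlink (like most of /etc) are illustrative; the demo runs in a scratch directory under /tmp.

```scheme
;; Added example, not Guix code.  Core Guile only.
;; Assumption: once the ACL is declarative, /etc/guix/acl is a symlink,
;; so a regular file at that path is leftover hand-edited state.

(define (backup-stateful-acl! acl)
  "If ACL is a regular file, move it aside and return the backup file name.
Return #f when there is nothing to back up (missing file or symlink)."
  (let ((st (false-if-exception (lstat acl))))    ;lstat: do not follow symlinks
    (and st
         (eq? 'regular (stat:type st))
         ;; Pick a backup name that does not exist yet, so that a later
         ;; activation never clobbers the keys saved by an earlier one.
         (let loop ((n 0))
           (let ((backup (if (zero? n)
                             (string-append acl "-old")
                             (string-append acl "-old."
                                            (number->string n)))))
             (if (false-if-exception (lstat backup))
                 (loop (+ n 1))
                 (begin
                   (rename-file acl backup)
                   backup)))))))

(define (activate-acl! acl)
  "Back up a stateful ACL and tell the administrator where the old
authorized keys went, so they can be listed in the system configuration."
  (let ((backup (backup-stateful-acl! acl)))
    (when backup
      (format (current-error-port)
              "warning: ~a was edited by hand; old contents saved as ~a~%"
              acl backup))
    backup))

;; Constructed demo in a scratch directory; nothing under /etc is touched.
(let* ((dir (string-append "/tmp/acl-demo-" (number->string (getpid))))
       (acl (string-append dir "/acl")))
  (mkdir dir)
  (call-with-output-file acl
    (lambda (port) (display "(acl (entry ...))\n" port)))  ;constructed content
  (format #t "first activation:  ~s~%" (activate-acl! acl))
  (symlink "/dev/null" acl)          ;stand-in for the declarative file
  (format #t "second activation: ~s~%" (activate-acl! acl)))
```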