Subject: [bug#45104] pull: Add a "with-substitutes" option.
From: Ludovic Courtès
To: Mathieu Othacehe
Date: Tue, 15 Dec 2020 23:03:45 +0100
In-Reply-To: <878s9zfjt4.fsf@gnu.org> (Mathieu Othacehe's message of "Tue, 15 Dec 2020 11:24:55 +0100")
Message-ID: <875z52loam.fsf@gnu.org>
Cc: 45104@debbugs.gnu.org

Hi,

Mathieu Othacehe wrote:

>>          (and (evaluation-complete? evaluation)
>>               (string=? "guix-modular-master"
>>                         (evaluation-spec
>>                          evaluation))))
>
> On Berlin, evaluations can be completed for days, but the associated
> builds never started. I think that searching directly for a completed
> build provides a stronger guarantee of available substitutes.

Yes, something like you proposed probably makes more sense.  My point is
just that we could make the procedure available as part of the API and
document it as something people can use in their channels file.

>>   ;; Pull the latest commit fully built on berlin.guixsd.org.
>>   (list (channel
>>          (name 'guix)
>>          (url "https://git.savannah.gnu.org/git/guix.git")
>>          (commit (pk 'commit (latest-commit-successfully-built)))))
>
> Providing such a procedure definitely makes sense though.
>
>>   (channel-with-substitutes-available
>>     (channel (name 'guix) …)
>>     "https://ci.guix.gnu.org"
>>     (specifications->manifest '("emacs" "guile")))
>
> Yes it would be the ultimate thing! However, while finding the latest
> commit with an available substitute for a derivation is quite easy,
> finding a commit with available derivations for N derivations seems way
> more difficult.

Right!

>> It does mean that we’re asking users to do extra work.  Perhaps there
>> could still be a command-line option that would call
>> ‘channel-with-substitutes-available’ for you, but at least it would take
>> an explicit URL and clarify what Chris mentioned?
>
> Yes, the user would then have to provide the channels that need
> available substitutes, the URL to use for the substitution check and
> maybe a manifest that also needs available substitutes.
>
> The channels list could default to '("guix") and the URL to
> "https://ci.guix.gnu.org" as it would be a sensible default for most
> Guix users I think.

Yes, choosing good defaults can make it less intimidating.

>> BTW, doing all this is safer today because ‘guix pull’ will detect and
>> prevent downgrades.  Though an attacker who manages to break into
>> ci.guix.gnu.org could cause all the users of
>> ‘channel-with-substitutes-available’ to no longer receive updates or to
>> receive them more slowly than they appear in Git simply by making CI
>> even slower than it currently is.
>
> Yes, the downgrade check definitely helps here, as it's often what will
> happen with our lagging CI. Regarding the security aspect, I think that
> breaking into ci.guix.gnu.org can have other way more impacting
> consequences.

Yeah, though here we’re opening a new vulnerability channel, independent
of substitutes.  It changes the threat model.

Thanks,
Ludo’.
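
The selection logic discussed in this message, modelled in Python as an added example (not code from the thread or from Guix): it picks the newest commit for which a CI reports all N wanted packages built, never goes behind the current commit, and reports how far behind the channel tip the result is. The commit ids, the CI answer and both function names are constructed for illustration, and the channel history is assumed to be linear.

```python
# Constructed sample data: authenticated channel history, oldest first.
HISTORY = ["c1", "c2", "c3", "c4", "c5"]

# Constructed CI answer: commit -> packages whose builds succeeded there.
CI_BUILT = {
    "c1": {"emacs", "guile"},
    "c2": {"emacs", "guile"},
    "c3": {"emacs"},   # guile not built yet
    "c4": {"guile"},   # emacs build failed
    # "c5" has not been evaluated by the CI at all
}


def latest_commit_with_substitutes(history, ci_built, wanted):
    """Return the newest commit of `history` for which the CI reports every
    package in `wanted` as built, or None if there is no such commit.

    Only commits present in `history` are considered, so a commit id that
    appears solely in the CI answer can never be selected.
    """
    wanted = set(wanted)
    for commit in reversed(history):
        if wanted <= ci_built.get(commit, set()):
            return commit
    return None


def choose_pull_target(history, ci_built, wanted, current):
    """Return (commit, lag): the commit to pull and how many commits it is
    behind the tip of `history`.

    Downgrade guard: if the CI offers nothing, or only something older than
    `current`, stay on `current`. A slow or dishonest CI can therefore delay
    updates (visible as a growing lag) but cannot move the user backwards.
    """
    candidate = latest_commit_with_substitutes(history, ci_built, wanted)
    if candidate is None or history.index(candidate) < history.index(current):
        candidate = current
    lag = len(history) - 1 - history.index(candidate)
    return candidate, lag


if __name__ == "__main__":
    print(choose_pull_target(HISTORY, CI_BUILT, ["emacs", "guile"], "c1"))
    print(choose_pull_target(HISTORY, {}, ["emacs", "guile"], "c3"))
```
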