Subject: [bug#67072] [PATCH 4/4] weather: Report unauthorized substitute servers.
From: Simon Tournier
To: Ludovic Courtès, 67072@debbugs.gnu.org
Cc: Josselin Poiret, Mathieu Othacehe, Ludovic Courtès, Tobias Geerinckx-Rice, Ricardo Wurmus, Christopher Baines
Date: Tue, 28 Nov 2023 14:14:23 +0100
Message-ID: <87jzq2aukw.fsf@gmail.com>

Hi,

On Sat, 11 Nov 2023 at 12:06, Ludovic
Courtès wrote:

> + #:use-module (guix pki)

Looking at what it drags, I notice:

--8<---------------cut here---------------start------------->8---
(define* (authorized-key? key #:optional (acl (current-acl)))
  "Return #t if KEY (a canonical sexp) is an authorized public key for archive
imports according to ACL."
  ;; Note: ACL is kept in native sexp form to make 'authorized-key?' faster,
  ;; by not having to convert it with 'canonical-sexp->sexp' on each call.
  ;; TODO: We could use a better data type for ACLs.
  (let ((key (canonical-sexp->sexp key)))
    (match acl
      (('acl
        ('entry subject-keys
                ('tag ('guix 'import)))
        ...)
       (not (not (member key subject-keys))))
      (_
       (error "invalid access-control list" acl)))))
--8<---------------cut here---------------end--------------->8---

I know it is irrelevant to the patch at hand.  Maybe not. :-)

 1. Why this ’(not (not’ ?

 2. When testing the patch, I have not done --sysconfdir=/etc and it
    was not able to find the correct ACL.  Somehow…

> +(define (check-narinfo-authorization narinfo)
> + "Print a warning when NARINFO is not signed by an authorized key."
> + (unless (valid-narinfo? narinfo)

…I entered in this part – hence the look up (guix pki) ;-).  Well, my
mistake is hard to reproduce outside of the Guix development tree but
’valid-narinfo?’ returns false for more cases than just
unauthorized-key.  Therefore, the hint could be misleading.

Since we are discussing a helper, I would run ’signature-case’ here in
check-narinfo.  For example, if the case is 'unauthorized-key, then I
would check if %acl-file exists.  Maybe display the full %acl-file
explaining that the key is not in, etc.

Moreover, running “guix challenge coreutils” does not warn about
anything; when I was expecting the same warning as “guix weather”.

Last, once sysconfig fixed, I get:

--8<---------------cut here---------------start------------->8---
guix weather: warning: could not determine current substitute URLs; using defaults
computing 1 package derivations for x86_64-linux...
looking for 2 store items on https://ci.guix.gnu.org...
guix weather: error: open-file: Permission denied: "/etc/guix/acl"
--8<---------------cut here---------------end--------------->8---

Hum?  Maybe I am doing something wrong…  The file /etc/guix/acl has the
permission:

    -rw------- 1 root root 528 acl

Is it incorrect?  Well, if all are allowed to read (chmod a+r) then
there is no error.  And it displays the warning:

--8<---------------cut here---------------start------------->8---
guix weather: warning: could not determine current substitute URLs; using defaults
--8<---------------cut here---------------end--------------->8---

And that’s because the daemon is not supporting the operation.  This
warning appears to me misleading: personally I think that I have
misconfigured something when that’s not the case.  Instead, I would
display:

    warning: using defaults substitute URLs

Cheers,
simon
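
Review bot: in check-narinfo-authorization, the guard `(unless (valid-narinfo? narinfo)` is broader than the docstring's "not signed by an authorized key". As the reply above points out, valid-narinfo? is false for more cases than an unauthorized key, so the warning can blame authorization when the cause is something else; the transcript above also shows an unreadable "/etc/guix/acl" surfacing as a raw open-file error instead of a diagnosis. Suggest dispatching on the specific failure case before printing the hint, and reporting a missing or unreadable ACL file as its own case, so that the message names the actual reason the narinfo was rejected.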