From: Nikita Karetnikov <nikita@karetnikov.org>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: bug-guix@gnu.org
Subject: Re: [PATCH] guix refresh: Add '--key-download'.
Date: Sat, 08 Jun 2013 15:19:05 +0400 [thread overview]
Message-ID: <87obbg3l5i.fsf_-_@karetnikov.org> (raw)
In-Reply-To: <87ppvxgavg.fsf@gnu.org> ("Ludovic Courtès"'s message of "Fri, 07 Jun 2013 18:19:39 +0200")
[-- Attachment #1.1: Type: text/plain, Size: 637 bytes --]
> It just occurred to me that it might be more intuitive to use one of
> 'interactive
> #f ; never download
> _ ; (any other value) always download
IMO, an attached version is better because we use high-level terms:
interactive, never, and always.
> Modulo these details, it seems ready to get it.
Can I push the attached version?
What should I do next? For instance, I can change 'guix refresh' to
fetch signatures first and don't download tarballs that can't be
authenticated (when signatures are missing and 'never' is used). Or I
can fix it not to mix version numbers (not to update Guile 1.8.8 to
version 2.0.9).
[-- Attachment #1.2: 0001-guix-refresh-Add-key-download.patch --]
[-- Type: text/x-diff, Size: 12858 bytes --]
From 911bd9c696b3104ac41f37dc0d2cf3741801d1d2 Mon Sep 17 00:00:00 2001
From: Nikita Karetnikov <nikita@karetnikov.org>
Date: Sat, 8 Jun 2013 10:35:11 +0000
Subject: [PATCH] guix refresh: Add '--key-download'.
* guix/gnu-maintenance.scm (download-tarball): Add a 'key-download'
keyword argument and pass it to 'gnupg-verify*'. Make
'archive-type' a keyword argument.
(package-update): Add a 'key-download' keyword argument. Pass
'archive-type' and 'key-download' keyword arguments to
'download-tarball'.
* guix/gnupg.scm: Import (ice-9 i18n) and (guix ui).
(gnupg-verify*): Add a 'key-download' keyword argument and adjust
'gnupg-verify*' to use it. Make 'server' a keyword argument.
* guix/scripts/refresh.scm (show-help, %options): Add and document
'--key-download'.
(update-package): Add a 'key-download' keyword argument and pass it
to 'package-update'.
(guix-refresh): Pass 'key-download' to 'update-package'. Limit
lines to a maximum of 79 characters.
---
guix/gnu-maintenance.scm | 18 +++++++---
guix/gnupg.scm | 36 +++++++++++++++++---
guix/scripts/refresh.scm | 79 +++++++++++++++++++++++++++++-----------------
3 files changed, 92 insertions(+), 41 deletions(-)
diff --git a/guix/gnu-maintenance.scm b/guix/gnu-maintenance.scm
index b54cd84..ed446c4 100644
--- a/guix/gnu-maintenance.scm
+++ b/guix/gnu-maintenance.scm
@@ -341,16 +341,19 @@ pairs. Example: (\"mit-scheme-9.0.1\" . \"/gnu/mit-scheme/stable.pkg/9.0.1\").
(_ #f))))
(define* (download-tarball store project directory version
- #:optional (archive-type "gz"))
+ #:key (archive-type "gz")
+ (key-download 'interactive))
"Download PROJECT's tarball over FTP and check its OpenPGP signature. On
-success, return the tarball file name."
+success, return the tarball file name. KEY-DOWNLOAD specifies a download
+policy for missing OpenPGP keys; allowed values: INTERACTIVE (default),
+ALWAYS, and NEVER."
(let* ((server (ftp-server/directory project))
(base (string-append project "-" version ".tar." archive-type))
(url (string-append "ftp://" server "/" directory "/" base))
(sig-url (string-append url ".sig"))
(tarball (download-to-store store url))
(sig (download-to-store store sig-url)))
- (let ((ret (gnupg-verify* sig tarball)))
+ (let ((ret (gnupg-verify* sig tarball #:key-download key-download)))
(if ret
tarball
(begin
@@ -359,9 +362,11 @@ success, return the tarball file name."
(warning (_ "(could be because the public key is not in your keyring)~%"))
#f)))))
-(define (package-update store package)
+(define* (package-update store package #:key (key-download 'interactive))
"Return the new version and the file name of the new version tarball for
-PACKAGE, or #f and #f when PACKAGE is up-to-date."
+PACKAGE, or #f and #f when PACKAGE is up-to-date. KEY-DOWNLOAD specifies a
+download policy for missing OpenPGP keys; allowed values: ALWAYS, NEVER, and
+INTERACTIVE (default)."
(match (package-update-path package)
((version . directory)
(let-values (((name)
@@ -372,7 +377,8 @@ PACKAGE, or #f and #f when PACKAGE is up-to-date."
(file-extension (origin-uri source)))
"gz"))))
(let ((tarball (download-tarball store name directory version
- archive-type)))
+ #:archive-type archive-type
+ #:key-download key-download)))
(values version tarball))))
(_
(values #f #f))))
diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index c17a495..40dc864 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2010, 2011, 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -21,7 +22,9 @@
#:use-module (ice-9 match)
#:use-module (ice-9 regex)
#:use-module (ice-9 rdelim)
+ #:use-module (ice-9 i18n)
#:use-module (srfi srfi-1)
+ #:use-module (guix ui)
#:export (%gpg-command
%openpgp-key-server
gnupg-verify
@@ -145,16 +148,37 @@ missing key."
(define (gnupg-receive-keys key-id server)
(system* (%gpg-command) "--keyserver" server "--recv-keys" key-id))
-(define* (gnupg-verify* sig file #:optional (server (%openpgp-key-server)))
+(define* (gnupg-verify* sig file
+ #:key (key-download 'interactive)
+ (server (%openpgp-key-server)))
"Like `gnupg-verify', but try downloading the public key if it's missing.
-Return #t if the signature was good, #f otherwise."
+Return #t if the signature was good, #f otherwise. KEY-DOWNLOAD specifies a
+download policy for missing OpenPGP keys; allowed values: ALWAYS, NEVER, and
+INTERACTIVE (default)."
(let ((status (gnupg-verify sig file)))
(or (gnupg-status-good-signature? status)
(let ((missing (gnupg-status-missing-key? status)))
+ (define (download-and-try-again)
+ ;; Download the missing key and try again.
+ (begin
+ (gnupg-receive-keys missing server)
+ (gnupg-status-good-signature? (gnupg-verify sig file))))
+
+ (define (receive?)
+ (let ((answer
+ (_ (begin (format #t "~a~a~%"
+ "Would you like to download this key "
+ "and add it to your keyring?")
+ (read-line)))))
+ (string-match (locale-yes-regexp) answer)))
+
(and missing
- (begin
- ;; Download the missing key and try again.
- (gnupg-receive-keys missing server)
- (gnupg-status-good-signature? (gnupg-verify sig file))))))))
+ (case key-download
+ ((never) #f)
+ ((always)
+ (download-and-try-again))
+ (else
+ (and (receive?)
+ (download-and-try-again)))))))))
;;; gnupg.scm ends here
diff --git a/guix/scripts/refresh.scm b/guix/scripts/refresh.scm
index 10715eb..e7eb578 100644
--- a/guix/scripts/refresh.scm
+++ b/guix/scripts/refresh.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -64,6 +65,15 @@
(option '("gpg") #t #f
(lambda (opt name arg result)
(alist-cons 'gpg-command arg result)))
+ (option '("key-download") #t #f
+ (lambda (opt name arg result)
+ (match arg
+ ((or "interactive" "always" "never")
+ (alist-cons 'key-download (string->symbol arg)
+ result))
+ (_
+ (leave (_ "unsupported policy: ~a~%")
+ arg)))))
(option '(#\h "help") #f #f
(lambda args
@@ -90,6 +100,11 @@ specified with `--select'.\n"))
--key-server=HOST use HOST as the OpenPGP key server"))
(display (_ "
--gpg=COMMAND use COMMAND as the GnuPG 2.x command"))
+ (display (_ "
+ --key-download=POLICY
+ handle missing OpenPGP keys according to POLICY:
+ 'always', 'never', and 'interactive', which is also
+ used when 'key-download' is not specified"))
(newline)
(display (_ "
-h, --help display this help and exit"))
@@ -98,12 +113,14 @@ specified with `--select'.\n"))
(newline)
(show-bug-report-information))
-(define (update-package store package)
- "Update the source file that defines PACKAGE with the new version."
+(define* (update-package store package #:key (key-download 'interactive))
+ "Update the source file that defines PACKAGE with the new version.
+KEY-DOWNLOAD specifies a download policy for missing OpenPGP keys; allowed
+values: INTERACTIVE (default), ALWAYS, and NEVER."
(let-values (((version tarball)
(catch #t
(lambda ()
- (package-update store package))
+ (package-update store package #:key-download key-download))
(lambda _
(values #f #f))))
((loc)
@@ -161,31 +178,33 @@ update would trigger a complete rebuild."
;; XXX: Fails to catch MPFR/MPC, whose *source* is used as input.
(member (package-name package) names))))
- (let* ((opts (parse-options))
- (update? (assoc-ref opts 'update?))
- (packages (match (concatenate
- (filter-map (match-lambda
- (('argument . value)
- (let ((p (find-packages-by-name value)))
- (unless p
- (leave (_ "~a: no package by that name")
- value))
- p))
- (_ #f))
- opts))
- (() ; default to all packages
- (let ((select? (match (assoc-ref opts 'select)
- ('core core-package?)
- ('non-core (negate core-package?))
- (_ (const #t)))))
- ;; TODO: Keep only the newest of each package.
- (fold-packages (lambda (package result)
- (if (select? package)
- (cons package result)
- result))
- '())))
- (some ; user-specified packages
- some))))
+ (let* ((opts (parse-options))
+ (update? (assoc-ref opts 'update?))
+ (key-download (assoc-ref opts 'key-download))
+ (packages
+ (match (concatenate
+ (filter-map (match-lambda
+ (('argument . value)
+ (let ((p (find-packages-by-name value)))
+ (unless p
+ (leave (_ "~a: no package by that name")
+ value))
+ p))
+ (_ #f))
+ opts))
+ (() ; default to all packages
+ (let ((select? (match (assoc-ref opts 'select)
+ ('core core-package?)
+ ('non-core (negate core-package?))
+ (_ (const #t)))))
+ ;; TODO: Keep only the newest of each package.
+ (fold-packages (lambda (package result)
+ (if (select? package)
+ (cons package result)
+ result))
+ '())))
+ (some ; user-specified packages
+ some))))
(with-error-handling
(if update?
(let ((store (open-connection)))
@@ -195,7 +214,9 @@ update would trigger a complete rebuild."
(%gpg-command
(or (assoc-ref opts 'gpg-command)
(%gpg-command))))
- (for-each (cut update-package store <>) packages)))
+ (for-each
+ (cut update-package store <> #:key-download key-download)
+ packages)))
(for-each (lambda (package)
(match (false-if-exception (package-update-path package))
((new-version . directory)
--
1.7.5.4
[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]
next prev parent reply other threads:[~2013-06-08 11:16 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-24 22:24 New “guix refresh” command Ludovic Courtès
2013-04-25 21:27 ` Ludovic Courtès
2013-04-26 16:16 ` Andreas Enge
2013-04-27 9:43 ` Ludovic Courtès
2013-04-27 10:11 ` Andreas Enge
2013-04-27 21:04 ` Ludovic Courtès
2013-04-27 21:14 ` Andreas Enge
2013-04-27 22:35 ` Ludovic Courtès
2013-04-29 21:27 ` Ludovic Courtès
2013-04-30 15:54 ` Andreas Enge
2013-05-07 19:03 ` Nikita Karetnikov
2013-05-07 22:21 ` Ludovic Courtès
2013-05-10 0:29 ` Nikita Karetnikov
2013-05-10 13:11 ` Ludovic Courtès
2013-05-10 22:54 ` Nikita Karetnikov
2013-05-11 10:10 ` Ludovic Courtès
2013-05-11 14:05 ` Nikita Karetnikov
2013-05-24 10:19 ` Nikita Karetnikov
2013-05-24 12:54 ` Ludovic Courtès
2013-05-30 0:46 ` Nikita Karetnikov
2013-06-01 15:55 ` Ludovic Courtès
2013-06-02 22:29 ` Ludovic Courtès
2013-06-07 5:26 ` [PATCH] guix refresh: Add '--key-download' Nikita Karetnikov
2013-06-07 16:19 ` Ludovic Courtès
2013-06-08 11:19 ` Nikita Karetnikov [this message]
2013-06-08 14:48 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87obbg3l5i.fsf_-_@karetnikov.org \
--to=nikita@karetnikov.org \
--cc=bug-guix@gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.