From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id wAAXHuTggl+mPwAA0tVLHw (envelope-from ) for ; Sun, 11 Oct 2020 10:39:32 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id SIEIGuTggl/+PgAA1q6Kng (envelope-from ) for ; Sun, 11 Oct 2020 10:39:32 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 44753940105 for ; Sun, 11 Oct 2020 10:39:32 +0000 (UTC) Received: from localhost ([::1]:48876 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kRYlH-0004TM-86 for larch@yhetil.org; Sun, 11 Oct 2020 06:39:31 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:59190) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kRYl5-0004TD-Jv for guix-devel@gnu.org; Sun, 11 Oct 2020 06:39:19 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:50480) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kRYl5-0004lP-AM; Sun, 11 Oct 2020 06:39:19 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=50636 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1kRYl4-0001JH-Qj; Sun, 11 Oct 2020 06:39:19 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Subject: Declarative /etc/guix/acl? X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 20 =?utf-8?Q?Vend=C3=A9miaire?= an 229 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Sun, 11 Oct 2020 12:39:17 +0200 Message-ID: <87v9fhf3my.fsf@inria.fr> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: 39819@debbugs.gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Spam-Score: 0.99 X-TUID: WC11S4dBqxvV Hi! For some reason, /etc/guix/acl is not declarative on Guix System: we let users modify it and assume it=E2=80=99s stateful, which can surprise users = as in . Should we make it declarative, just like most of /etc? I think so. For a build farm like berlin, it would force admins to explicitly list all the authorized keys in their config=E2=80=94annoying change, but not a bad thing. WDYT? The problem is the transition. We would need to at least create a backup of /etc/guix/acl on the next activation, or better yet, warn users or error out at reconfigure time. Thoughts? Ludo=E2=80=99.