Disabling authentication checks for tests in local Guix checkouts

Disabling authentication checks for tests in local Guix checkouts

[Ada Stevenson]

Hi Guix,

I'm currently trying to help test the changes to GRUB submitted in issue 
#71348[1]. Unfortunately, `make check`, whilst building the local Guix 
channel, authenticates every commit. That means commits not signed by 
people in `guix-authorizations` will stop the channel from building and 
prevents running any of the tests.

I have tried to fix the issue by writing a patch:
-----
diff --git a/etc/system-tests.scm b/etc/system-tests.scm
index 221a63bb7f..6655850396 100644
--- a/etc/system-tests.scm
+++ b/etc/system-tests.scm
@@ -49,7 +49,7 @@ (define (tests-for-current-guix source commit)
    ;; of tests to run in the usual way:
    ;;
    ;;   make check-system TESTS=installed-os
-  (let ((guix (channel-source->package source #:commit commit)))
+  (let ((guix (channel-source->package source #:commit commit 
#:authenticate? #f)))
      (map (lambda (test)
             (system-test
              (inherit test)
diff --git a/gnu/packages/package-management.scm 
b/gnu/packages/package-management.scm
index 54521ab3c4..46d66604c7 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -563,7 +563,7 @@ (define-public guix
  the Nix package manager.")
        (license license:gpl3+))))

-(define* (channel-source->package source #:key commit)
+(define* (channel-source->package source #:key commit (authenticate? #t))
    "Return a package for the given channel SOURCE, a lowerable object."
    (package
      (inherit guix)
@@ -571,7 +571,8 @@ (define* (channel-source->package source #:key commit)
                              (if commit (string-take commit 7) "")))
      (build-system channel-build-system)
      (arguments `(#:source ,source
-                 #:commit ,commit))
+                 #:commit ,commit
+                 #:authenticate? ,authenticate?))
      (inputs '())
      (native-inputs '())
      (propagated-inputs '())))
-----

Initially this seems like it works, as it starts to index all of the 
commits in the local checkout, which didn't occur beforehand, instead 
immediately giving a `Git error: cannot locate remote-tracking branch 
'origin/keyring'` (I've run `git fetch -a`, and my Savannah remote is 
called `origin`).

I'm not sure where this second building of the channel is occurring; the 
channel-build-system is being passed the `authenticate? #f` flag, so I'm 
at a loss.

I'd really appreciate any input or help!

Warmly,
Ada

[1] https://issues.guix.gnu.org/issue/71348

Re: Disabling authentication checks for tests in local Guix checkouts

[Ludovic Courtès]

Hi Ada,

Ada Stevenson <adanskana@gmail.com> skribis:

> I'm currently trying to help test the changes to GRUB submitted in
> issue #71348[1]. Unfortunately, `make check`, whilst building the
> local Guix channel, authenticates every commit. That means commits not
> signed by people in `guix-authorizations` will stop the channel from
> building and prevents running any of the tests.

Bummer.  :-(

> I have tried to fix the issue by writing a patch:

This patch looks like the right thing to do.

I’m not sure how to integrate it though: in the general case, we
probably want to keep authentication enabled by default, but how to
allow users to easily disable it when using a personal checkout?

> Initially this seems like it works, as it starts to index all of the
> commits in the local checkout, which didn't occur beforehand, instead
> immediately giving a `Git error: cannot locate remote-tracking branch
> 'origin/keyring'` (I've run `git fetch -a`, and my Savannah remote is
> called `origin`).

Guix caches clones under ~/.cache/guix/checkout.  It may be that there’s
a clone of your local repo there, but that the clone itself lack a copy
of the ‘keyring’ branch?  (You can run ‘git fetch -a’ in there.)

Thanks for testing!

Ludo’.

Re: Disabling authentication checks for tests in local Guix checkouts

[Suhail Singh]

Ludovic Courtès <ludo@gnu.org> writes:

> I’m not sure how to integrate it though: in the general case, we
> probably want to keep authentication enabled by default, but how to
> allow users to easily disable it when using a personal checkout?

Could you please elaborate on what the challenge is?

Is the challenge in inferring when they are using a personal checkout?
Would it be a challenge to have the user provide an option instead?
Said option could either be passed in explicitly every-time, or a
command provided to allow the user to set/unset the option (which would
get stored, say, in .git/config under guix "authentication") and the
code updated to read the preference from there.

-- 
Suhail

Re: Disabling authentication checks for tests in local Guix checkouts

[Ludovic Courtès]

Suhail Singh <suhailsingh247@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> I’m not sure how to integrate it though: in the general case, we
>> probably want to keep authentication enabled by default, but how to
>> allow users to easily disable it when using a personal checkout?
>
> Could you please elaborate on what the challenge is?
>
> Is the challenge in inferring when they are using a personal checkout?
> Would it be a challenge to have the user provide an option instead?
> Said option could either be passed in explicitly every-time, or a
> command provided to allow the user to set/unset the option (which would
> get stored, say, in .git/config under guix "authentication") and the
> code updated to read the preference from there.

The challenge is in determining that Guix is running from a local
checkout.  Now that I think about it, it’s not that hard: ./pre-inst-env
sets ‘GUIX_UNINSTALLED’.  So we could do:

  #:authenticate? (not (getenv "GUIX_UNINSTALLED"))

Problem is that an attacker could lead a user to disable authentication
by getting them to set this seemingly unrelated environment variable.

The ‘.git/config’ option you propose is not available because that all
happens with the Guix-managed cached checkout under
~/.cache/guix/checkouts.

Maybe a specific environment variable would do?

Ludo’.

Re: Disabling authentication checks for tests in local Guix checkouts

[Suhail Singh]

Ludovic Courtès <ludo@gnu.org> writes:

> The challenge is in determining that Guix is running from a local
> checkout.  Now that I think about it, it’s not that hard: ./pre-inst-env
> sets ‘GUIX_UNINSTALLED’.  So we could do:
>
>   #:authenticate? (not (getenv "GUIX_UNINSTALLED"))
>
> Problem is that an attacker could lead a user to disable authentication
> by getting them to set this seemingly unrelated environment variable.
>
> The ‘.git/config’ option you propose is not available because that all
> happens with the Guix-managed cached checkout under
> ~/.cache/guix/checkouts.

Thank you for the detailed explanation.

> Maybe a specific environment variable would do?

Perhaps.  What is the threat model of the attacker?

-- 
Suhail

Re: Disabling authentication checks for tests in local Guix checkouts

[Ada Stevenson]

Hi Ludo'

On 17/06/2024 1:05 pm, Ludovic Courtès wrote:
> Hi Ada,
> 
> Ada Stevenson <adanskana@gmail.com> skribis:
> 
>> I'm currently trying to help test the changes to GRUB submitted in
>> issue #71348[1]. Unfortunately, `make check`, whilst building the
>> local Guix channel, authenticates every commit. That means commits not
>> signed by people in `guix-authorizations` will stop the channel from
>> building and prevents running any of the tests.
> 
> Bummer.  :-(
> 
>> I have tried to fix the issue by writing a patch:
> 
> This patch looks like the right thing to do.
> 
> I’m not sure how to integrate it though: in the general case, we
> probably want to keep authentication enabled by default, but how to
> allow users to easily disable it when using a personal checkout?
> 
>> Initially this seems like it works, as it starts to index all of the
>> commits in the local checkout, which didn't occur beforehand, instead
>> immediately giving a `Git error: cannot locate remote-tracking branch
>> 'origin/keyring'` (I've run `git fetch -a`, and my Savannah remote is
>> called `origin`).
> 
> Guix caches clones under ~/.cache/guix/checkout.  It may be that there’s
> a clone of your local repo there, but that the clone itself lack a copy
> of the ‘keyring’ branch?  (You can run ‘git fetch -a’ in there.)

I tried invoking the tests from within a `./pre-inst-env guix repl` and 
managed to get both of the tests to run using my patch! They both passed 
too. I think you're right, there must have been some sort of caching error.

Anyway, I'm new to contributing using Debbugs. Is there a way to tag an 
issue as 'reviewed' or something like that? Or do I just send an email 
saying I tested the patch and everything looks good? Let me know :-)

> 
> Thanks for testing!

You're welcome! Thanks for writing the patch.

> 
> Ludo’.

Warmly,
Ada