From: André Batista
To: Maxim Cournoyer
Cc: 61246@debbugs.gnu.org
Subject: [bug#61246] [PATCH v3 2/3] doc: Explain how to use local guix repositories.
Date: Wed, 22 Feb 2023 15:10:39 -0300

Hi Maxim,

Sat 18 Feb 2023 at 12:35:32 (1676734532), maxim.cournoyer@gmail.com sent:
>
> --8<---------------cut here---------------start------------->8---
> Note that you can specify a local directory on the @code{url} field
> above if the channel that you intend to use resides on a local file
> system. However, in this case @command{guix}@footnote{More accurately,
> @command{git}, which Guix utilizes via the @code{libgit2} library.}
> checks said directory for ownership before any further processing. This
> means that if the user is not the directory owner, but wants to use it
> as their default, they will then need to set it as a safe directory in
> their global git configuration file. Otherwise, @command{guix} will
> refuse to even read it.
> Supposing your system-wide local directory is
> at @code{/src/guix.git}, you would then create a git configuration file
> at @code{~/.gitconfig} with the following contents:
> --8<---------------cut here---------------end--------------->8---

I don't think it's more accurate to say it's @command{git}. Looking at
the manual, on section 7.4 "Channel Authentication", it says:

---
The @command{guix pull} and @command{guix time-machine} commands
@dfn{authenticate} the code retrieved from channels: they make sure each
commit that is fetched is signed by an authorized developer. The goal is
to protect from unauthorized modifications to the channel that would
lead users to run malicious code.

As a user, you must provide a @dfn{channel introduction} in your
channels file so that Guix knows how to authenticate its first commit.
A channel specification, including its introduction, looks something
along these lines:
---

Then it goes on to describe how to insert an openpgp fingerprint, a
commit hash, but it does not say it's @command{git}, nor
@command{gnupg}, and it has no word to say about gcrypt library, libgit2
or guile and IMO it's good as is.

Anyway, would it satisfy your concerns if I were to send another patch
version with the following contents?

--8<---------------cut here---------------start------------->8---
Note that you can specify a local directory on the @code{url} field
above if the channel that you intend to use resides on a local file
system. However, in this case Guix checks said directory for ownership
before any further processing and it will, by default, abort execution
if the configured directory is neither owned by the calling user nor has
it been configured as a safe directory in the user's global
@command{git} configuration file at @code{~/.gitconfig}, which Guix
honors@footnote{If you know your @command{git}, this security measure
mimics what it does.}.
Supposing your system-wide local channel
is at @code{/src/guix.git}, you would then declare it a safe directory
by adding the following configuration directives to your @command{git}
global configuration file:
--8<---------------cut here---------------end--------------->8---

Cheers,
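
A simplified model of the check discussed in this thread (accept a directory the caller owns, otherwise require a `safe.directory` entry), added here as an example; it is not part of the original message and is not Guix or libgit2 code. The function names and the `CONFIG` and `UID_TO_CHECK` parameters are assumptions of this sketch, and entries are matched by exact string only.

```shell
#!/bin/sh
# Simplified model: a directory is accepted when the calling user owns it,
# or when it is listed under safe.directory in the user's git configuration.
# CONFIG and UID_TO_CHECK are parameters of this sketch, not Guix options.

# owner_uid DIR -> numeric uid of DIR's owner (GNU stat first, then BSD stat).
owner_uid() {
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# channel_dir_trusted DIR [CONFIG] [UID_TO_CHECK]
# Exit status 0 when DIR passes the check, 1 when it would be refused.
channel_dir_trusted() {
    dir=$1
    config=${2:-$HOME/.gitconfig}
    uid=${3:-$(id -u)}

    [ -d "$dir" ] || return 1
    # Owned by the caller: nothing else to check.
    [ "$(owner_uid "$dir")" = "$uid" ] && return 0

    # Not the owner: only an explicit safe.directory entry can allow it.
    [ -f "$config" ] || return 1
    # --get-all prints one value per line; "*" marks every directory as safe.
    git config --file "$config" --get-all safe.directory 2>/dev/null |
    while IFS= read -r entry; do
        if [ "$entry" = "*" ] || [ "$entry" = "$dir" ]; then
            echo yes
            break
        fi
    done | grep -q yes
}

# mark_safe DIR [CONFIG]: append DIR to safe.directory, which git stores as
#   [safe]
#           directory = DIR
mark_safe() {
    git config --file "${2:-$HOME/.gitconfig}" --add safe.directory "$1"
}
```

Calling `mark_safe /src/guix.git` as the user who runs `guix pull` adds the entry to that user's `~/.gitconfig`; a `*` entry disables the protection for every directory and is best avoided on shared machines.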