pull: Add '--disable-authentication'.

* guix/channels.scm (latest-channel-instance): Add #:authenticate? and
honor it.
(latest-channel-instances): Likewise.
* guix/scripts/pull.scm (%default-options): Add 'authenticate-channels?'.
(show-help, %options): Add '--disable-authentication'.
(guix-pull): Pass #:authenticate? to 'latest-channel-instances'.
* doc/guix.texi (Invoking guix pull): Document it.
Ludovic Courtès 2020-06-08 23:22:17 +02:00
parent c3f6f564e9
commit a9eeeaa6ae
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
3 changed files with 43 additions and 10 deletions


@ -3929,6 +3929,20 @@ Make sure you understand its security implications before using
@option{--allow-downgrades}. @option{--allow-downgrades}.
@end quotation @end quotation
@item --disable-authentication
Allow pulling channel code without authenticating it.
@cindex authentication, of channel code
By default, @command{guix pull} authenticates code downloaded from
channels by verifying that its commits are signed by authorized
developers, and raises an error if this is not the case. This option
instructs it to not perform any such verification.
@quotation Note
Make sure you understand its security implications before using
@option{--disable-authentication}.
@end quotation
@item --system=@var{system} @item --system=@var{system}
@itemx -s @var{system} @itemx -s @var{system}
Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of


@ -390,11 +390,12 @@ commits ~a to ~a (~h new commits)...~%")
(define* (latest-channel-instance store channel (define* (latest-channel-instance store channel
#:key (patches %patches) #:key (patches %patches)
starting-commit starting-commit
(authenticate? #f)
(validate-pull (validate-pull
ensure-forward-channel-update)) ensure-forward-channel-update))
"Return the latest channel instance for CHANNEL. When STARTING-COMMIT is "Return the latest channel instance for CHANNEL. When STARTING-COMMIT is
true, call VALIDATE-PULL with CHANNEL, STARTING-COMMIT, the target commit, and true, call VALIDATE-PULL with CHANNEL, STARTING-COMMIT, the target commit, and
their relation." their relation. When AUTHENTICATE? is false, CHANNEL is not authenticated."
(define (dot-git? file stat) (define (dot-git? file stat)
(and (string=? (basename file) ".git") (and (string=? (basename file) ".git")
(eq? 'directory (stat:type stat)))) (eq? 'directory (stat:type stat))))
@ -408,14 +409,16 @@ their relation."
(when relation (when relation
(validate-pull channel starting-commit commit relation)) (validate-pull channel starting-commit commit relation))
(if (channel-introduction channel) (if authenticate?
(authenticate-channel channel checkout commit) (if (channel-introduction channel)
;; TODO: Warn for all the channels once the authentication interface (authenticate-channel channel checkout commit)
;; is public. ;; TODO: Warn for all the channels once the authentication interface
(when (guix-channel? channel) ;; is public.
(warning (G_ "channel '~a' lacks an introduction and \ (when (guix-channel? channel)
(warning (G_ "channel '~a' lacks an introduction and \
cannot be authenticated~%") cannot be authenticated~%")
(channel-name channel)))) (channel-name channel))))
(warning (G_ "channel authentication disabled~%")))
(when (guix-channel? channel) (when (guix-channel? channel)
;; Apply the relevant subset of PATCHES directly in CHECKOUT. This is ;; Apply the relevant subset of PATCHES directly in CHECKOUT. This is
@ -463,11 +466,15 @@ allow non-forward updates."))))))))))
(define* (latest-channel-instances store channels (define* (latest-channel-instances store channels
#:key #:key
(current-channels '()) (current-channels '())
(authenticate? #t)
(validate-pull (validate-pull
ensure-forward-channel-update)) ensure-forward-channel-update))
"Return a list of channel instances corresponding to the latest checkouts of "Return a list of channel instances corresponding to the latest checkouts of
CHANNELS and the channels on which they depend. CHANNELS and the channels on which they depend.
When AUTHENTICATE? is true, authenticate the subset of CHANNELS that has a
\"channel introduction\".
CURRENT-CHANNELS is the list of currently used channels. It is compared CURRENT-CHANNELS is the list of currently used channels. It is compared
against the newly-fetched instances of CHANNELS, and VALIDATE-PULL is called against the newly-fetched instances of CHANNELS, and VALIDATE-PULL is called
for each channel update and can choose to emit warnings or raise an error, for each channel update and can choose to emit warnings or raise an error,
@ -505,6 +512,8 @@ depending on the policy it implements."
(let* ((current (current-commit (channel-name channel))) (let* ((current (current-commit (channel-name channel)))
(instance (instance
(latest-channel-instance store channel (latest-channel-instance store channel
#:authenticate?
authenticate?
#:validate-pull #:validate-pull
validate-pull validate-pull
#:starting-commit #:starting-commit
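Review bot: The new `#:authenticate?` keyword defaults to `#f` on `latest-channel-instance` (first hunk) but to `#t` on `latest-channel-instances` (third hunk), so the single-channel entry point is fail-open: any caller that reaches it directly without passing the keyword skips signature verification silently, and only the "channel authentication disabled" warning hints at it. Unless some caller outside this diff deliberately relies on the unauthenticated default, the secure choice is to make both defaults agree, `(authenticate? #t)` in `latest-channel-instance`, and let the sole opt-out be the explicit flag threaded from `guix pull`. Note also that the warning in the second hunk is emitted per channel visited rather than once per pull, which is harmless but noisy when several channels are configured. The body of `latest-channel-instance` continues past the second hunk, and the call site in the last hunk sits inside a `let*` whose enclosing definition starts outside it.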


@ -82,6 +82,7 @@
(graft? . #t) (graft? . #t)
(debug . 0) (debug . 0)
(verbosity . 1) (verbosity . 1)
(authenticate-channels? . #t)
(validate-pull . ,ensure-forward-channel-update))) (validate-pull . ,ensure-forward-channel-update)))
(define (show-help) (define (show-help)
@ -97,6 +98,9 @@ Download and deploy the latest version of Guix.\n"))
--branch=BRANCH download the tip of the specified BRANCH")) --branch=BRANCH download the tip of the specified BRANCH"))
(display (G_ " (display (G_ "
--allow-downgrades allow downgrades to earlier channel revisions")) --allow-downgrades allow downgrades to earlier channel revisions"))
(display (G_ "
--disable-authentication
disable channel authentication"))
(display (G_ " (display (G_ "
-N, --news display news compared to the previous generation")) -N, --news display news compared to the previous generation"))
(display (G_ " (display (G_ "
@ -165,6 +169,9 @@ Download and deploy the latest version of Guix.\n"))
(lambda (opt name arg result) (lambda (opt name arg result)
(alist-cons 'validate-pull warn-about-backward-updates (alist-cons 'validate-pull warn-about-backward-updates
result))) result)))
(option '("disable-authentication") #f #f
(lambda (opt name arg result)
(alist-cons 'authenticate-channels? #f result)))
(option '(#\p "profile") #t #f (option '(#\p "profile") #t #f
(lambda (opt name arg result) (lambda (opt name arg result)
(alist-cons 'profile (canonicalize-profile arg) (alist-cons 'profile (canonicalize-profile arg)
@ -771,7 +778,8 @@ Use '~/.config/guix/channels.scm' instead."))
(channels (channel-list opts)) (channels (channel-list opts))
(profile (or (assoc-ref opts 'profile) %current-profile)) (profile (or (assoc-ref opts 'profile) %current-profile))
(current-channels (profile-channels profile)) (current-channels (profile-channels profile))
(validate-pull (assoc-ref opts 'validate-pull))) (validate-pull (assoc-ref opts 'validate-pull))
(authenticate? (assoc-ref opts 'authenticate-channels?)))
(cond ((assoc-ref opts 'query) (cond ((assoc-ref opts 'query)
(process-query opts profile)) (process-query opts profile))
((assoc-ref opts 'generation) ((assoc-ref opts 'generation)
@ -793,7 +801,9 @@ Use '~/.config/guix/channels.scm' instead."))
#:current-channels #:current-channels
current-channels current-channels
#:validate-pull #:validate-pull
validate-pull))) validate-pull
#:authenticate?
authenticate?)))
(format (current-error-port) (format (current-error-port)
(N_ "Building from this channel:~%" (N_ "Building from this channel:~%"
"Building from these channels:~%" "Building from these channels:~%"
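Review bot: In the last hunk, `(authenticate? (assoc-ref opts 'authenticate-channels?))` cannot distinguish "user passed --disable-authentication" from "key absent": `assoc-ref` returns `#f` in both cases, so authentication is only on because `%default-options` in the first hunk seeds the key with `#t`. Any code path that builds `opts` without those defaults would turn verification off without a trace, which inverts the fail-closed posture the rest of the change is aiming for. A defensive reading that treats absence as authenticated is two lines: `(authenticate? (let ((entry (assq 'authenticate-channels? opts)))` / `(if entry (cdr entry) #t)))`. Separately, the help string `disable channel authentication` in the second hunk could say what is being given up, e.g. `do not verify that channel commits are signed by authorized keys (unsafe)`, since the manual carries the warning but `--help` does not. The surrounding `let*` and `cond` in `guix-pull` begin before this hunk and its body continues after it.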