[Accidentally pushed patch v1, this commit contains the rest of the
changes. Revised commit message follows.]
Apart from debug information, one can also strip some symbols. This can
be a significant difference, the closure of gcc-toolchain@7 got reduced
by 15 MB in my tests.
As per [1], --strip-debug is included in --strip-unneeded, and
the debug files created also contain a copy of the information removed
by --strip-unneeded.
Linux From Scratch suggests that this option shouldn't be used on static
libraries [2], however other sources [3] indicate otherwise. Building a
toolchain with this patch succeeds, and the result works fine for
'gcc -static hello-world.c'.
[1]: https://stackoverflow.com/a/52555093
[2]: http://www.linuxfromscratch.org/lfs/view/9.1/chapter05/stripping.html
[3]: https://www.technovelty.org/linux/stripping-shared-libraries.html
* guix/build/gnu-build-system.scm (strip): Use --strip-unneeded.
* guix/build-system/gnu.scm (static-package, gnu-build, gnu-cross-build): Likewise.
Apart from debug information, one can also strip some symbols. This can
be a significant difference, qtbase:out consists of about 5 MB of those
symbols. As per [1], --strip-debug is included in --strip-unneeded, and
the debug files created also contain a copy of the information removed
by --strip-unneeded.
Linux From Scratch suggests that this option shouldn't be used on static
libraries [2], however other sources [3] indicate otherwise. Building a
toolchain with this patch succeeds, and the result works fine for
'gcc -static hello-world.c'.
[1]: https://stackoverflow.com/a/52555093
[2]: http://www.linuxfromscratch.org/lfs/view/9.1/chapter05/stripping.html
[3]: https://www.technovelty.org/linux/stripping-shared-libraries.html
* guix/build/gnu-build-system.scm (strip): Use --strip-unneeded.
* guix/ui.scm (show-what-to-build): When VERBOSITY is 1, add a newline
before the "would/will be downloaded" line, and wrap that message in
'highlight'.
In practice we're always using the same key pair,
/etc/guix/signing-key.{pub,sec}. Keeping them in cache allows us to
avoid redundant I/O and parsing when signing multiple store items in a
row.
* guix/scripts/authenticate.scm (load-key-pair): New procedure.
(sign-with-key): Remove 'key-file' parameter and add 'public-key' and
'secret-key'. Adjust accordingly.
(validate-signature): Add 'acl' parameter and pass it to
'authorized-key?'.
(guix-authenticate)[call-with-reply]: New procedure.
[with-reply]: New macro.
Call 'current-acl' upfront and cache its result. Add 'key-pairs' as an
argument to 'loop' and use it as a cache of key pairs.
Previously, we'd spawn 'guix authenticate' once for each item that has
to be signed (when exporting) or authenticated (when importing). Now,
we spawn it once for all and then follow a request/reply protocol. This
reduces the wall-clock time of:
guix archive --export -r $(guix build coreutils -d)
from 30s to 2s.
* guix/scripts/authenticate.scm (sign-with-key): Return the signature
instead of displaying it. Raise a &formatted-message instead of calling
'leave'.
(validate-signature): Likewise.
(read-command): New procedure.
(define-enumerate-type, reply-code): New macros.
(guix-authenticate)[send-reply]: New procedure.
Change to read commands from current-input-port.
* nix/libstore/local-store.cc (runAuthenticationProgram): Remove.
(authenticationAgent, readInteger, readAuthenticateReply): New
functions.
(signHash, verifySignature): Rewrite in terms of the agent.
* tests/store.scm ("import not signed"): Remove 'pk' call.
("import signed by unauthorized key"): Check the error message of C.
* tests/guix-authenticate.sh: Rewrite using the new protocol.
fixlet
* guix/svn-download.scm (download-svn-to-store): Add a subdirectory to
the download path. The subdirectory is used as the target for the 'svn
export' command, avoiding a 'directory exists' error when attempting to
use the parent directory directly.
It was made transactional in a4678c6ba1, with
the reasoning to prevent broken intermediate states from being visible. I
think this means something like an entry being in ValidPaths, but the Refs not
being inserted.
Using a transaction for this makes sense, but I think using one single
transaction for the whole register-items call is unnecessary to avoid broken
states from being visible, and could block other writes to the store database
while register-items is running. Because the deduplication and resetting
timestamps happens within the transaction as well, even though these things
don't involve the database, writes to the database will still be blocked while
this is happening.
To reduce the potential for register-items to block other writers to the
database for extended periods, this commit moves the transaction to just wrap
the call to sqlite-register. This is the one place where writes occur, so that
should prevent the broken intermediate states issue above. The one difference
this will make is some of the registered items will be visible to other
connections while others may be still being added. I think this is OK, as it's
equivalent to just registering different items.
* guix/store/database.scm (register-items): Reduce transaction scope.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
It's necessary that store items be locked and protected from garbage
collection while they are being registered. This documents that.
* guix/store/database.scm (register-path, register-items): document GC
protection and locking requirements.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This causes with-writable-file to take into consideration the actual store
being used, as passed to 'deduplicate', rather than
whatever (%store-directory) may return.
* guix/store/deduplication.scm (replace-with-link): new keyword argument
'store'. Pass to with-writable-file.
(with-writable-file, call-with-writable-file): new store argument.
(deduplicate): pass store to replace-with-link.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* guix/ui.scm (show-manifest-transaction)[package-strings]: Add an
OLD-VERSIONS keyword parameter. Absorb the code path previously found in the
upgrade-string. Remove upgrade-string.
(show-manifest-transaction): Adjust to the above changes.
There's no reason at this point to mimic the calling convention of the
'openssl' command.
* nix/libstore/local-store.cc (LocalStore::exportPath): Add only "sign"
and HASH to ARGS. Remove 'tmpDir' and 'hashFile'.
(LocalStore::importPath): Add only "verify" and SIGNATURE to
* guix/scripts/authenticate.scm (guix-authenticate): Adjust
accordingly; remove the OpenSSL-style clauses.
(read-hash-data): Remove.
(sign-with-key): Replace 'port' with 'sha256' and adjust accordingly.
(validate-signature): Export SIGNATURE to be a canonical sexp.
* tests/guix-authenticate.sh: Adjust tests accordingly.
* doc/guix.texi (Invoking guix archive): Introduce the term "nar bundle"
and clarify what the output of "guix archive --export" really is.
* guix/nar.scm (restore-one-item, restore-file-set): Use the term "nar
bundle" in docstrings.
Fixes <https://bugs.gnu.org/43039>.
Reported by Adam Griffiths <adam.lw.griffiths@gmail.com>.
Previously, a client could lead 'guix substitute' to run in a non-UTF-8
locale, such as the "C" locale. Consequently, 'guix substitute' would
now fail to decode UTF-8 file names such as those that appear in the
'nss-certs' package.
* guix/scripts/substitute.scm (guix-substitute): Set LC_MESSAGES, not LC_ALL.
In order to do so, default to an empty options list, and expose options whose
default values are sensitive directly as keyword arguments.
* guix/gexp.scm (computed-file): Extract the LOCAL-BUILD? parameter from the
OPTIONS parameter to make it a stand-alone keyword argument. Introduce an
OPTIONS* binding which is obtained by combining the LOCAL-BUILD? keyword and
its value with OPTIONS.
* doc/guix.texi (G-Expressions): Adjust doc.
Suggested-by: Ludovic Courtès <ludo@gnu.org>
* guix/scripts/system.scm (%options): Add `--label'.
(system-derivation-for-action): Take a #:label key to set volume ID.
(perform-action): Take a #:label key.
(%default-options): Add default label value.
(process-action): Pass label value from command-line to perform-action.
* gnu/system/image.scm (image-with-label): New procedure.
Suggested by Robin Green <greenrd@greenrd.org>.
* guix/packages.scm (print-content-hash): Gracefully deal with cases
with 'content-hash-value' returns #f, as is the case for 'linux-libre'.
Fixes <https://bugs.gnu.org/42740>.
* guix/scripts/copy.scm (send-to-remote-host): Keep the result of
'connect-to-remote-daemon' in scope, and explicitly close it after the
call to 'send-files'.
(retrieve-from-remote-host): Explicitly close REMOTE and disconnect
SESSION.
* guix/scripts/offload.scm (transfer-and-offload): Explicitly close
STORE and disconnect SESSION upon completion.
This leads a 4% improvement on the wall-clock time of:
guix build -e '(@@ (gnu packages libreoffice) libreoffice)' --no-grafts -d
* guix/derivations.scm (escaped-string): New procedure.
(write-derivation)[write-escaped-string]: New procedure.
[write-string-list, write-output, write-env-var]: Use it.
This yields a 4% improvement on the wall-clock time of:
guix build -e '(@@ (gnu packages libreoffice) libreoffice)' --no-grafts -d
* guix/derivations.scm (write-sequence, write-list, write-tuple): Use
'put-char' instead of 'display'.
(write-derivation): Use 'put-string' and 'put-char', and remove unused
'format' binding.
The file names returned by `find ...` instead of `git ls-files...` contains
leading './' characters, which can cause problems when the file lists is
further processed with regexps, for example, as was discovered while updating
the ruby-asciidoctor package in commit
5df1126c3a.
* guix/build/ruby-build-system.scm (replace-git-ls-files): Strip the first two
characters ("./") of the file names returned by the 'find' command. Fix typo
in doc. Simplify '(when (not ...' into '(unless ...'.
* guix/scripts/pull.scm (ensure-default-profile): Do not call
'migrate-generations' when
%USER-PROFILE-DIRECTORY (~/.config/guix/current) does not exist. This
avoids a confusing "Migrating profile" message when the user runs 'guix
pull' for the first time.
