GNU bug report logs - #70243
The substitute authorization warning is displayed when it shouldn't be

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 6 Apr 2024 16:51:02 UTC

Severity: normal

To reply to this bug, email your comments to 70243 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#70243; Package guix. (Sat, 06 Apr 2024 16:51:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 06 Apr 2024 16:51:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: The substitute authorization warning is displayed when it shouldn't be
Date: Sat, 6 Apr 2024 12:49:46 -0400

I just saw this on Debian:

------
$ guix shell -D guix -- ./pre-inst-env guix weather linux-libre
computing 1 package derivations for x86_64-linux...
looking for 1 store items on https://ci.guix.gnu.org...
guix weather: warning: substitutes from 'https://ci.guix.gnu.org' are unauthorized
hint: To authorize all substitutes from `https://ci.guix.gnu.org' to be downloaded, the following command needs to be run as root:
[...]
------

But, I do have the given key in my '/etc/guix/acl', and this works:

------
guix shell -D guix -- ./pre-inst-env guix build linux-libre       
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
114.0 MB will be downloaded:
  /gnu/store/547y21y3w9nj29w9n73gp2arjxgmvvl6-linux-libre-6.8.2
substituting /gnu/store/547y21y3w9nj29w9n73gp2arjxgmvvl6-linux-libre-6.8.2...
[...]
------

So, the warning is mistaken.

For your reference:

------
guix shell -D guix -- ./pre-inst-env guix describe         
Git checkout:                                                  
  repository: /home/leo/work/guix/
  branch: master
  commit: 50a72a08af37557575199b56bbee9f334d58575a
------

Let me know if there is any other information I can provide.
Information forwarded to bug-guix <at> gnu.org:
bug#70243; Package guix. (Sat, 25 May 2024 09:33:02 GMT) Full text and rfc822 format available.

Message #8 received at 70243 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 70243 <at> debbugs.gnu.org
Subject: Re: bug#70243: The substitute authorization warning is displayed
 when it shouldn't be
Date: Sat, 25 May 2024 11:31:56 +0200

Hi Leo,

Leo Famulari <leo <at> famulari.name> skribis:

> I just saw this on Debian:
>
> ------
> $ guix shell -D guix -- ./pre-inst-env guix weather linux-libre
> computing 1 package derivations for x86_64-linux...
> looking for 1 store items on https://ci.guix.gnu.org...
> guix weather: warning: substitutes from 'https://ci.guix.gnu.org' are unauthorized
> hint: To authorize all substitutes from `https://ci.guix.gnu.org' to be downloaded, the following command needs to be run as root:
> [...]
> ------
>
> But, I do have the given key in my '/etc/guix/acl', and this works:

Are /etc/guix/acl and /etc/guix world-readable?

‘check-narinfo-authorization’ in (guix scripts weather) is supposed to
properly handle this case, but I think that fails if /etc/guix is not
accessible.

Thanks,
Ludo’.
Information forwarded to bug-guix <at> gnu.org:
bug#70243; Package guix. (Wed, 05 Jun 2024 17:11:03 GMT) Full text and rfc822 format available.

Message #11 received at 70243 <at> debbugs.gnu.org (full text, mbox):

From: Simon Tournier <zimon.toutoune <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>, Leo Famulari
 <leo <at> famulari.name>
Cc: 70243 <at> debbugs.gnu.org
Subject: Re: bug#70243: The substitute authorization warning is displayed
 when it shouldn't be
Date: Wed, 05 Jun 2024 19:06:05 +0200

[Message part 1 (text/plain, inline)]
Hi,

On Sat, 25 May 2024 at 11:31, Ludovic Courtès <ludo <at> gnu.org> wrote:

>> But, I do have the given key in my '/etc/guix/acl', and this works:
>
> Are /etc/guix/acl and /etc/guix world-readable?

I had been bitten by this recently.  And I have not found any mention
about that in the manual.  Maybe it could helpful to add:


[p.patch (text/x-diff, inline)]
diff --git a/doc/guix.texi b/doc/guix.texi
index 5e1173b8c6..3b97674733 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -3792,7 +3792,8 @@ Getting Substitutes from Other Servers
 @end example
 
 Again this assumes @file{key.pub} contains the public key that
-@code{guix.example.org} uses to sign substitutes.
+@code{guix.example.org} uses to sign substitutes.  Make sure
+@file{/etc/guix/acl} is world-readable.
 @end enumerate
 
 Now you're all set!  Substitutes will be preferably taken from

[Message part 3 (text/plain, inline)]

In addition, I had to be read a comment in source code to know what
another issue was: the daemon’s too old.  Hence, I would suggest:


[pp.patch (text/x-diff, inline)]
diff --git a/guix/scripts/weather.scm b/guix/scripts/weather.scm
index 08a1b22a74..98a09f9e9a 100644
--- a/guix/scripts/weather.scm
+++ b/guix/scripts/weather.scm
@@ -643,7 +643,7 @@ (define-command (guix-weather . args)
                              ;; substitute URLs, presumably because it's too
                              ;; old.
                              (warning (G_ "using default \
-substitute URLs~%"))
+substitute URLs; maybe the daemon's too old~%"))
                              %default-substitute-urls)))
              (systems  (match (filter-map (match-lambda
                                             (('system . system) system)

[Message part 5 (text/plain, inline)]
Both would ease the debugging session of substitute authorization, IMHO.

Cheers,
simon
This bug report was last modified 1 year and 6 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.