From unknown Fri Jun 20 07:09:43 2025
From: bug#71071 <71071@debbugs.gnu.org>
To: bug#71071 <71071@debbugs.gnu.org>
Subject: Status: [PATCH] services: nix: Mount Nix store read only.
Reply-To: bug#71071 <71071@debbugs.gnu.org>
Date: Fri, 20 Jun 2025 14:09:43 +0000

retitle 71071 [PATCH] services: nix: Mount Nix store read only.
reassign 71071 guix-patches
submitter 71071 Oleg Pykhalov
severity 71071 normal
tag 71071 patch
thanks

From debbugs-submit-bounces@debbugs.gnu.org Sun May 19 15:27:14 2024
From: Oleg Pykhalov
To: guix-patches@gnu.org
Subject: [PATCH] services: nix: Mount Nix store read only.
Date: Sun, 19 May 2024 22:26:15 +0300
Message-ID: <274716c3156aa3290666ee3d33a2f1101d02d572.1716146775.git.go.wigust@gmail.com>

* gnu/services/nix.scm (nix-shepherd-service): Mount Nix store read only.
(%nix-store-directory, %immutable-nix-store): New variables.
(%nix-store-prefix): New parameter.
(nix-activation): Move /nix/store provision to 'nix-shepherd-service'.

Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49
---
 gnu/services/nix.scm | 47 +++++++++++++++++++++++++++++++++++++-------
 1 file changed, 40 insertions(+), 7 deletions(-)

diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 82853253f6..343b42c13a 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov +;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov ;;; Copyright © 2020 Peng Mei Yu ;;; ;;; This file is part of GNU Guix.
@@ -97,12 +97,9 @@ (define (nix-activation _) #~(begin (use-modules (guix build utils) (srfi srfi-26)) - (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log" + (for-each (cut mkdir-p <>) '("/nix/var/log" "/nix/var/nix/gcroots/per-user" "/nix/var/nix/profiles/per-user")) - (chown "/nix/store" - (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01"))) - (chmod "/nix/store" #o775) (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles" "/nix/var/nix/profiles/per-user")))) @@ -129,6 +126,24 @@ (define nix-service-etc '#$build-sandbox-items)) (for-each (cut display <>) '#$extra-config))))))))))) +(define %nix-store-directory + "/nix/store") + +(define %nix-store-prefix + ;; Absolute path to the Nix store. + (make-parameter %nix-store-directory)) + +(define %immutable-nix-store + ;; Read-only store to avoid users or daemons accidentally modifying it. + ;; 'nix-daemon' has provisions to remount it read-write in its own name + ;; space. + #~(file-system + (device #$(%nix-store-prefix)) + (mount-point #$(%nix-store-prefix)) + (type "none") + (check? #f) + (flags '(read-only bind-mount)))) + (define nix-shepherd-service ;; Return a for Nix. (match-lambda 
@@ -139,8 +154,26 @@ (define nix-shepherd-service (documentation "Run nix-daemon.") (requirement '()) (start #~(make-forkexec-constructor - (list (string-append #$package "/bin/nix-daemon") - #$@extra-options) + (list + #$(program-file + "nix-daemon-wrapper" + (with-imported-modules (source-module-closure '((gnu build file-systems) + (gnu system file-systems))) + #~(begin + (use-modules (gnu build file-systems) + (gnu system file-systems) + (guix build syscalls) + (guix build utils)) + (unless (member #$(%nix-store-prefix) (mount-points)) + (mkdir-p "/nix/store") + (chown "/nix/store" + (passwd:uid (getpw "root")) + (group:gid (getpw "nixbld01"))) + (chmod "/nix/store" #o775) + (mount-file-system #$%immutable-nix-store + #:root "/")) + (execl #$(file-append package "/bin/nix-daemon") + "nix-daemon" #$@extra-options))))) #:environment-variables (list (string-append "TMPDIR=" #$build-directory) "PATH=/run/current-system/profile/bin")))

base-commit: dd03be186adb64bdb77265dfd0ad53fe50ec016e
-- 
2.41.0

From debbugs-submit-bounces@debbugs.gnu.org Wed May 22 11:45:31 2024
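Review bot: in the `nix-activation` hunk, moving the `mkdir-p`/`chown`/`chmod` of /nix/store out of activation means the directory no longer exists until nix-daemon is started for the first time, so anything that looks at /nix/store before that (a user running `nix` while the daemon is stopped, or a service that depends on the path) now finds it missing rather than empty and read-only; that behaviour change belongs in the commit message.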
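Review bot: `(flags '(read-only bind-mount))` in the `%immutable-nix-store` hunk is only effective if the mount helper issues the follow-up `MS_REMOUNT | MS_BIND | MS_RDONLY` call: Linux ignores `MS_RDONLY` on the initial `MS_BIND` mount(2), so a single call leaves the store writable. `%immutable-store` in (gnu system file-systems) uses the same flag combination, so `mount-file-system` must already handle this, but the comment should say the read-only property depends on that remount, so that nobody later replaces the call with a bare `mount` and silently gets a writable store.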
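Review bot: in the `nix-daemon-wrapper` hunk the presence check is keyed on `#$(%nix-store-prefix)` while the three calls it guards hard-code the path (`(mkdir-p "/nix/store")`, `(chown "/nix/store" ...)`, `(chmod "/nix/store" #o775)`); if the prefix is ever changed the check and the directory it protects diverge. Use one value for all four, either `%nix-store-directory` or the parameter, and note that the `(srfi srfi-26)` import kept in `nix-activation` is still needed there for the remaining `cut` calls.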
From: Ludovic Courtès
To: Oleg Pykhalov
Subject: Re: [bug#71071] [PATCH] services: nix: Mount Nix store read only.
In-Reply-To: <274716c3156aa3290666ee3d33a2f1101d02d572.1716146775.git.go.wigust@gmail.com> (Oleg Pykhalov's message of "Sun, 19 May 2024 22:26:15 +0300")
References: <274716c3156aa3290666ee3d33a2f1101d02d572.1716146775.git.go.wigust@gmail.com>
Date: Wed, 22 May 2024 17:45:08 +0200
Message-ID: <87ttipdf5n.fsf@gnu.org>
Cc: 71071@debbugs.gnu.org

Hello,

Oleg Pykhalov skribis:

> * gnu/services/nix.scm (nix-shepherd-service): Mount Nix store read only.
> (%nix-store-directory, %immutable-nix-store): New variables.
> (%nix-store-prefix): New parameter.
> (nix-activation): Move /nix/store provision to 'nix-shepherd-service'.
>
> Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49

That’s a good idea. Some suggestions:

> +(define %nix-store-directory > + "/nix/store") > + > +(define %nix-store-prefix > + ;; Absolute path to the Nix store. > + (make-parameter %nix-store-directory))

I think you can omit this parameter and simply use ‘%nix-store-directory’ because…

> +(define %immutable-nix-store > + ;; Read-only store to avoid users or daemons accidentally modifying it. > + ;; 'nix-daemon' has provisions to remount it read-write in its own name > + ;; space. > + #~(file-system > + (device #$(%nix-store-prefix)) > + (mount-point #$(%nix-store-prefix))

… the parameter is used at the top-level anyway, so changing its value won’t have any effect.
> (start #~(make-forkexec-constructor > - (list (string-append #$package "/bin/nix-daemon") > - #$@extra-options) > + (list > + #$(program-file > + "nix-daemon-wrapper" > + (with-imported-modules (source-module-closure '((gnu build file-systems) > + (gnu system file-systems))) > + #~(begin > + (use-modules (gnu build file-systems) > + (gnu system file-systems) > + (guix build syscalls) > + (guix build utils)) > + (unless (member #$(%nix-store-prefix) (mount-points)) > + (mkdir-p "/nix/store") > + (chown "/nix/store" > + (passwd:uid (getpw "root")) > + (group:gid (getpw "nixbld01"))) > + (chmod "/nix/store" #o775) > + (mount-file-system #$%immutable-nix-store > + #:root "/")) > + (execl #$(file-append package "/bin/nix-daemon") > + "nix-daemon" #$@extra-options))))) > #:environment-variables > (list (string-append "TMPDIR=" #$build-directory) > "PATH=/run/current-system/profile/bin")))

Instead of having this wrapper, what about extending ‘file-system-service-type’ with a read-only bind-mount similar to ‘%immutable-store’? The Shepherd service that spawns nix-daemon would depend on that file system:

  (requirement '(user-processes file-system-/nix/store))

Thanks,
Ludo’.
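The read-only bind mount this thread converges on (a `file-system` with `(flags '(read-only bind-mount))`, mirroring `%immutable-store`) is only as good as the mount that actually lands: on Linux a bind mount made in a single mount(2) call ignores `MS_RDONLY`, and it is the follow-up remount that makes it read-only, so a deployment check should look at the per-mount options of the mount point, not merely at whether the mount exists or at the super-block options, which describe the underlying file system and can read `rw` while the bind mount is read-only (and vice versa). The POSIX shell snippet below is an added example and is not part of the patch or of Guix: it parses `/proc/self/mountinfo`, where the constructed `SAMPLE_MOUNTINFO` lines stand in for a real host, and reports for a given mount point whether it is absent, read-write, read-only, and whether it is a bind of a subdirectory. The script name `check-store-mount.sh` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the Guix patch or the Guix code base.
# Classify a mount point from /proc/self/mountinfo. Field 6 holds the
# per-mount options, which is where a read-only bind mount shows "ro";
# the super-block options after the "-" separator belong to the whole
# file system and are not what the bind mount enforces.

# Constructed sample in /proc/self/mountinfo format (not captured from a
# real host). /nix/store is a correct read-only bind; /mnt/nix-rw is a
# bind that was never remounted read-only and so stays writable.
SAMPLE_MOUNTINFO='21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 21 8:1 /nix/store /nix/store ro,relatime shared:2 - ext4 /dev/sda1 rw
46 21 8:1 /gnu/store /gnu/store ro,relatime shared:3 - ext4 /dev/sda1 rw
47 21 0:24 / /tmp rw,nosuid shared:4 - tmpfs tmpfs rw
48 21 8:1 /nix/store /mnt/nix-rw rw,relatime shared:5 - ext4 /dev/sda1 rw'

# mount_state MOUNTPOINT [MOUNTINFO_TEXT]
# Prints one of: ro-bind, rw-bind, ro, rw, absent.
# Without a second argument the live /proc/self/mountinfo is read.
# Mount points with spaces appear escaped (\040) in mountinfo; pass them
# in that escaped form.  The last matching line wins, since a later mount
# on the same path shadows earlier ones.
mount_state() {
    mp=$1
    info=${2:-"$(cat /proc/self/mountinfo)"}
    printf '%s\n' "$info" | awk -v mp="$mp" '
        $5 == mp {
            # Field 4 is the root of this mount inside its file system; a
            # bind of a subdirectory has a root other than "/".
            bind = ($4 != "/") ? "bind" : ""
            split($6, opts, ",")
            ro = "rw"
            for (i in opts) if (opts[i] == "ro") ro = "ro"
            state = (bind == "") ? ro : (ro "-" bind)
        }
        END { if (state == "") state = "absent"; print state }'
}

# store_is_immutable MOUNTPOINT [MOUNTINFO_TEXT]
# Succeeds only when the mount point exists and is read-only at the
# per-mount level, i.e. the remount that Linux needs actually happened.
store_is_immutable() {
    case "$(mount_state "$@")" in
        ro|ro-bind) return 0 ;;
        *) return 1 ;;
    esac
}

# When run directly as check-store-mount.sh, report on the live system.
if [ "${0##*/}" = "check-store-mount.sh" ]; then
    for d in /nix/store /gnu/store; do
        printf '%s: %s\n' "$d" "$(mount_state "$d")"
    done
fi
```

On a Guix System with this patch applied, `mount_state /nix/store` should print `ro-bind`; `rw-bind` is the signature of a bind mount whose read-only remount did not happen, and `absent` means the `file-system-/nix/store` service never started.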
From debbugs-submit-bounces@debbugs.gnu.org Thu May 23 00:40:23 2024
From: Oleg Pykhalov
To: 71071@debbugs.gnu.org
Subject: [PATCH] services: nix: Mount Nix store read only.
Date: Thu, 23 May 2024 07:38:23 +0300
Message-ID: <13d78de1d27742605cf51fc0ed91b832cb5027c9.1716439103.git.go.wigust@gmail.com>
In-Reply-To: <87ttipdf5n.fsf@gnu.org>
References: <87ttipdf5n.fsf@gnu.org>

* gnu/services/nix.scm (nix-shepherd-service): Add requirements.
(%nix-store-directory): New variable.
(nix-service-type): Add file-system-service-type extension.

Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4
---
 gnu/services/nix.scm | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 82853253f6..419e5968fe 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov +;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov ;;; Copyright © 2020 Peng Mei Yu ;;; ;;; This file is part of GNU Guix. @@ -26,6 +26,7 @@ (define-module (gnu services nix) #:use-module (gnu services shepherd) #:use-module (gnu services web) #:use-module (gnu services) + #:use-module (gnu system file-systems) #:use-module (gnu system shadow) #:use-module (guix gexp) #:use-module (guix packages) @@ -129,6 +130,20 @@ (define nix-service-etc '#$build-sandbox-items)) (for-each (cut display <>) '#$extra-config))))))))))) +(define %nix-store-directory + "/nix/store") + +(define %immutable-nix-store + ;; Read-only store to avoid users or daemons accidentally modifying it. + ;; 'nix-daemon' has provisions to remount it read-write in its own name + ;; space. + (list (file-system + (device %nix-store-directory) + (mount-point %nix-store-directory) + (type "none") + (check? #f) + (flags '(read-only bind-mount))))) + (define nix-shepherd-service ;; Return a for Nix. (match-lambda @@ -137,7 +152,7 @@ (define nix-shepherd-service (shepherd-service (provision '(nix-daemon)) (documentation "Run nix-daemon.") - (requirement '()) + (requirement '(user-processes file-system-/nix/store)) (start #~(make-forkexec-constructor (list (string-append #$package "/bin/nix-daemon") #$@extra-options) 
@@ -156,7 +171,9 @@ (define nix-service-type (service-extension activation-service-type nix-activation) (service-extension etc-service-type nix-service-etc) (service-extension profile-service-type - (compose list nix-configuration-package)))) + (compose list nix-configuration-package)) + (service-extension file-system-service-type + (const %immutable-nix-store)))) (description "Run the Nix daemon.") (default-value (nix-configuration))))

base-commit: dd03be186adb64bdb77265dfd0ad53fe50ec016e
-- 
2.41.0

From debbugs-submit-bounces@debbugs.gnu.org Sun May 26 21:33:38 2024
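Review bot: `%immutable-nix-store` in the hunk after `nix-service-etc` is bound to a one-element list, while its name (and `%immutable-store`, which it mirrors) suggests a single `file-system` record; either keep it a single record and pass `(const (list %immutable-nix-store))` to the `file-system-service-type` extension, or rename it so the list type is visible at the use site.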
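Review bot: `(requirement '(user-processes file-system-/nix/store))` in the `nix-shepherd-service` hunk gives the right ordering, but the commit message does not say that `nix-activation` still creates and chowns /nix/store (the v1 hunk that removed that is gone in this revision), and that is what guarantees the directory exists before `file-system-/nix/store` attempts the bind mount; one sentence stating that dependency would make it explicit for the next reader.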
From: Maxim Cournoyer
To: Oleg Pykhalov
Subject: Re: [bug#71071] [PATCH] services: nix: Mount Nix store read only.
In-Reply-To: <13d78de1d27742605cf51fc0ed91b832cb5027c9.1716439103.git.go.wigust@gmail.com> (Oleg Pykhalov's message of "Thu, 23 May 2024 07:38:23 +0300")
References: <87ttipdf5n.fsf@gnu.org> <13d78de1d27742605cf51fc0ed91b832cb5027c9.1716439103.git.go.wigust@gmail.com>
Date: Sun, 26 May 2024 21:32:18 -0400
Message-ID: <87jzjgghul.fsf@gmail.com>
Cc: Ludovic Courtès, 71071@debbugs.gnu.org

Hi Oleg,

Oleg Pykhalov writes:

> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
> (%nix-store-directory): New variable.
> (nix-service-type): Add file-system-service-type extension.
>
> Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4

Nitpick: The Change-Id value shouldn't change between revisions of a change (so it should be the same as in v1, which was I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49).

> ---
> gnu/services/nix.scm | 23 ++++++++++++++++++++---
> 1 file changed, 20 insertions(+), 3 deletions(-)
>
> diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
> index 82853253f6..419e5968fe 100644
> --- a/gnu/services/nix.scm
> +++ b/gnu/services/nix.scm
> @@ -1,5 +1,5 @@ > ;;; GNU Guix --- Functional package management for GNU > -;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov > +;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov > ;;; Copyright © 2020 Peng Mei Yu > ;;; > ;;; This file is part of GNU Guix.
> @@ -26,6 +26,7 @@ (define-module (gnu services nix) > #:use-module (gnu services shepherd) > #:use-module (gnu services web) > #:use-module (gnu services) > + #:use-module (gnu system file-systems) > #:use-module (gnu system shadow) > #:use-module (guix gexp) > #:use-module (guix packages) > @@ -129,6 +130,20 @@ (define nix-service-etc > '#$build-sandbox-items)) > (for-each (cut display <>) '#$extra-config))))))))))) > > +(define %nix-store-directory > + "/nix/store") > + > +(define %immutable-nix-store > + ;; Read-only store to avoid users or daemons accidentally modifying it. > + ;; 'nix-daemon' has provisions to remount it read-write in its own name > + ;; space. > + (list (file-system > + (device %nix-store-directory) > + (mount-point %nix-store-directory) > + (type "none") > + (check? #f) > + (flags '(read-only bind-mount))))) > + > (define nix-shepherd-service > ;; Return a for Nix. > (match-lambda > @@ -137,7 +152,7 @@ (define nix-shepherd-service > (shepherd-service > (provision '(nix-daemon)) > (documentation "Run nix-daemon.") > - (requirement '()) > + (requirement '(user-processes file-system-/nix/store)) > (start #~(make-forkexec-constructor > (list (string-append #$package "/bin/nix-daemon") > #$@extra-options)
> @@ -156,7 +171,9 @@ (define nix-service-type > (service-extension activation-service-type nix-activation) > (service-extension etc-service-type nix-service-etc) > (service-extension profile-service-type > - (compose list nix-configuration-package)))) > + (compose list nix-configuration-package)) > + (service-extension file-system-service-type > + (const %immutable-nix-store)))) > (description "Run the Nix daemon.") > (default-value (nix-configuration))))

This LGTM, thanks to Ludo for suggesting this nice improvement in v2.

-- 
Thanks,
Maxim

From debbugs-submit-bounces@debbugs.gnu.org Tue May 28 23:33:58 2024
From: Oleg Pykhalov
To: 71071-done@debbugs.gnu.org
Subject: Re: [bug#71071] [PATCH] services: nix: Mount Nix store read only.
In-Reply-To: <87jzjgghul.fsf@gmail.com> (Maxim Cournoyer's message of "Sun, 26 May 2024 21:32:18 -0400")
References: <87ttipdf5n.fsf@gnu.org> <13d78de1d27742605cf51fc0ed91b832cb5027c9.1716439103.git.go.wigust@gmail.com> <87jzjgghul.fsf@gmail.com>
Date: Wed, 29 May 2024 06:32:37 +0300
Message-ID: <87ed9l1eei.fsf@gmail.com>
Cc: Ludovic Courtès, Maxim Cournoyer

Hello Maxim and Ludovic.

Maxim Cournoyer writes:

>> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
>> (%nix-store-directory): New variable.
>> (nix-service-type): Add file-system-service-type extension.
>>
>> Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4
>
> Nitpick: The Change-Id value shouldn't change between revisions of a
> change (so it should be the same as in v1, which was
> I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49).

Oh, I wasn't aware of that. Thanks for pointing it out. I've updated the Change-Id and pushed the commit as 797be0ea5c3703ad96acd32c98dca5f946cf5c95.

[…]

> This LGTM, thanks to Ludo for suggesting this nice improvement in v2.

Yes, thanks for the suggestions. All of them have been implemented.

Regards,
Oleg.
From unknown Fri Jun 20 07:09:43 2025
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Date: Wed, 26 Jun 2024 11:24:12 +0000

bug archived.
thanks