Re: [PATCH 2/2] scripts: Add 'publish' command.

[Ludovic Courtès]

David Thompson <address@hidden> skribis:

> From a40d47dc64571aade0c92b4bdf3c56f6870842cc Mon Sep 17 00:00:00 2001
> From: David Thompson <address@hidden>
> Date: Tue, 17 Mar 2015 10:21:31 -0400
> Subject: [PATCH 2/2] scripts: Add 'publish' command.
>
> * guix/scripts/publish.scm: New file.
> * po/guix/POTFILES.in: Add it.
> * tests/publish.scm: New file.
> * Makefile.am (MODULES): Add script module.
>   (SCM_TESTS): Add test module.
> * doc/guix.texi ("Invoking guix publish"): New node.

[...]

> address@hidden Invoking guix publish
> address@hidden Invoking @command{guix publish}
> +
> +The purpose of @command{guix publish} is to enable users to easily share
> +their store with others.  When @command{guix publish} runs, it spawns an
> +HTTP server which allows anyone with network access to obtain
> +substitutes from it.  This means that any machine running Guix can also
> +act as if it were a build farm, since the HTTP interface is
> +Hydra-compatible.  For security, each substitute is signed with the
> +system's signing key (@pxref{Invoking guix archive}).

I would skip a line after “Hydra-compatible,” and make it like:

  For security, each substitute is signed, allowing recipients to check
  their authenticity and integrity (@pxref{Substitutes}).  Because
  @command{guix publish} uses the system's signing key, which is only
  readable by the system administrator, it must run as root.

> address@hidden publish} is a tool for system administrators, so only the
> +root user may invoke it.

... so this sentence can be removed.

Note for later: it should drop privileges once the key has been read and
the port open.

> +Once a publishing server has been authorized (@pxref{Invoking guix archive}),
> +the Guix daemon may use it to download substitutes:

“the daemon may download substitutes from it:”

> +(define (read-file-sexp file)
> +  (call-with-input-file file
> +    (compose string->canonical-sexp
> +             get-string-all)))
> +
> +(define %private-key
> +  (read-file-sexp %private-key-file))
> +
> +(define %public-key
> +  (read-file-sexp %public-key-file))

Since this can throw, it should not be done at the top-level.  So it
should be wrapped it in ‘delay’ or in a thunk.

> +(define (narinfo-string store-path path-info key)

Docstring please.  :-)

> +(define (render-nar request store-item)
> +  "Render archive of the store path corresponding to STORE-ITEM."
> +  (let ((store-path (string-append %store-directory "/" store-item)))
> +    ;; The ISO-8859-1 charset *must* be used otherwise HTTP clients will
> +    ;; interpret the byte stream as UTF-8 and arbitrarily change invalid byte
> +    ;; sequences.
> +    (if (file-exists? store-path)
> +        (values '((content-type . (application/x-nix-archive
> +                                   (charset . "ISO-8859-1"))))
> +                (lambda (port)
> +                  (write-file store-path port)))
> +        (not-found request))))

This is OK for now, but I just realized that this will be blocking the
server for the duration of the whole transfer.  Someone could DoS you by
substituting TeX Live.  ;-)

We’ll need a solution but it seems that it’ll be hard to avoid threads.

Thoughts?

> +(define (guix-publish . args)
> +  (with-error-handling
> +    (let* ((opts (parse-command-line args %options (list %default-options)))

I had overlooked it but it should use plain ‘args-fold*’ instead of
‘parse-command-line’ (the latter handles $GUIX_BUILD_OPTIONS and ‘guix
publish’ doesn’t build anything.)

> +           (store (open-connection)))

Use (with-store store body ...) instead.

OK to push with these changes.

Thanks!

Ludo’.