Support for signed substitutes pushed

From: Ludovic Courtès
Subject: Support for signed substitutes pushed
Date: Sun, 30 Mar 2014 23:54:10 +0200
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)

I just pushed support for signed substitutes (which is
wip-signed-archives plus many tests, documentation, and some
improvements) in ‘master’.

From now on, ‘guix substitute-binary’ automatically authenticates
substitutes, and ignores those not signed by an authorized public key.
By default, no key is authorized.

On my machine, ‘guix build emacs -n’ with 40 substitutes needed takes
~4.8 seconds instead of ~3.5 seconds before (wall clock.) There’s
probably room for improvement, but there’s also the fact that it has to
check all these signatures.

Please run ‘make check’, try it, and report any problems. Note that
commit bf59c06 adds the public key used to sign substitutes from
hydra.gnu.org. This commit is GPG-signed by me, like this message.
It’s a 4096-bit RSA key (RSA, not Curve25519, so that users of
libgcrypt < 1.6 can use it too):

(public-key
(rsa
(n
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
(e #010001#)
)
)

I would very much welcome review and feedback. The documentation
(appended below) and tests provide a good starting point.

Thanks again to Nikita for all the good work!

Ludo’.

3.3 Substitutes
===============

Guix supports transparent source/binary deployment, which means that it
can either build things locally, or download pre-built items from a
server. We call these pre-built items "substitutes"—they are
substitutes for local build results. In many cases, downloading a
substitute is much faster than building things locally.

Substitutes can be anything resulting from a derivation build (*note
Derivations::). Of course, in the common case, they are pre-built
package binaries, but source tarballs, for instance, which also result
from derivation builds, can be available as substitutes.

The ‘hydra.gnu.org’ server is a front-end to a build farm that builds
packages from the GNU distribution continuously for some architectures,
and makes them available as substitutes.

To allow Guix to download substitutes from ‘hydra.gnu.org’, you must
add its public key to the access control list (ACL) of archive imports,
using the ‘guix archive’ command (*note Invoking guix archive::). Doing
so implies that you trust ‘hydra.gnu.org’ to not be compromised and to
serve genuine substitutes.

This public key is installed along with Guix, in
‘PREFIX/share/guix/hydra.gnu.org.pub’, where PREFIX is the installation
prefix of Guix. If you installed Guix from source, make sure you
checked the GPG signature of ‘guix-0.6.tar.gz’, which contains this
public key file. Then, you can run something like this:

     # guix archive --authorize < hydra.gnu.org.pub

Once this is in place, the output of a command like ‘guix build’
should change from something like:

     $ guix build emacs --dry-run
     The following derivations would be built:
        /gnu/store/yr7bnx8xwcayd6j95r2clmkdl1qh688w-emacs-24.3.drv
        /gnu/store/x8qsh1hlhgjx6cwsjyvybnfv2i37z23w-dbus-1.6.4.tar.gz.drv
        /gnu/store/1ixwp12fl950d15h2cj11c73733jay0z-alsa-lib-1.0.27.1.tar.bz2.drv
        /gnu/store/nlma1pw0p603fpfiqy7kn4zm105r5dmw-util-linux-2.21.drv
     …

to something like:

     $ guix build emacs --dry-run
     The following files would be downloaded:
        /gnu/store/pk3n22lbq6ydamyymqkkz7i69wiwjiwi-emacs-24.3
        /gnu/store/2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d
        /gnu/store/71yz6lgx4dazma9dwn2mcjxaah9w77jq-cairo-1.12.16
        /gnu/store/7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7
     …

This indicates that substitutes from ‘hydra.gnu.org’ are usable and will
be downloaded, when possible, for future builds.

Guix ignores substitutes that are not signed, or that are not signed
by one of the keys listed in the ACL. It also detects and raises an error
when attempting to use a substitute that has been tampered with.

The substitute mechanism can be disabled globally by running
‘guix-daemon’ with ‘--no-substitutes’ (*note Invoking guix-daemon::).
It can also be disabled temporarily by passing the ‘--no-substitutes’
option to ‘guix package’, ‘guix build’, and other command-line tools.

Today, each individual’s control over their own computing is at the
mercy of institutions, corporations, and groups with enough power and
determination to subvert the computing infrastructure and exploit its
weaknesses. While using ‘hydra.gnu.org’ substitutes can be convenient,
we encourage users to also build on their own, or even run their own
build farm, such that ‘hydra.gnu.org’ is less of an interesting target.

Guix has the foundations to maximize build reproducibility (*note
Features::). In most cases, independent builds of a given package or
derivation should yield bit-identical results. Thus, through a diverse
set of independent package builds, we can strengthen the integrity of
our systems.

In the future, we want Guix to have support to publish and retrieve
binaries to/from other users, in a peer-to-peer fashion. If you would
like to discuss this project, join us on <address@hidden>.
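
The acceptance policy described in the message and in the manual excerpt above (no key authorized by default, unsigned or unauthorized substitutes ignored, tampering reported as an error), modelled as an added Python example that is not Guix code and not part of the original message. The metadata format, the tiny textbook-RSA keys and all function names are assumptions made for illustration, and treating a bad signature from an authorized key as tampering is a choice of this model.

```python
import hashlib

def toy_key(p, q, e=65537):
    # Textbook RSA key pair from two primes: constructed, for illustration only.
    n = p * q
    return (n, e), pow(e, -1, (p - 1) * (q - 1))
def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def publish(path, payload, pub, priv):
    # What a server would offer: signed metadata plus payload (format is assumed).
    meta = path + b" sha256=" + hashlib.sha256(payload).hexdigest().encode()
    sig = pow(digest(meta, pub[0]), priv, pub[0])
    return {"meta": meta, "sig": sig, "signer": pub, "payload": payload}

class TamperedSubstitute(Exception):
    """Signed by an authorized key, but metadata or payload was altered."""

def check_substitute(sub, acl):
    if sub["sig"] is None or sub["signer"] not in acl:
        return "ignore"  # unsigned or key not in the ACL: build locally instead
    n, e = sub["signer"]
    if pow(sub["sig"], e, n) != digest(sub["meta"], n):
        raise TamperedSubstitute("metadata does not match its signature")
    claimed = sub["meta"].rsplit(b"sha256=", 1)[1].decode()
    if hashlib.sha256(sub["payload"]).hexdigest() != claimed:
        raise TamperedSubstitute("payload does not match the signed hash")
    return "download"

def outcome(sub, acl):
    try:
        return check_substitute(sub, acl)
    except TamperedSubstitute as err:
        return f"error: {err}"

FARM_PUB, FARM_PRIV = toy_key(2**127 - 1, 2**89 - 1)    # stands in for the build farm
OTHER_PUB, OTHER_PRIV = toy_key(2**107 - 1, 2**61 - 1)  # never added to the ACL
PATH = b"/gnu/store/pk3n22lbq6ydamyymqkkz7i69wiwjiwi-emacs-24.3"

def demo():
    good, acl = publish(PATH, b"emacs build", FARM_PUB, FARM_PRIV), {FARM_PUB}
    return {
        "empty ACL": outcome(good, set()),
        "authorized": outcome(good, acl),
        "unsigned": outcome(dict(good, sig=None), acl),
        "other key": outcome(publish(PATH, b"emacs build", OTHER_PUB, OTHER_PRIV), acl),
        "payload swapped": outcome(dict(good, payload=b"altered"), acl),
        "metadata edited": outcome(dict(good, meta=good["meta"] + b"0"), acl),
    }
print(demo())
```

The "empty ACL" case is the default state the message describes: a correctly signed substitute is still ignored until its key has been authorized.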