09/11: pull: Add '--disable-authentication'.
From: |
guix-commits |
Subject: |
09/11: pull: Add '--disable-authentication'. |
Date: |
Tue, 16 Jun 2020 10:16:12 -0400 (EDT) |
civodul pushed a commit to branch master
in repository guix.
commit a9eeeaa6aeeafb817df3aad22a4b85205ac3ec13
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Mon Jun 8 23:22:17 2020 +0200
pull: Add '--disable-authentication'.
* guix/channels.scm (latest-channel-instance): Add #:authenticate? and
honor it.
(latest-channel-instances): Likewise.
* guix/scripts/pull.scm (%default-options): Add 'authenticate-channels?'.
(show-help, %options): Add '--disable-authentication'.
(guix-pull): Pass #:authenticate? to 'latest-channel-instances'.
* doc/guix.texi (Invoking guix pull): Document it.
---
doc/guix.texi | 14 ++++++++++++++
guix/channels.scm | 25 +++++++++++++++++--------
guix/scripts/pull.scm | 14 ++++++++++++--
3 files changed, 43 insertions(+), 10 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index dd62681..6c59db3 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -3929,6 +3929,20 @@ Make sure you understand its security implications
before using
@option{--allow-downgrades}.
@end quotation
+@item --disable-authentication
+Allow pulling channel code without authenticating it.
+
+@cindex authentication, of channel code
+By default, @command{guix pull} authenticates code downloaded from
+channels by verifying that its commits are signed by authorized
+developers, and raises an error if this is not the case. This option
+instructs it to not perform any such verification.
+
+@quotation Note
+Make sure you understand its security implications before using
+@option{--disable-authentication}.
+@end quotation
+
@item --system=@var{system}
@itemx -s @var{system}
Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
diff --git a/guix/channels.scm b/guix/channels.scm
index a82bd34..5a83d83 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -390,11 +390,12 @@ commits ~a to ~a (~h new commits)...~%")
(define* (latest-channel-instance store channel
#:key (patches %patches)
starting-commit
+ (authenticate? #f)
(validate-pull
ensure-forward-channel-update))
"Return the latest channel instance for CHANNEL. When STARTING-COMMIT is
true, call VALIDATE-PULL with CHANNEL, STARTING-COMMIT, the target commit, and
-their relation."
+their relation. When AUTHENTICATE? is false, CHANNEL is not authenticated."
(define (dot-git? file stat)
(and (string=? (basename file) ".git")
(eq? 'directory (stat:type stat))))
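Review bot: The new `authenticate?` keyword of `latest-channel-instance` defaults to `#f`, while the wrapper `latest-channel-instances` in the hunk at `@@ -463,11 +466,15 @@` defaults the same keyword to `#t`, so any caller that reaches the lower-level procedure directly and omits the keyword silently skips commit authentication (fail-open) even though the higher-level entry point authenticates by default. Unless the lower-level default is deliberate, `(authenticate? #t)` would make the two procedures agree and put the opt-out burden on the caller; if `#f` is intentional, the docstring should say why, e.g. extend it with `Callers that omit AUTHENTICATE? get no authentication; prefer 'latest-channel-instances' for user-facing code.` The docstring could also state that passing `#f` produces the "channel authentication disabled" warning rather than silence, since that is the only trace a disabled check leaves. The body of `latest-channel-instance` continues past this hunk.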
@@ -408,14 +409,16 @@ their relation."
(when relation
(validate-pull channel starting-commit commit relation))
- (if (channel-introduction channel)
- (authenticate-channel channel checkout commit)
- ;; TODO: Warn for all the channels once the authentication interface
- ;; is public.
- (when (guix-channel? channel)
- (warning (G_ "channel '~a' lacks an introduction and \
+ (if authenticate?
+ (if (channel-introduction channel)
+ (authenticate-channel channel checkout commit)
+ ;; TODO: Warn for all the channels once the authentication
interface
+ ;; is public.
+ (when (guix-channel? channel)
+ (warning (G_ "channel '~a' lacks an introduction and \
cannot be authenticated~%")
- (channel-name channel))))
+ (channel-name channel))))
+ (warning (G_ "channel authentication disabled~%")))
(when (guix-channel? channel)
;; Apply the relevant subset of PATCHES directly in CHECKOUT. This is
@@ -463,11 +466,15 @@ allow non-forward updates."))))))))))
(define* (latest-channel-instances store channels
#:key
(current-channels '())
+ (authenticate? #t)
(validate-pull
ensure-forward-channel-update))
"Return a list of channel instances corresponding to the latest checkouts of
CHANNELS and the channels on which they depend.
+When AUTHENTICATE? is true, authenticate the subset of CHANNELS that has a
+\"channel introduction\".
+
CURRENT-CHANNELS is the list of currently used channels. It is compared
against the newly-fetched instances of CHANNELS, and VALIDATE-PULL is called
for each channel update and can choose to emit warnings or raise an error,
@@ -505,6 +512,8 @@ depending on the policy it implements."
(let* ((current (current-commit (channel-name channel)))
(instance
(latest-channel-instance store channel
+ #:authenticate?
+ authenticate?
#:validate-pull
validate-pull
#:starting-commit
diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index d3d0d2b..f953957 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -82,6 +82,7 @@
(graft? . #t)
(debug . 0)
(verbosity . 1)
+ (authenticate-channels? . #t)
(validate-pull . ,ensure-forward-channel-update)))
(define (show-help)
@@ -98,6 +99,9 @@ Download and deploy the latest version of Guix.\n"))
(display (G_ "
--allow-downgrades allow downgrades to earlier channel revisions"))
(display (G_ "
+ --disable-authentication
+ disable channel authentication"))
+ (display (G_ "
-N, --news display news compared to the previous generation"))
(display (G_ "
-l, --list-generations[=PATTERN]
@@ -165,6 +169,9 @@ Download and deploy the latest version of Guix.\n"))
(lambda (opt name arg result)
(alist-cons 'validate-pull warn-about-backward-updates
result)))
+ (option '("disable-authentication") #f #f
+ (lambda (opt name arg result)
+ (alist-cons 'authenticate-channels? #f result)))
(option '(#\p "profile") #t #f
(lambda (opt name arg result)
(alist-cons 'profile (canonicalize-profile arg)
@@ -771,7 +778,8 @@ Use '~/.config/guix/channels.scm' instead."))
(channels (channel-list opts))
(profile (or (assoc-ref opts 'profile) %current-profile))
(current-channels (profile-channels profile))
- (validate-pull (assoc-ref opts 'validate-pull)))
+ (validate-pull (assoc-ref opts 'validate-pull))
+ (authenticate? (assoc-ref opts 'authenticate-channels?)))
(cond ((assoc-ref opts 'query)
(process-query opts profile))
((assoc-ref opts 'generation)
@@ -793,7 +801,9 @@ Use '~/.config/guix/channels.scm' instead."))
#:current-channels
current-channels
#:validate-pull
- validate-pull)))
+ validate-pull
+ #:authenticate?
+ authenticate?)))
(format (current-error-port)
(N_ "Building from this channel:~%"
"Building from these channels:~%"