[bug#77288,6/6] DRAFT news: Add entry about unprivileged guix-daemon on Guix System.
| Message ID | 2f0e31d6674693e0b785724283cd494dd11fa0f9.1743007256.git.ludo@gnu.org |
|---|---|
| State | New |
| Series | Rootless guix-daemon on Guix System |
Commit Message
Ludovic Courtès
March 26, 2025, 4:51 p.m. UTC
DRAFT: Temporary commit.

* etc/news.scm: Add it.

Change-Id: I28eae7f7b4305225b13281b99458cbedda3c3b94
---
 etc/news.scm | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
Comments
Rootless daemon is an important change, though I have not tested yet...

Ludovic Courtès <ludo@gnu.org> writes:

> +Eventually running @command{guix-daemon} without root privileges may become
> +the default.")))
> +

I dislike the word “may” in this last sentence. How about “likely will” or some such thing, even if we have not reviewed bugfreeness of Linux here?

Can you tell foreign distro users about their rootless options in the news, too?

Could you add this German translation?

    (entry (commit "XXX")
           (title
            (en "Guix System can run @command{guix-daemon} without root
    privileges")
            (de "Guix System kann @command{guix-daemon} ohne root-Berechtigungen
    ausführen"))
           (body
            (en "On Guix System, @code{guix-service-type} can now be configured
    to run the build daemon, @command{guix-daemon}, without root privileges.  In
    that configuration, the daemon runs with the authority of the
    @code{guix-daemon} user, which we think can reduce the impact of some classes
    of vulnerabilities that could affect it.

    For now, this is opt-in: you have to change @code{guix-configuration} to set
    the @code{privileged?} field to @code{#f}.  When you do this, all the files in
    @file{/gnu/store}, @file{/var/guix}, etc. will have their ownership changed to
    the @code{guix-daemon} user (instead of @code{root}); this can take a while,
    especially if the store is big.  To learn more about it, run:

    @example
    info guix --index-search=guix-service-type
    @end example

    Eventually running @command{guix-daemon} without root privileges may become
    the default.")
            (de "Auf Guix System kann @code{guix-service-type} jetzt so konfiguriert
    werden, dass der Erstellungs-Daemon @command{guix-daemon} ohne
    root-Berechtigungen ausgeführt wird.  In dieser Konfiguration läuft der Daemon
    mit den Berechtigungen des Benutzers @code{guix-daemon}, wovon wir glauben,
    dass es die Auswirkungen mancher Schwachstellen-Kategorien verringert, die ihn
    betreffen könnten.

    Fürs Erste bleibt es Ihnen überlassen: Sie müssen @code{guix-configuration}
    anpassen und dort das Feld @code{privileged?} auf @code{#f} setzen.  Wenn Sie
    das tun, wird der Besitzer aller Dateien in @file{/gnu/store},
    @file{/var/guix}, usw.@: auf den Benutzer @code{guix-daemon} geändert
    (anstelle von @code{root}); das kann eine Weile dauern, besonders wenn der
    Store groß ist.  Um mehr zu erfahren, führen Sie aus:

    @example
    info guix --index-search=guix-service-type
    @end example

    Schließlich wird das Ausführen von @command{guix-daemon} ohne
    root-Berechtigungen vielleicht die Vorgabe werden.")))

Regards,
Florian
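For readers who want to see what the opt-in described in the news entry looks like in an actual system declaration, here is an added example (not code from this patch series or from Guix itself). It assumes the `privileged?` field of `guix-configuration` exists as the entry describes, and that everything else in the configuration is inherited from the stock `%base-services` instance of `guix-service-type`.

```scheme
;; Added example, not part of the patch: a service list for a Guix System
;; operating-system declaration that runs guix-daemon as the unprivileged
;; `guix-daemon' user.  Assumes the `privileged?' field described in the
;; news entry is present in <guix-configuration>.
(use-modules (gnu))
(use-service-modules base)

(define %unprivileged-daemon-services
  ;; Keep every other setting of the stock guix-service-type instance
  ;; (substitute URLs, authorized keys, build accounts, ...) and flip only
  ;; the privilege field, so the change is easy to audit in a diff of the
  ;; configuration.
  (modify-services %base-services
    (guix-service-type
     config => (guix-configuration
                (inherit config)
                ;; #f: daemon runs with the authority of the `guix-daemon'
                ;; user instead of root.  The first `guix system reconfigure'
                ;; after this change performs the one-time ownership change
                ;; of /gnu/store and /var/guix that the news entry warns
                ;; may take a while on a large store.
                (privileged? #f)))))

;; Use it as the `services' field of your operating-system, e.g.:
;;
;;   (operating-system
;;     ;; host-name, bootloader, file-systems, ... as before
;;     (services %unprivileged-daemon-services))
```

Leaving `privileged?` at its default (or setting it back to `#t`) keeps the current root-owned layout; the entry only documents the root-to-`guix-daemon` direction, so check the linked manual section before toggling on a production machine.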
Hi Florian,

"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:

> Rootless daemon is an important change, though I have not tested yet...
>
> Ludovic Courtès <ludo@gnu.org> writes:
>> +Eventually running @command{guix-daemon} without root privileges may become
>> +the default.")))
>> +
>
> I dislike the word “may” in this last sentence. How about “likely
> will” or some such thing, even if we have not reviewed bugfreeness of
> Linux here?

Sure; I view “may” and “likely will” as synonymous, but maybe there are subtleties that escape me.

> Can you tell foreign distro users about their rootless options in the
> news, too?

This news item is specifically about Guix System (announced upfront), but I guess we can add a sentence toward the end. (Thing is, the situation will be simpler on foreign distros: we won’t support switching between privileged and unprivileged, so either you get one or the other.)

Thanks for the comments and for the translation!

Ludo’.
Hi Ludo.

Ludovic Courtès <ludo@gnu.org> writes:

> "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
>> Ludovic Courtès <ludo@gnu.org> writes:
>>> +Eventually running @command{guix-daemon} without root privileges may become
>>> +the default.")))
>>> +
>>
>> I dislike the word “may” in this last sentence. How about “likely
>> will” or some such thing, even if we have not reviewed bugfreeness of
>> Linux here?
>
> Sure; I view “may” and “likely will” as synonymous, but maybe there are
> subtleties that escape me.
>

I had understood “likely” to be “probably”. With more thinking and Wiktionary reading, “likely” can also mean “plausibly”, though not in this context, I think.

The word “may” you had used means “possibly”, which sounds indecisive/uncommitted, and if even Guix does not know yet if rootless is a good idea, how should a news-reading user know? I thought you wrote it for this purpose, because distros had been wary of USERNS some time ago, or something. This is why I translated to German as „vielleicht” (maybe).

Apparently some people want to banish the word “may” for its supposed ambiguity; it can mean “possibly” and “have permission to”, according to Wiktionary. This subtlety is news to me; I think context makes clear what “may” means. But perhaps it really is better to use unambiguous adverbs, adjectives like “probably”.

In case you write this “probably” or “likely”, I would translate in German as „wahrscheinlich” (probably).

>> Can you tell foreign distro users about their rootless options in the
>> news, too?
>
> This news item is specifically about Guix System (announced upfront),
> but I guess we can add a sentence toward the end. (Thing is, the
> situation will be simpler on foreign distros: we won’t support switching
> between privileged and unprivileged, so either you get one or the
> other.)
>

Yes, please! That sentence in parentheses explains the situation, but needs rewording for etc/news.scm of course.

> Thanks for the comments and for the translation!
>
> Ludo’.

:)

I also now notice it is impossible to translate

    info guix --index-search=guix-service-type

as

    info guix.de --index-search=guix-service-type

although

    info guix.fr --index-search=guix-service-type

works fine. No idea why; both texi files look the same here. But since the rootless documentation is not translated yet anyway, please leave

    info guix --index-search=guix-service-type

Regards,
Florian
diff --git a/etc/news.scm b/etc/news.scm index 4b3da44540..840f5cea53 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -37,6 +37,30 @@ (channel-news (version 0) + (entry (commit "XXX") + (title + (en "Guix System can run @command{guix-daemon} without root +privileges")) + (body + (en "On Guix System, @code{guix-service-type} can now be configured +to run the build daemon, @command{guix-daemon}, without root privileges. In +that configuration, the daemon runs with the authority of the +@code{guix-daemon} user, which we think can reduce the impact of some classes +of vulnerabilities that could affect it. + +For now, this is opt-in: you have to change @code{guix-configuration} to set +the @code{privileged?} field to @code{#f}. When you do this, all the files in +@file{/gnu/store}, @file{/var/guix}, etc. will have their ownership changed to +the @code{guix-daemon} user (instead of @code{root}); this can take a while, +especially if the store is big. To learn more about it, run: + +@example +info guix --index-search=guix-service-type +@end example + +Eventually running @command{guix-daemon} without root privileges may become +the default."))) + (entry (commit "0e51c6547ffdaf91777f7383da4a52a1a07b7286") (title (en "Incompatible upgrade of the Syncthing service"))
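Review bot: The `(commit "XXX")` placeholder at the top of the new entry has to be replaced with the hash of the commit that actually introduces the `privileged?` field before this lands; `guix pull` selects which news entries to display by comparing their `commit` field against the channel history, so an entry keyed on "XXX" is never shown to anyone. The body also describes only the root-to-`guix-daemon` ownership change and leaves open what happens if a user later sets `privileged?` back to `#t`; a sentence stating whether that path is supported (and whether ownership is reverted) would save users from having to find out by experiment on a large store.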