From patchwork Fri Jan 31 18:32:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: 45mg <45mg.writes@gmail.com> X-Patchwork-Id: 38009 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 40E3227BBEA; Fri, 31 Jan 2025 18:35:48 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-6.6 required=5.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED,DKIM_VALID,FREEMAIL_FROM,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL, RCVD_IN_VALIDITY_SAFE,SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 70F2E27BBE2 for ; Fri, 31 Jan 2025 18:35:47 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tdvrE-00031k-7Z; Fri, 31 Jan 2025 13:35:12 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tdvrA-00030P-Fm for guix-patches@gnu.org; Fri, 31 Jan 2025 13:35:08 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tdvr9-0006gH-Ba; Fri, 31 Jan 2025 13:35:07 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=Ik/j22rPHoO8kUzZyW4GUSELVTkFLR9aLXsM9m2EaK4=; b=IOdIwxcAfdcNsd9sfPTVUsJxw9YR7JFhp4Wqyy0CR6PtgQUME70pnOAcoceJCb+RlwKsl46FxVjqI/Yc6GNrfpqFPHMg6moHElMJ/PE3lDNPZoZH8LdZjPTf8WepToVOrg5XjHVpM6ffgPwx/dhS1jsfWbiziD+ysMIyy4t/DTpkyMWfsEwdw3TmCcUfom4CrZaZ7/1PserM0THYuqdFgK+Drr7jPvPQ7OdgPdm6a1IteM/ay1r1sABj3hDvzXL44TDpbdRKqvIzJmSPtJK1d06juRLoJXJpvd1IKVBhowc8+BsQSUs+7xLDID/QoGulm2uXrF6NMtPyJHzEHLHeGw==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1tdvr5-00060B-0J; Fri, 31 Jan 2025 13:35:03 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#75975] [PATCH (WIP) 2/4] Add 'guix fork authenticate'. Resent-From: 45mg <45mg.writes@gmail.com> Original-Sender: "Debbugs-submit" Resent-CC: guix@cbaines.net, dev@jpoiret.xyz, ludo@gnu.org, othacehe@gnu.org, zimon.toutoune@gmail.com, me@tobias.gr, guix-patches@gnu.org Resent-Date: Fri, 31 Jan 2025 18:35:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75975 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75975@debbugs.gnu.org Cc: 45mg <45mg.writes@gmail.com>, Christopher Baines , Josselin Poiret , Ludovic =?utf-8?q?Court=C3=A8s?= , Mathieu Othacehe , Simon Tournier , Tobias Geerinckx-Rice X-Debbugs-Original-Xcc: Christopher Baines , Josselin Poiret , Ludovic =?utf-8?q?Court=C3=A8s?= , Mathieu Othacehe , Simon Tournier , Tobias Geerinckx-Rice Received: via spool by 75975-submit@debbugs.gnu.org id=B75975.173834849723041 (code B ref 75975); Fri, 31 Jan 2025 18:35:02 +0000 Received: (at 75975) by debbugs.gnu.org; 31 Jan 2025 18:34:57 +0000 Received: from localhost ([127.0.0.1]:54240 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tdvqy-0005zT-CK for submit@debbugs.gnu.org; Fri, 31 Jan 2025 13:34:57 -0500 Received: from mail-pl1-x644.google.com ([2607:f8b0:4864:20::644]:46517) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <45mg.writes@gmail.com>) id 1tdvqu-0005yx-Ms for 75975@debbugs.gnu.org; Fri, 31 Jan 2025 13:34:53 -0500 Received: by mail-pl1-x644.google.com with SMTP id d9443c01a7336-21649a7bcdcso42072065ad.1 for <75975@debbugs.gnu.org>; Fri, 31 Jan 2025 10:34:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738348486; x=1738953286; darn=debbugs.gnu.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Ik/j22rPHoO8kUzZyW4GUSELVTkFLR9aLXsM9m2EaK4=; b=Pf8BZ0su4sW4MFZvcVw0MdJFrhfoT3rXXbdDH19+i6aR/MBFAh4oQP9Q7IOKJCDAjL blOcJdNCqa1JDSz3PeqcbvYE2CwKnBsGih5enwirtW7RZmD276bmadVqYuNO9dllQqIT +WxEX15x1MagOHt5iYtOBGG4fZ2yhw15PRZ06nSkyt0bGPLHAstm4AZRUrwshTpsuKUR pDa4KbN3DPD0s7UvHjssgLB8GcZLFHdNZM5U5HqDr12yd7c0SpnfH9e4kzmQiu23BRcr 1PHF33V/zGYjcP+171QWdHrB5nIDc5JNclWJaYtLLUwSSraZsvba2dbzyYMiIyf7qlV0 FdWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738348486; x=1738953286; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Ik/j22rPHoO8kUzZyW4GUSELVTkFLR9aLXsM9m2EaK4=; b=pVribzBqfnyB6qgeLPGuDYcriTHB95sRIVj9WjVPi7aab/4JwARdHeHrDFLCaJknFo 3bROGjPdUPQAmZpvVbKzwmTCASFWJYM0lIxQ/psIIevPrHEnfWaKUKrLX4W+AkaG8MR3 6ALCI+1UUEcdQXZj71uCQvUUPiFHc2LihxawnidLzRbNqyk7Hgwa0Vd9k5fGFl4oMeJU gOUYbeSWGkINJqFiwQ1gzjb25GLoMIOzBWoVAGq/vzx1KzhLHk8hUMED6KOBxU8hr94s B8VBHSXjrGpgxU4U/IEG/cWR5ot0oN+7+fuBxb4vo+sK+U9j3PCqX8hH3uOHykd3IkPj 1new== X-Gm-Message-State: AOJu0YzgsZrgySa0VyfDc55ePNkLqXPUfAR81evtCLGhVVKaLltsAoS9 kqeccNglZt2T/juWJfJrYAOaxLgF1iu/BeHINXzJ79rmDm5N51c4ssoSXWKw X-Gm-Gg: ASbGnctLlzj4aAHMHTAVlmAdOjxbAS/930TXDuO0XdhmA4Kc1rTAbSONJUdumy2eCsG f/427PGKteSpZuPOVM8h08iy0wNWFb9mjmFr2De04Y5nuR+EgRnlQrJrjfAbC9N1W7s6aGJNkjd t0tFwnSCvMFpeLFuf4rrPu56aWxhUXftwxE8k5TAdhC5KT3fjFaeA7NJhPdAruDcHI6FKK71hkW dHXIWbzeYQqiuTWsXbMcpp4ipiN8PKBH0dCp09wJICJSy7ysfi5EgFnhHdGyhUobHYaymvJC6Cr ZwrHNxcKXPUdxuIYNTTYe6PfY0leVQmhDkwfZg== X-Google-Smtp-Source: AGHT+IEf2vQDGOBuSzRQSVg+R+C7zwo9z/hSFdl3+TzbSyqE3izqS2hA4YLK7tr+EUsHVdWlJqWSWQ== X-Received: by 2002:a17:902:ce91:b0:216:2259:a4bd with SMTP id d9443c01a7336-21dd7e08915mr175015075ad.52.1738348486095; Fri, 31 Jan 2025 10:34:46 -0800 (PST) Received: from localhost.localdomain (utm3.nitt.edu. [14.139.162.2]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-21de33205b4sm33429665ad.245.2025.01.31.10.34.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 31 Jan 2025 10:34:45 -0800 (PST) From: 45mg <45mg.writes@gmail.com> Date: Sat, 1 Feb 2025 00:02:49 +0530 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * guix/scripts/fork/authenticate.scm: New file. * Makefile.am (MODULES): Add the new file. * guix/scripts/fork.scm (show-help): Mention new command. (%sub-commands): Add new command. Change-Id: Ic34a1b3d1642cedce8d1ff5bae825df30e47755c --- Makefile.am | 1 + guix/scripts/fork.scm | 6 +- guix/scripts/fork/authenticate.scm | 331 +++++++++++++++++++++++++++++ 3 files changed, 336 insertions(+), 2 deletions(-) create mode 100644 guix/scripts/fork/authenticate.scm diff --git a/Makefile.am b/Makefile.am index c628450a5a..1c1f5d84fd 100644 --- a/Makefile.am +++ b/Makefile.am @@ -379,6 +379,7 @@ MODULES = \ guix/scripts/git/authenticate.scm \ guix/scripts/fork.scm \ guix/scripts/fork/create.scm \ + guix/scripts/fork/authenticate.scm \ guix/scripts/graph.scm \ guix/scripts/weather.scm \ guix/scripts/container.scm \ diff --git a/guix/scripts/fork.scm b/guix/scripts/fork.scm index 2d97bcb93f..c5c7a59ba7 100644 --- a/guix/scripts/fork.scm +++ b/guix/scripts/fork.scm @@ -29,7 +29,9 @@ (define (show-help) (display (G_ "The valid values for ACTION are:\n")) (newline) (display (G_ "\ - create set up a fork of Guix\n")) + create set up a fork of Guix\n")) + (display (G_ "\ + authenticate authenticate a fork of Guix\n")) (newline) (display (G_ " -h, --help display this help and exit")) @@ -38,7 +40,7 @@ (define (show-help) (newline) (show-bug-report-information)) -(define %sub-commands '("create")) +(define %sub-commands '("create" "authenticate")) (define (resolve-sub-command name) (let ((module (resolve-interface diff --git a/guix/scripts/fork/authenticate.scm b/guix/scripts/fork/authenticate.scm new file mode 100644 index 0000000000..83d9d87d44 --- /dev/null +++ b/guix/scripts/fork/authenticate.scm @@ -0,0 +1,331 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2025 45mg <45mg.writes@gmail.com> +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (guix scripts fork authenticate) + #:use-module (git) + #:use-module (guix git) + #:use-module (guix git-authenticate) + #:use-module (guix base16) + #:use-module (guix ui) + #:use-module (guix progress) + #:use-module (guix scripts) + #:use-module (guix build utils) + #:use-module (guix channels) + #:use-module (ice-9 exceptions) + #:use-module (ice-9 match) + #:use-module (ice-9 receive) + #:use-module (ice-9 popen) + #:use-module (ice-9 format) + #:use-module (ice-9 pretty-print) + #:use-module (ice-9 string-fun) + #:use-module (ice-9 textual-ports) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-13) + #:use-module (srfi srfi-26) + #:use-module (srfi srfi-37) + #:use-module (srfi srfi-71) + #:export (guix-fork-authenticate + + fork-config-value + fork-configured? + fork-configured-keyring-reference + fork-configured-introduction)) + +;;; Commentary: +;;; +;;; Authenticate a fork of Guix, in the same manner as `guix git +;;; authenticate`. +;;; +;;; Code: + +(define %options + ;; Specifications of the command-line options. + (list (option '(#\h "help") #f #f + (lambda args + (show-help) + (exit 0))) + (option '(#\V "version") #f #f + (lambda args + (show-version-and-exit "guix fork authenticate"))) + + (option '(#\r "repository") #t #f + (lambda (opt name arg result) + (alist-cons 'directory arg result))) + (option '("upstream-commit") #f #f + (lambda (opt name arg result) + (alist-cons 'upstream-commit (string->oid arg) result))) + (option '("upstream-signer") #f #f + (lambda (opt name arg result) + (alist-cons 'upstream-signer (openpgp-fingerprint* arg) result))) + + (option '(#\e "end") #t #f + (lambda (opt name arg result) + (alist-cons 'end-commit (string->oid arg) result))) + (option '("upstream-end") #t #f + (lambda (opt name arg result) + (alist-cons 'upstream-end-commit (string->oid arg) result))) + (option '(#\k "keyring") #t #f + (lambda (opt name arg result) + (alist-cons 'keyring-reference arg result))) + (option '("upstream-keyring") #t #f + (lambda (opt name arg result) + (alist-cons 'upstream-keyring arg result))) + (option '("cache-key") #t #f + (lambda (opt name arg result) + (alist-cons 'cache-key arg result))) + (option '("historical-authorizations") #t #f + (lambda (opt name arg result) + (alist-cons 'historical-authorizations arg + result))) + (option '("stats") #f #f + (lambda (opt name arg result) + (alist-cons 'show-stats? #t result))))) + +(define %default-options + (let ((introduction (channel-introduction %default-guix-channel))) + `((upstream-commit + . ,(string->oid (channel-introduction-first-signed-commit introduction))) + (upstream-signer + . ,(openpgp-fingerprint + (string-upcase + (bytevector->base16-string + (channel-introduction-first-commit-signer introduction))))) + (upstream-keyring + . "keyring")))) + +(define %usage + (format #f (G_ "Usage: guix fork authenticate UPSTREAM COMMIT SIGNER [OPTIONS...] +Authenticate a fork of Guix, using COMMIT/SIGNER as the fork introduction. + +First, authenticate new commits from UPSTREAM, using Guix's default +introduction. Then authenticate the remaining commits using the fork +introduction. + + -r, --repository=DIRECTORY + Authenticate the Git repository in DIRECTORY + + --upstream-commit=COMMIT + --upstream-signer=SIGNER + Use COMMIT/SIGNER as the introduction for upstream + Guix, overriding the default values + ~a + /~a + (Guix's default introduction). + + -k, --keyring=REFERENCE + load keyring for fork commits from REFERENCE, a Git + branch (default \"keyring\") + --upstream-keyring=REFERENCE + load keyring for upstream commits from REFERENCE, a + Git branch (default \"keyring\") + --end=COMMIT authenticate fork commits up to COMMIT + --cache-key=KEY cache authenticated commits under KEY + --historical-authorizations=FILE + read historical authorizations from FILE + --stats Display commit signing statistics upon completion + + -h, --help display this help and exit + -V, --version display version information and exit +") + (assoc-ref %default-options 'upstream-commit) + (assoc-ref %default-options 'upstream-signer))) + +(define (show-help) + (display %usage) + (newline) + (show-bug-report-information)) + +(define (missing-arguments) + (leave (G_ "wrong number of arguments; \ +required UPSTREAM, COMMIT and SIGNER~%"))) + + +;;; +;;; Helper prodecures. +;;; + +(define (fork-config-value repository key) + "Return the config value associated with KEY in the +'guix.fork-authentication' namespace in REPOSITORY, or #f if no such config +was found." + (let* ((config (repository-config repository)) + (branch (repository-current-branch repository))) + (catch 'git-error + (lambda () + (config-entry-value + (config-get-entry config + (string-append "guix.fork-authentication." + key)))) + (const #f)))) + +(define (fork-configured-introduction repository) + "Return three values: the upstream branch name, introductory commit, and +signer fingerprint (strings) for this fork, as configured in REPOSITORY. +Error out if any were missing." + (let* ((upstream-branch (fork-config-value repository "upstream-branch")) + (commit (fork-config-value repository "introduction-commit")) + (signer (fork-config-value repository "introduction-signer"))) + (unless (and upstream-branch commit signer) + (leave (G_ "fork information in .git/config is incomplete; +missing at least one of +introduction-commit, introduction-signer, upstream-branch +under [guix \"fork-authentication\"]"))) + (values upstream-branch commit signer))) + +(define (fork-configured-keyring-reference repository) + "Return the keyring reference configured in REPOSITORY or #f if missing." + (fork-config-value repository "keyring")) + +(define (fork-configured? repository) + "Return true if REPOSITORY already contains fork introduction info in its +'config' file." + (and (fork-config-value repository "upstream-branch") + (fork-config-value repository "introduction-commit") + (fork-config-value repository "introduction-signer"))) + +(define* (record-fork-configuration + repository + #:key commit signer upstream-branch keyring-reference) + "Record COMMIT, SIGNER, UPSTREAM-BRANCH and KEYRING-REFERENCE in the +'config' file of REPOSITORY." + (define config + (repository-config repository)) + + ;; Guile-Git < 0.7.0 lacks 'set-config-string'. + (if (module-defined? (resolve-interface '(git)) 'set-config-string) + (begin + (set-config-string config "guix.fork-authentication.introduction-commit" + commit) + (set-config-string config "guix.fork-authentication.introduction-signer" + signer) + (set-config-string config "guix.fork-authentication.upstream-branch" + upstream-branch) + (set-config-string config "guix.fork-authentication.keyring" + keyring-reference) + (info (G_ "introduction, upstream branch and keyring recorded \ +in repository configuration file~%"))) + (warning (G_ "could not record introduction and keyring configuration\ + (Guile-Git too old?)~%")))) + + +(define (guix-fork-authenticate . args) + (define options + (parse-command-line args %options (list %default-options) + #:build-options? #f)) + + (define (command-line-arguments lst) + (reverse (filter-map (match-lambda + (('argument . arg) arg) + (_ #f)) + lst))) + + (define (make-reporter start-commit end-commit commits) + (format (current-error-port) + (G_ "Authenticating commits ~a to ~a (~h new \ +commits)...~%") + (commit-short-id start-commit) + (commit-short-id end-commit) + (length commits)) + (if (isatty? (current-error-port)) + (progress-reporter/bar (length commits)) + progress-reporter/silent)) + + (with-error-handling + (with-git-error-handling + ;; TODO: BUG: it doesn't recognize '~' in paths + ;; How to do 'realpath' in Guile? + (let* ((repository (repository-open (or (assoc-ref options 'directory) + (repository-discover ".")))) + (upstream commit signer (match (command-line-arguments options) + ((upstream commit signer) + (values + (branch-lookup repository upstream) + (string->oid commit) + (openpgp-fingerprint* signer))) + (() + (receive (upstream commit signer) + (fork-configured-introduction repository) + (values + (branch-lookup repository upstream) + (string->oid commit) + (openpgp-fingerprint* signer)))) + (_ + (missing-arguments)))) + (upstream-commit (assoc-ref options 'upstream-commit)) + (upstream-signer (assoc-ref options 'upstream-signer)) + (history (match (assoc-ref options 'historical-authorizations) + (#f '()) + (file (call-with-input-file file + read-authorizations)))) + (keyring (or (assoc-ref options 'keyring-reference) + (fork-configured-keyring-reference repository) + "keyring")) + (upstream-keyring (assoc-ref options 'upstream-keyring)) + (end (match (assoc-ref options 'end-commit) + (#f (reference-target + (repository-head repository))) + (oid oid))) + (upstream-end (match (assoc-ref options 'upstream-end-commit) + (#f + (reference-target upstream)) + (oid oid))) + (cache-key (or (assoc-ref options 'cache-key) + (repository-cache-key repository))) + (show-stats? (assoc-ref options 'show-stats?))) + + (define upstream-authentication-args + (filter identity + (list + (oid->string upstream-commit) + (bytevector->base16-string upstream-signer) + (string-append "--repository=" + (repository-directory repository)) + (string-append "--end=" + (oid->string upstream-end)) + (and upstream-keyring + (string-append "--keyring=" + upstream-keyring)) + (and show-stats? "--stats")))) + + (info (G_ "calling `guix git authenticate` for branch ~a...~%") + (branch-name upstream)) + + (apply run-guix-command 'git "authenticate" + upstream-authentication-args) + + (define fork-stats + (authenticate-repository + repository commit signer + #:end end + #:keyring-reference keyring + #:historical-authorizations history + #:cache-key cache-key + #:make-reporter make-reporter)) + + (unless (fork-configured? repository) + (record-fork-configuration repository + #:commit (oid->string commit) + #:signer (bytevector->base16-string signer) + #:upstream-branch (branch-name upstream) + #:keyring-reference keyring)) + + (when (and show-stats? (not (null? fork-stats))) + (show-authentication-stats fork-stats)) + + (info (G_ "successfully authenticated commit ~a~%") + (oid->string end))))))