pull: Add '--disable-authentication'.
* guix/channels.scm (latest-channel-instance): Add #:authenticate? and honor it. (latest-channel-instances): Likewise. * guix/scripts/pull.scm (%default-options): Add 'authenticate-channels?'. (show-help, %options): Add '--disable-authentication'. (guix-pull): Pass #:authenticate? to 'latest-channel-instances'. * doc/guix.texi (Invoking guix pull): Document it.
parent
c3f6f564e9
commit
a9eeeaa6ae
@ -3929,6 +3929,20 @@ Make sure you understand its security implications before using
|
||||
@option{--allow-downgrades}.
|
||||
@end quotation
|
||||
|
||||
@item --disable-authentication
|
||||
Allow pulling channel code without authenticating it.
|
||||
|
||||
@cindex authentication, of channel code
|
||||
By default, @command{guix pull} authenticates code downloaded from
|
||||
channels by verifying that its commits are signed by authorized
|
||||
developers, and raises an error if this is not the case. This option
|
||||
instructs it to not perform any such verification.
|
||||
|
||||
@quotation Note
|
||||
Make sure you understand its security implications before using
|
||||
@option{--disable-authentication}.
|
||||
@end quotation
|
||||
|
||||
@item --system=@var{system}
|
||||
@itemx -s @var{system}
|
||||
Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
|
||||
|
@ -390,11 +390,12 @@ commits ~a to ~a (~h new commits)...~%")
|
||||
(define* (latest-channel-instance store channel
|
||||
#:key (patches %patches)
|
||||
starting-commit
|
||||
(authenticate? #f)
|
||||
(validate-pull
|
||||
ensure-forward-channel-update))
|
||||
"Return the latest channel instance for CHANNEL. When STARTING-COMMIT is
|
||||
true, call VALIDATE-PULL with CHANNEL, STARTING-COMMIT, the target commit, and
|
||||
their relation."
|
||||
their relation. When AUTHENTICATE? is false, CHANNEL is not authenticated."
|
||||
(define (dot-git? file stat)
|
||||
(and (string=? (basename file) ".git")
|
||||
(eq? 'directory (stat:type stat))))
|
||||
@ -408,14 +409,16 @@ their relation."
|
||||
(when relation
|
||||
(validate-pull channel starting-commit commit relation))
|
||||
|
||||
(if (channel-introduction channel)
|
||||
(authenticate-channel channel checkout commit)
|
||||
;; TODO: Warn for all the channels once the authentication interface
|
||||
;; is public.
|
||||
(when (guix-channel? channel)
|
||||
(warning (G_ "channel '~a' lacks an introduction and \
|
||||
(if authenticate?
|
||||
(if (channel-introduction channel)
|
||||
(authenticate-channel channel checkout commit)
|
||||
;; TODO: Warn for all the channels once the authentication interface
|
||||
;; is public.
|
||||
(when (guix-channel? channel)
|
||||
(warning (G_ "channel '~a' lacks an introduction and \
|
||||
cannot be authenticated~%")
|
||||
(channel-name channel))))
|
||||
(channel-name channel))))
|
||||
(warning (G_ "channel authentication disabled~%")))
|
||||
|
||||
(when (guix-channel? channel)
|
||||
;; Apply the relevant subset of PATCHES directly in CHECKOUT. This is
|
||||
@ -463,11 +466,15 @@ allow non-forward updates."))))))))))
|
||||
(define* (latest-channel-instances store channels
|
||||
#:key
|
||||
(current-channels '())
|
||||
(authenticate? #t)
|
||||
(validate-pull
|
||||
ensure-forward-channel-update))
|
||||
"Return a list of channel instances corresponding to the latest checkouts of
|
||||
CHANNELS and the channels on which they depend.
|
||||
|
||||
When AUTHENTICATE? is true, authenticate the subset of CHANNELS that has a
|
||||
\"channel introduction\".
|
||||
|
||||
CURRENT-CHANNELS is the list of currently used channels. It is compared
|
||||
against the newly-fetched instances of CHANNELS, and VALIDATE-PULL is called
|
||||
for each channel update and can choose to emit warnings or raise an error,
|
||||
@ -505,6 +512,8 @@ depending on the policy it implements."
|
||||
(let* ((current (current-commit (channel-name channel)))
|
||||
(instance
|
||||
(latest-channel-instance store channel
|
||||
#:authenticate?
|
||||
authenticate?
|
||||
#:validate-pull
|
||||
validate-pull
|
||||
#:starting-commit
|
||||
|
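Review bot: In the first hunk `latest-channel-instance` declares `(authenticate? #f)`, so any caller that omits the keyword gets an unauthenticated checkout, whereas `latest-channel-instances` further down in the same file defaults to `#t`. The only signal of the skipped check is the `channel authentication disabled` warning, which is easy to miss in non-interactive runs. A verification step should fail closed at every layer, so I would declare `(authenticate? #t)` here and let callers opt out explicitly. The docstring should also state the default, e.g. `When AUTHENTICATE? is false, CHANNEL is not authenticated; it defaults to true.` The procedure body continues outside the hunks shown, so other call sites could not be checked from this page.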
@ -82,6 +82,7 @@
|
||||
(graft? . #t)
|
||||
(debug . 0)
|
||||
(verbosity . 1)
|
||||
(authenticate-channels? . #t)
|
||||
(validate-pull . ,ensure-forward-channel-update)))
|
||||
|
||||
(define (show-help)
|
||||
@ -97,6 +98,9 @@ Download and deploy the latest version of Guix.\n"))
|
||||
--branch=BRANCH download the tip of the specified BRANCH"))
|
||||
(display (G_ "
|
||||
--allow-downgrades allow downgrades to earlier channel revisions"))
|
||||
(display (G_ "
|
||||
--disable-authentication
|
||||
disable channel authentication"))
|
||||
(display (G_ "
|
||||
-N, --news display news compared to the previous generation"))
|
||||
(display (G_ "
|
||||
@ -165,6 +169,9 @@ Download and deploy the latest version of Guix.\n"))
|
||||
(lambda (opt name arg result)
|
||||
(alist-cons 'validate-pull warn-about-backward-updates
|
||||
result)))
|
||||
(option '("disable-authentication") #f #f
|
||||
(lambda (opt name arg result)
|
||||
(alist-cons 'authenticate-channels? #f result)))
|
||||
(option '(#\p "profile") #t #f
|
||||
(lambda (opt name arg result)
|
||||
(alist-cons 'profile (canonicalize-profile arg)
|
||||
@ -771,7 +778,8 @@ Use '~/.config/guix/channels.scm' instead."))
|
||||
(channels (channel-list opts))
|
||||
(profile (or (assoc-ref opts 'profile) %current-profile))
|
||||
(current-channels (profile-channels profile))
|
||||
(validate-pull (assoc-ref opts 'validate-pull)))
|
||||
(validate-pull (assoc-ref opts 'validate-pull))
|
||||
(authenticate? (assoc-ref opts 'authenticate-channels?)))
|
||||
(cond ((assoc-ref opts 'query)
|
||||
(process-query opts profile))
|
||||
((assoc-ref opts 'generation)
|
||||
@ -793,7 +801,9 @@ Use '~/.config/guix/channels.scm' instead."))
|
||||
#:current-channels
|
||||
current-channels
|
||||
#:validate-pull
|
||||
validate-pull)))
|
||||
validate-pull
|
||||
#:authenticate?
|
||||
authenticate?)))
|
||||
(format (current-error-port)
|
||||
(N_ "Building from this channel:~%"
|
||||
"Building from these channels:~%"
|
||||
|
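Review bot: The lookup `(authenticate? (assoc-ref opts 'authenticate-channels?))` in `guix-pull` yields `#f` when the key is absent, so authentication stays on only while every option alist reaching this point was seeded from `%default-options`. Whether that always holds cannot be confirmed from the hunks shown. Recording the negative form would make a missing key fail closed: have the option handler do `(alist-cons 'disable-authentication? #t result)` and bind `(authenticate? (not (assoc-ref opts 'disable-authentication?)))`. The `(authenticate-channels? . #t)` default entry then becomes unnecessary. The body of `guix-pull` starts and ends outside these hunks.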