bug#60852: git-authenticate edge case for certain key setup.

[Hilton Chain via Bug reports for GNU Guix]

I encountered the issue when adding a new key to my Guix channel.  Though I
haven't figured out what happened exactly, I'm currently able to reproduce the
issue with the following steps.

1. Generate two keypairs.  Key One with the preset "ECC and ECC", Key Two with
"ECC (set your own capabilities)" and only keep the Certify capability, then
add a Sign subkey to Key Two.  All Curve 25519.

#+RESULTS:
: /tmp/test/pubring.kbx
: -
: sec   ed25519/676A52381FFD80C5 2023-01-16 [SC]
:   Key fingerprint = 21D3 9304 CED7 A5CF 50B6  0B80 676A 5238 1FFD 80C5
: uid [ultimate] Key One
: ssb   cv25519/BA35E2E29D6E4CE4 2023-01-16 [E]
:   Key fingerprint = 450A DF8C 6FE4 AEFF EC75  EBD9 BA35 E2E2 9D6E 4CE4
:
: sec   ed25519/06DE4CED9A91AB7B 2023-01-16 [C]
:   Key fingerprint = 4A45 EC76 DA2B 389A FE2F  C887 06DE 4CED 9A91 AB7B
: uid [ultimate] Key Two
: ssb   ed25519/3BE8CD60E408A705 2023-01-16 [S]
:   Key fingerprint = 405C B557 DE1F 1254 B012  640A 3BE8 CD60 E408 A705


2. Create a new git repository, commit public keys of the two to the "keyring"
branch.  Then commit file ".guix-authorizations" to the "main" branch with the
following code:
#+begin_src scheme
  (authorizations
   (version 0)
   (("21D3 9304 CED7 A5CF 50B6  0B80 676A 5238 1FFD 80C5"
 (name "Key One"
#+end_src

Configure git to sign commits with Key One, change the ".guix-authorizations"
file to the following and commit:
#+begin_src scheme
  (authorizations
   (version 0)
   (("21D3 9304 CED7 A5CF 50B6  0B80 676A 5238 1FFD 80C5"
 (name "Key One")))
   (("405C B557 DE1F 1254 B012  640A 3BE8 CD60 E408 A705"
 (name "Key Two"
#+end_src

Then change the signing key to Key Two and add a new commit.

Now there're three commits:
#+RESULTS:
: commit 5240baeebc055187fb738e66e7dbfbb57c0aeba3 (HEAD -> main)
: Author: Test 
: Date:   Mon Jan 16 13:53:49 2023 +0800
:
: test
:
: commit a6794b64f9dfa828a5721e3f02c27ab74db9a487
: Author: Test 
: Date:   Mon Jan 16 13:53:17 2023 +0800
:
: Authorize Key Two.
:
: commit c9476062a2f341e9ee95a60d17cf2233b7c55ff4
: Author: Test 
: Date:   Mon Jan 16 13:51:02 2023 +0800
:
: Authorize Key One.


3. Invoke `guix git authenticate`...with error.

#+begin_src shell
  guix git authenticate c9476062a2f341e9ee95a60d17cf2233b7c55ff4 "21D3 9304 
CED7 A5CF 50B6  0B80 676A 5238 1FFD 80C5"
#+end_src

#+RESULTS:
: Authenticating commits c947606 to 5240bae (1 new commits)...
: 
[##]guix
 git: error: commit 5240baeebc055187fb738e66e7dbfbb57c0aeba3 not signed by an 
authorized key: 405C B557 DE1F 1254 B012  640A 3BE8 CD60 E408 A705


4. However, if I swap positions of the two fingerprints, it works.

New ".guix-authorizations" file:
#+begin_src scheme
  (authorizations
   (version 0)
   (("405C B557 DE1F 1254 B012  640A 3BE8 CD60 E408 A705"
 (name "Key Two")))
   (("21D3 9304 CED7 A5CF 50B6  0B80 676A 5238 1FFD 80C5"
 (name "Key One"
#+end_src

New commits history:
#+RESULTS:
: commit 7e4d98eea0e89652554d822503096371e5d59f3b (HEAD -> main)
: Author: Test 
: Date:   Mon Jan 16 14:52:37 2023 +0800
:
: test
:
: commit a44434b1a9bd955cc897dea4c44abe64d6ab8112
: Author: Test 
: Date:   Mon Jan 16 13:53:49 2023 +0800
:
: Swap positions of the two fingerprints.
:
: commit a6794b64f9dfa828a5721e3f02c27ab74db9a487
: Author: Test 
: Date:   Mon Jan 16 13:53:17 2023 +0800
:
: Authorize Key Two.
:
: commit c9476062a2f341e9ee95a60d17cf2233b7c55ff4
: Author: Test 
: Date:   Mon Jan 16 13:51:02 2023 +0800
:
: Authorize Key One.

And a new `guix git authenticate` result:
#+RESULTS:
: Authenticating commits c947606 to 7e4d98e (2 new commits)...

若

bug#60816: guix pull ("computing Guix derivation") is not reproducible

[bokr]

Hi,

On +2023-01-15 15:35:31 +0100, Josselin Poiret via Bug reports for GNU Guix 
wrote:
> Hi again Julien,
> 
> Julien Lepiller  writes:
> 
> > it seems that on one machine, my .cache/guix/checkouts got polluted by
> > uncommited files. I have no idea why they're there, but cleaning them
> > should solve my issue, thanks!
> 
> It's not the first time we've seen this, we could probably consider
> adding a git clean after the reset in switch-to-ref.
> 
> Best,
> -- 
> Josselin Poiret

Could wrong timestamps on pushed files cause problems?

E.g., if you were working offline on a laptop where
cat /proc/driver/rtc
was significantly wrong at boot time, perhaps due to flaky CMOS battery,
or error in init specs? If you didn't connect to the internet and get
synced, couldn't you wind up with files with bad time stamps?

(I think I can dig up evidence of that, when I didn't connect,
though I don't show it here).

Could some Makefile action or some date-sensitive find or
if [[ file1 -nt file2 ]] then  
be wrongly triggered and leave mystery files around?

IWT synchronizing distributed monotonic time has to have been solved
a long ago, but old unnoticed errors do seem to wake up sometimes
in new circumstances.

I have been having mystery problems with time, which I have yet to
diagnose properly. One theory that matches some symptoms is if there
is a virtualized /proc/driver/rtc which gets a bogus value temporarily,
which gets accessed and stored by whatever stores time as boot time for
who -b to see forever (until shutdown) --
but date and other time functions see the virtual /proc/driver/rtc every
time, not a cached value, so they get corrected shortly after internet
is connected.

But what happens to file time stamps if you don't connect
to the internet for a long time?

BTW,I see the bad time at the top of the screen right after boot
but before reaching login, and IIRC it will currect to local without
logging in if I plug in the internet dongle.

Shown below I just booted from cold power-off, with 99% main battery,
about 17:20, so how to explain bogus who -b system boot time of 07:53
this morning? From that timee uptime at 17:20:06
would be: 9hrs 27min 6sec, not "1:14" (1hr 14min))

Well, I guess the 9 hours could be explained by root having a different
idea of locale at pre-internet boot time, but the 27min 6 sec?  

--8<---cut here---start->8---
who -b; uptime;date -Ins;grep rtc /proc/driver/rtc
 system boot  2023-01-15 07:53
 17:20:06 up  1:14,  1 user,  load average: 0.00, 0.08, 0.15
2023-01-15T17:20:06,768027575+01:00
rtc_time: 16:20:06
rtc_date: 2023-01-15
--8<---cut here---end--->8---

Also some anomalies in dmesg and journalctl -b, but inconclusive for me ;/

I noticed the bad "who -b" times because whenever my ~/.bash_profile
sees a change as I log in, it uses the date to create a new scratch
"boot-session" directory and updates a symbolic link to it at ~/bs
like stat -c %N ~/bs shows:
'/home/bokr/bs' -> '/home/bokr/BS/bs20230115_0753'
which is annoyingly wrong. It also makes a link to the previous ~/bs
in the new, like
'/home/bokr/bs/pbs' -> '../bs20230113_0427'
(showing some insomnia ;/ )

but if I cd ~/bs PS1 will display a nice short prompt :)
--8<---cut here---start->8---
[01:53 ~/bs]$ cd ~/bs
[01:53 ~/bs]$ realpath .
/home/bokr/BS/bs20230115_0753
[01:53 ~/bs]$ realpath ~/bs
/home/bokr/BS/bs20230115_0753
[01:54 ~/bs]$ 
--8<---cut here---end--->8---

HTH & SFTN if this is not useful or relevant.
--
Regards,
Bengt Richter

bug#60844: no text in Anki

[Csepp]

I recently installed Anki and added some decks to study Japanese.
However, I only see cog icons when I open Anki.  Clicking them does pop
up a settings menu and I can see their names there.
Is this a QtWebkit bug again?
I tried the sandbox workaround I saw in some other bug report but it did
not help.

bug#57493: [EXT] Re: bug#57493: should allow for customizing home directory permission bits

[Thompson, David]

Hi Liliana,

On Sun, Jan 15, 2023 at 7:25 AM Liliana Marie Prikler
 wrote:
>
> * gnu/system/accounts.scm
> > ()[home-directory-permissions]: New
> > field.
> > (user-account-home-directory-permissions): New accessor.
> > * gnu/build/activation.scm (activate-users+groups): Use home
> > directory
> > permission bits from the user account object.
> > * doc/guix.texi (User Accounts): Document new field.
> LGTM.
>
> The header says this is part 1/2.  Is that correct or did you just
> invoke git format-patch wrong?

Oops, that's my bad! I forgot that the patch file header would say
that.  There's a second patch that changes the Gitolite service to use
this new field, which is the service that sparked the need for this
additional flexibility, but I was going to leave that out for now and
maybe just push directly as it's a 2 line change and the gitolite
system test passes. So, please disregard that 1/2 thing!

Thanks for checking!

- Dave

bug#60566: [PATCH] environment: Fix '--emulate-fhs' option overriding $PATH.

[John Kehayias via Bug reports for GNU Guix]

Hi Ludo’,


On Sat, Jan 14, 2023 at 03:41 PM, Ludovic Courtès wrote:

> Hi John,
>
> John Kehayias  skribis:
>
> [...]
>
>> -   (setenv "PATH" "/bin:/usr/bin:/sbin:/usr/sbin")
>> +   (setenv "PATH" (string-append "/bin:/usr/bin:/sbin:/usr/sbin"
>> + (when (getenv "PATH")
>> +   (string-append ":" (getenv 
>> "PATH")
>
> Remember that ‘when’ returns *unspecified* when the condition is false,
> so you’d get a type error here when PATH is undefined.
>
> Instead write: (if (getenv "PATH") … "").
>

Ah yes, my Common Lisp showing through and relying on nil instead. Fixed and 
thanks!

>> +# Test that $PATH inside the container has FHS directories.
>> +guix shell -CF --bootstrap guile-bootstrap \
>> + -- guile -c '(exit (if (string-contains (getenv "PATH")
>> +"/bin:/usr/bin:/sbin:/usr/sbin")
>> +   0
>> +   1))'
>
> Even (exit (string=? (getenv "PATH") "/bin:/usr/bin:/sbin:/usr/sbin")).
>

With this patch PATH now gets the FHS directories in addition to what it 
normally has (like the profile's bin directory). While slightly redundant, this 
seems to be better than clobbering it. Anyway, so we can't check that the PATH 
is completely equal here.

>> +# Make sure '--preserve' is honored for $PATH, which the '--emulate-fhs'
>> +# option will modify.  We can't (easily) check the whole $PATH as it will
>> +# differ inside and outside the container, so just check for an added 
>> string.
>> +PATH=this-is-a-test:$PATH guix shell -CF --bootstrap guile-bootstrap -E 
>> PATH \
>> + -- guile -c '(exit (if (string-contains (getenv "PATH")
>> +"this-is-a-test")
>> +   0
>> +   1))'
>
> It might be slightly more concise with ‘env’:
>
>   PATH=/foo $(type -P guix) shell -E ^PATH$ -C coreutils -- env |grep 
> ^PATH=.*:/foo
>
> (I think ‘--bootstrap’ doesn’t buy us much here because we have to
> download/build ‘glibc-for-fhs’ anyway.  ‘--bootstrap’ and
> ‘guile-bootstrap’ are particularly useful for testse that can run
> without network access and without building tons of stuff, as in
> ‘tests/guix-environment.sh’ for instance.)
>

Ah, thanks, that is nicer if we can just use coreutils. I rewrote the previous 
test to use that as well. Probably some other tests here could use that 
simplification, but outside of the scope here.

(Side note that 'type' in zsh works differently, one could use 'whence' there 
or even the built-in 'which'. For the tests we are running with bash or bash 
compliant here, so it is not a problem.)

> Otherwise LGTM, thanks!
>
> Ludo’.

Thanks again for your careful review! Pushed as 
3bfbfa2946aebb7f68c8027ae80f272f6915c94f and closing this issue.

Thanks also for jman for reporting.

John

bug#56709: (No Subject)

[Attila Lendvai]

> > i'm also seeing this, and the solution was to comment
> > out the (identity ...) field of my machine-ssh-configuration.
> 
>
> i spoke too soon. today it's again broken for me the same way, even
> though identity is commented out. lechner on IRC also reported that
> it's broken for him.


since then it's working again. this seems to be some transient issue. possibly 
related to network state?

note that normal SSH always works. it's only a late phase of `guix deploy` 
where this error sometimes shows up.

-- 
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“The most urgent necessity is, not that the State should teach, but that it 
should allow education. All monopolies are detestable, but the worst of all is 
the monopoly of education.”
— Frédéric Bastiat (1801–1850), 'What Is Money?'

bug#60831: [PATCH] gnu: emacs-minimal: Do not patch compilation driver.

[Liliana Marie Prikler]

The ‘patch-compilation-driver’ phase pulls in libgccjit even though it has
been deliberately removed from emacs-minimal.

* gnu/packages/emacs.scm (emacs)[#:phases]: Delete ‘patch-compilation-driver’.
---
Thanks Josselin for pointing this out.

 gnu/packages/emacs.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index 97d46486c7..83b9afb633 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -448,6 +448,7 @@ (define-public emacs-minimal
((#:phases phases)
 #~(modify-phases #$phases
 (delete 'set-libgccjit-path)
+(delete 'patch-compilation-driver)
 (delete 'restore-emacs-pdmp)
 (delete 'strip-double-wrap)
 (inputs (list ncurses coreutils gzip))
-- 
2.38.1

bug#60816: guix pull ("computing Guix derivation") is not reproducible

[Josselin Poiret via Bug reports for GNU Guix]

Hi again Julien,

Julien Lepiller  writes:

> it seems that on one machine, my .cache/guix/checkouts got polluted by
> uncommited files. I have no idea why they're there, but cleaning them
> should solve my issue, thanks!

It's not the first time we've seen this, we could probably consider
adding a git clean after the reset in switch-to-ref.

Best,
-- 
Josselin Poiret

bug#60834: configuration->documentation generates garbage @-command on fields beginning with numeric characters

[Bruno Victal]

Minimal example (with Guix REPL):

--8<---cut here---start->8---
scheme@(guix-user)> ,use (gnu services configuration)
scheme@(guix-user)> (define serialize-boolean (lambda (x y) #t))
scheme@(guix-user)> (define-configuration example-configuration (1-foo (boolean 
#t) "lorem ipsum"))
scheme@(guix-user)> (configuration->documentation 'example-configuration)
%example-configuration
@c %start of fragment

@deftp {Data Type} example-configuration
Available @code{example-configuration} fields are:

@table @asis
@item @code{#@{1-foo@}#} (default: @code{#t}) (type: boolean)
lorem ipsum

@end table

@end deftp


@c %end of fragment
scheme@(guix-user)> 
--8<---cut here---end--->8---

bug#60831: Are our graphs okay?

[Josselin Poiret via Bug reports for GNU Guix]

Hi Lily,

Liliana Marie Prikler  writes:

> This is rather curious.  How does libgccjit land in emacs-minimal's
> closure?

The patch-compilation-driver phase in the inherited emacs package wires
in a reference to libgccjit.  It would need to be replaced in
emacs-minimal.

Best,
-- 
Josselin Poiret

bug#60816: guix pull ("computing Guix derivation") is not reproducible

[Julien Lepiller]

Le Sun, 15 Jan 2023 12:54:45 +0100,
Josselin Poiret  a écrit :

> Hi Julien,
> 
> Julien Lepiller  writes:
> 
> > So, apart from the output filename which obviously changes, it seems
> > that the differences are:
> >
> > - order of dependencies,
> > - source output,
> > - builder (only because it references the source output)
> >
> > Here's the result of diffoscope on the source outputs (ignore
> > modification date, I used touch to make them all the same, not to
> > make them sensible ;)):
> >
> > [...]
> >
> > Could it be that removed files are somehow kept in cache?  
> 
> Does this still happen if you run `git clean -df` in both of your
> local checkouts?
> 
> Best,

Haha!

it seems that on one machine, my .cache/guix/checkouts got polluted by
uncommited files. I have no idea why they're there, but cleaning them
should solve my issue, thanks!

bug#60831: Are our graphs okay?

[Liliana Marie Prikler]

Hi Guix,

Continuing the discussion Ludo’ started over at guix-devel regarding
package size, note that we have

$ guix size emacs-minimal 
Store-Objekt Gesamt   Selbst
/gnu/store/lphzb1z0r4kbb453rsvnw7msrxxzp5r7-libgccjit-10.3.0   244.8   
128.5  27.2%
/gnu/store/wrzjr2g38f23fqg09rrdcn10va5gc5xl-emacs-minimal-28.2 472.4   
110.7  23.4%
/gnu/store/zyqimpkmpffc24nwwqp46cicj8ss85y5-binutils-2.37  126.0
54.4  11.5%
/gnu/store/ayc9r7162rphy4zjw8ch01pmyh214h82-glibc-2.33  76.6
36.6   7.8%
/gnu/store/5h2w4qi9hk1qzzgi1w83220ydslinr4s-glibc-2.33  38.3
36.6   7.7%
/gnu/store/6d0pl5khj08j3c2619jnypc8bznspgx8-gcc-10.3.0-lib  71.7
33.4   7.1%
/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib  71.7
33.4   7.1%
/gnu/store/8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32  91.6
16.4   3.5%
/gnu/store/9rrnm5hdjw7cy96a2a9rfgh6y08wsbmf-ncurses-6.2.2021061977.6 
5.9   1.3%
/gnu/store/pmq05n0q25v4qjyibxfrp53v4391k7vh-mpfr-4.1.0  78.4 
4.0   0.9%
/gnu/store/ajw8nnrnd6hr183skwqdgc8c7mazg97h-isl-0.2377.3 
2.9   0.6%
/gnu/store/fwbiihd2sbhai63y1pvvdh0f2bakfzrf-gmp-6.2.1   74.4 
2.7   0.6%
/gnu/store/4f304c7dp68hkcp1zi1i07zm8nfvvyp7-bash-static-5.1.81.7 
1.7   0.4%
/gnu/store/720rj90bch716isd8z7lcwrnvz28ap4y-bash-static-5.1.81.7 
1.7   0.4%
/gnu/store/4y5m9lb8k3qkb1y9m02sw9w9a6hacd16-bash-minimal-5.1.8  39.3 
1.0   0.2%
/gnu/store/xjwp2hsd9256icjjybfrmznppjicywf6-grep-3.673.5 
0.8   0.2%
/gnu/store/ba02g5xkqiss6s5z8mbj9cvkal6l7b9g-mpc-1.2.1   78.8 
0.4   0.1%
/gnu/store/a38k2v29l6l0iz6pmlk4dmzwdbvl10lq-acl-2.3.1   72.3 
0.3   0.1%
/gnu/store/a7ggx0af69gv4k5mr1k617p4vy9kgx2v-libcap-2.62 72.0 
0.3   0.1%
/gnu/store/jkjs0inmzhj4vsvclbf08nmh0shm7lrf-attr-2.5.1  71.9 
0.2   0.1%
/gnu/store/8qv5kb2fgm4c3bf70zcg9l6hkf3qzpw9-zlib-1.2.11 71.9 
0.2   0.0%
/gnu/store/0c1yfbxyv877mlgychfgvmk5ha2jqh52-gzip-1.10   73.7 
0.2   0.0%
Gesamt: 472.4 MiB

but 

$ guix graph --path emacs-minimal libgccjit 
guix graph: Fehler: Kein Pfad von „emacs-minimal@28.2“ nach
„libgccjit@12.2.0“

and 

$ guix graph --path /gnu/store/wrzjr2g38f23fqg09rrdcn10va5gc5xl-emacs-
minimal-28.2 /gnu/store/lphzb1z0r4kbb453rsvnw7msrxxzp5r7-libgccjit-
10.3.0 --type=referrers
guix graph: Fehler: Kein Pfad von
„/gnu/store/wrzjr2g38f23fqg09rrdcn10va5gc5xl-emacs-minimal-28.2“ nach
„/gnu/store/lphzb1z0r4kbb453rsvnw7msrxxzp5r7-libgccjit-10.3.0“

This is rather curious.  How does libgccjit land in emacs-minimal's
closure?

bug#57493: should allow for customizing home directory permission bits

[Liliana Marie Prikler]

* gnu/system/accounts.scm
> ()[home-directory-permissions]: New
> field.
> (user-account-home-directory-permissions): New accessor.
> * gnu/build/activation.scm (activate-users+groups): Use home
> directory
> permission bits from the user account object.
> * doc/guix.texi (User Accounts): Document new field.
LGTM.

The header says this is part 1/2.  Is that correct or did you just
invoke git format-patch wrong?

Cheers

bug#60816: guix pull ("computing Guix derivation") is not reproducible

[Josselin Poiret via Bug reports for GNU Guix]

Hi Julien,

Julien Lepiller  writes:

> So, apart from the output filename which obviously changes, it seems
> that the differences are:
>
> - order of dependencies,
> - source output,
> - builder (only because it references the source output)
>
> Here's the result of diffoscope on the source outputs (ignore
> modification date, I used touch to make them all the same, not to make
> them sensible ;)):
>
> [...]
>
> Could it be that removed files are somehow kept in cache?

Does this still happen if you run `git clean -df` in both of your local
checkouts?

Best,
-- 
Josselin Poiret

bug#60821: "failed to compute the derivation" and openssl build failure

[Josselin Poiret via Bug reports for GNU Guix]

Hi Zach,

Zach Philipchook  writes:

> Hi!
>
> I installed guix on Ubuntu 20.04 from a tarball and I'm getting an error
> while doing an initial `guix pull`. Apparently, openssl fails to build.
>
> The command output: https://pastebin.com/BVvdcXX2
> The openssl build ouput: https://pastebin.com/Kpn0avU1

This second pastebin is not available anymore. You don't need to use
paste services when using mailing lists, you can just send the log files
as long as they are not too huge (and if they are, just strip the
irrelevant parts).

In the meantime, what tarball are you using?  1.4.0?

Best,
-- 
Josselin Poiret