guix-devel

Re: Signed archives


From: Ludovic Courtès
Subject: Re: Signed archives
Date: Mon, 27 Jan 2014 16:56:59 +0100
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)

Nikita Karetnikov <address@hidden> skribis:

> Sorry, I’m failing to understand how the protocol works.  Is the spec
> available somewhere?

No.

> Could you describe the entire process in a step-by-step way?  What does
> happen when the client requests a substitute?  You mentioned that the
> client attempts to fetch the corresponding .narinfo file.  What does
> happen after that?

The substituter can be invoked either in query mode, or in substitution
mode.

In query mode, it is passed a list of store file names, and it must tell
whether substitutes exist for them.  This is what happens, for instance,
when running ‘guix build foo --dry-run’: it allows ‘guix build’ to know
what would be downloaded from hydra.gnu.org, and what would be built.

In substitute mode, it is passed a list of store file names to actually
substitute.


‘guix substitute-binary’ implements that protocol, with the aim of
reflecting binaries served by Hydra.  Thus, its query mode consists in
verifying whether the .narinfo for a given item exists at
http://hydra.gnu.org.  Its substitute mode consists in downloading the
archive specified in the corresponding .narinfo.

See the thread at
<http://lists.gnu.org/archive/html/bug-guix/2013-04/msg00013.html>.

> Why does the client need to cache the answer?  Does it check the cache
> first?

If it didn’t cache the answer, then it would have to do one HTTP GET for
each item you want to build.  For instance:

  guix build coreutils -n

would lead to something like 20 HTTP requests to hydra.gnu.org, which could
take a lot of time.

So, instead, it does two things:

  • it caches Hydra’s .narinfo or lack thereof, for a limited time (see
    <http://lists.gnu.org/archive/html/bug-guix/2013-04/msg00082.html>);

  • when there’s no info in cache, HTTP requests are made in parallel
    (see <https://lists.gnu.org/archive/html/guix-devel/2013-11/msg00032.html>).

> ‘guix authenticate’ accepts a ‘hash-file’ argument.  Does it come from
> the .narinfo file?

No, it comes from LocalStore::importPath, in local-store.cc.

> If so, should ‘substitute-binary.scm’ check the signature against the
> NarHash field?

Hmm I think so, but we’d have to double-check whether that’s what Nix
actually does.

HTH!

Ludo’.
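
The query-mode caching described in the message above, as an added example that is not part of the original message and is not Guix's code: the presence or absence of a .narinfo is remembered for a limited time, and only uncached items are fetched, in parallel. The names `NarinfoCache`, `fake_fetch`, the TTL values and the sample store items are assumptions constructed for illustration; `fake_fetch` stands in for the HTTP GET.

```python
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed sample data standing in for the substitute server.
HAVE = "/gnu/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-example-1.0"
MISSING = "/gnu/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-other-1.0"
SERVER = {HAVE: "StorePath: " + HAVE + "\nURL: nar/example-1.0\n"
                "Compression: bzip2\nNarHash: sha256:CONSTRUCTED\nNarSize: 1234\n"}
REQUESTS = []                      # one entry per simulated HTTP GET

def fake_fetch(item):
    """Stand-in for the HTTP GET of an item's .narinfo; None means 'not found'."""
    REQUESTS.append(item)
    return SERVER.get(item)

def parse_narinfo(text):
    """Parse the 'Key: value' lines of a .narinfo into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    return fields

class NarinfoCache:
    """Remembers each item's .narinfo, or its absence (None), until the TTL expires."""
    def __init__(self, fetch, ttl=3600, clock=time.monotonic):
        self.fetch, self.ttl, self.clock = fetch, ttl, clock
        self.entries = {}          # store file name -> (expiry time, dict or None)

    def query(self, items):
        """Query mode: map each item to its narinfo dict, or None if no substitute."""
        now = self.clock()
        misses = [i for i in dict.fromkeys(items)        # de-duplicate, keep order
                  if i not in self.entries or self.entries[i][0] <= now]
        if misses:                 # only uncached or expired items reach the network
            with ThreadPoolExecutor(max_workers=8) as pool:
                for item, text in zip(misses, pool.map(self.fetch, misses)):
                    info = None if text is None else parse_narinfo(text)
                    self.entries[item] = (now + self.ttl, info)
        return {i: self.entries[i][1] for i in items}

if __name__ == "__main__":
    cache = NarinfoCache(fake_fetch, ttl=60)
    print(cache.query([HAVE, MISSING]))   # two requests, made in parallel
    cache.query([HAVE, MISSING])          # answered from the cache
    print(len(REQUESTS), "requests in total")
```

Because the "no substitute" answer is cached too, an item that becomes available on the server is not seen until its negative entry expires.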


