Hi,

Attila Lendvai <att...@lendvai.name> wrote:

> i've installed a new guix, and at the first `guix system reconfigure` i
> specified a substitute server using --substitute-urls for That Other Channel.
> i had to do this, because the config.scm that contains the substitute
> specification is yet to be applied.
>
> it didn't work. it prints everything as usual, including the 100% message for
> that substitute server, but it starts to build packages locally for which
> substitutes are available. i haven't noticed any indication that there's a
> problem with any of the substitute servers.
>
> once i've downloaded the .pub and i finally did the right incantation (sudo
> guix archive --authorize < signing-key.pub), then it started to download the
> substitutes as i expected.
>
> i would much prefer a behavior where a "cryptic" exception and backtrace is
> printed by a toplevel error handler. it has cost me about an hour of my life.

I agree we should print a message when stumbling upon unauthorized
substitutes (it’s not OpenPGP, BTW).

Note that it’s not completely trivial: you might download substitutes
not signed by one of the keys in the ACL if they happen to match
substitutes that *are* signed by one of the authorized keys.

Also, when discovery is enabled, it’s preferable to silently ignore
neighboring servers that the user did not explicitly specify via
‘--substitute-urls’.

Ludo’.
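A simplified model of the decision described in the message above, added here as an example; it is not part of the original thread and is not Guix's code. The `Narinfo` fields, the status names and the `classify` function are assumptions made for illustration, and the servers, keys and hashes are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Narinfo:
    server: str      # substitute server that returned this metadata
    store_path: str  # item being substituted
    nar_hash: str    # content hash the server claims for the item
    signer: str      # key that signed the metadata
    explicit: bool   # True: given via --substitute-urls; False: discovered

def classify(narinfos, acl):
    """Return ({(server, store_path): status}, [warnings]) for a set of narinfos."""
    # Content hashes vouched for by at least one key in the ACL, per store item.
    trusted = {}
    for n in narinfos:
        if n.signer in acl:
            trusted.setdefault(n.store_path, set()).add(n.nar_hash)
    status, warnings = {}, []
    for n in narinfos:
        key = (n.server, n.store_path)
        if n.signer in acl:
            status[key] = "authorized"
        elif n.nar_hash in trusted.get(n.store_path, set()):
            # Unauthorized signer, but same content as an authorized narinfo.
            status[key] = "equivalent"
        else:
            status[key] = "rejected"
            if n.explicit:  # stay silent about discovered neighbours
                warnings.append(f"{n.server}: {n.store_path} signed by "
                                f"unauthorized key {n.signer}")
    return status, warnings

# Constructed sample data; servers, keys and hashes are made up.
ACL = {"key-A"}
SAMPLE = [
    Narinfo("https://official.example", "/gnu/store/aaa-hello", "h1", "key-A", True),
    Narinfo("https://mirror.example", "/gnu/store/aaa-hello", "h1", "key-B", True),
    Narinfo("https://other.example", "/gnu/store/bbb-extra", "h2", "key-C", True),
    Narinfo("http://192.0.2.7:8080", "/gnu/store/bbb-extra", "h2", "key-D", False),
]

if __name__ == "__main__":
    result, msgs = classify(SAMPLE, ACL)
    for k, v in result.items():
        print(k, v)
    print(*msgs, sep="\n")
```

In this model a warning is produced only for the explicitly requested server whose key is not in the ACL and whose content no authorized key vouches for; the mirror with matching content and the discovered neighbour produce none.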