Hi,
Ricardo Wurmus <rek...@elephly.net> skribis:
> Ludovic Courtès <l...@gnu.org> writes:
>
>> The simplest solution for now (I think that’s what Ricardo & co. had in
>> mind) would be for you to retrieve /var/cache/guix/publish on your
>> server, as is, and then run ‘guix publish’ on your sever: it will know
>> where to find files. As I wrote to Jonathan, you can/should also run
>> nginx on top of that as a proxy to your local ‘guix publish’.
>>
>> Ricardo, can you remind us what the next steps would be?
>
> We need to make sure that *all* the files produced by “guix publish”
> have correct permissions; IIRC some of the files are not readable at all
> by users other than the owner of the files.
Oops, I had forgotten, my bad. I’ll push the attached patch later
today.
Next we’ll need to update the ‘guix’ package, restart ‘guix publish’ on
berlin, and chmod a+r -R /var/cache/guix/publish.
> Once that’s done we just need to start the rsync daemon again,
> preferably as a shepherd service.
Yes.
Sounds like we have a plan!
Peng Mei Yu: make sure to ping us in the coming weeks if you don’t hear
from us by then!
Thanks,
Ludo’.
diff --git a/guix/scripts/publish.scm b/guix/scripts/publish.scm
index e8faf379e2..e3c8711f5b 100644
--- a/guix/scripts/publish.scm
+++ b/guix/scripts/publish.scm
@@ -583,7 +583,10 @@ requested using POOL."
;; guarantee the TTL (see <https://bugs.gnu.org/28664>.)
(with-atomic-file-output nar
(lambda (port)
- (write-file item port))))))
+ (write-file item port)
+ ;; Make the file world-readable, contrary to what
+ ;; 'with-atomic-file-output' does.
+ (chmod port (logand #o644 (lognot (umask)))))))))
(define* (bake-narinfo+nar cache item
#:key ttl (compressions (list %no-compression))
@@ -615,7 +618,12 @@ requested using POOL."
#:nar-path nar-path
#:compressions compressions
#:file-sizes sizes)
- port)))))
+ port)))
+
+ ;; Make the cached narinfo world-readable, contrary to what
+ ;; 'with-atomic-file-output' does, so that other users can rsync
+ ;; the whole cache.
+ (chmod port (logand #o644 (lognot (umask))))))
;; Make narinfo files for OTHERS hard links to NARINFO such that the
;; atime-based cache eviction considers either all the nars or none
diff --git a/tests/publish.scm b/tests/publish.scm
index e46e6256b7..cafd0f13a2 100644
--- a/tests/publish.scm
+++ b/tests/publish.scm
@@ -434,6 +434,11 @@ References: ~%"
(< ttl 3600)))
(wait-for-file cached)
+
+ ;; Both the narinfo and nar should be world-readable.
+ (= #o644 (stat:perms (lstat cached)))
+ (= #o644 (stat:perms (lstat nar)))
+
(let* ((body (http-get-port url))
(compressed (http-get nar-url))
(uncompressed (http-get (string-append base "nar/"
