* guix/pk-crypto.scm (gcrypt-version): New procedure.
* guix/scripts/archive.scm (%key-generation-parameters): New variable.
(%options) <generate-key>: Use it.
* tests/pk-crypto.scm ("sign + verify, Ed25519"): Skip if using gcrypt < 1.6.0.
* guix/scripts/offload.scm (with-error-to-port): New macro.
(remote-pipe): Add #:error-port parameter. Use 'with-error-to-port'
around 'open-pipe*' call.
(build-log-port): New procedure.
(offload): Change #:log-port to default to (build-log-port). Call
'remote-pipe' with #:error-port LOG-PORT.
* guix/scripts/substitute-binary.scm (fetch): Add #:quiet-404?
parameter. Upon &http-get-error, re-raise C if the QUIET-404? is
true and the code is 404.
(fetch-narinfo): Pass #:quiet-404? #t.
* guix/pk-crypto.scm (bytevector->hash-data): Add #:key-type parameter.
Use the 'pkcs1' flag when KEY-TYPE is 'rsa', and 'rfc6979' when
KEY-TYPE is 'ecc' or 'dsa'.
(key-type): New procedure.
* guix/scripts/authenticate.scm (read-hash-data): Add 'key-type'
parameter. Pass it to 'bytevector->hash-data'. Adjust caller
accordingly.
* tests/pk-crypto.scm (%ecc-key-pair): New variable.
("key-type"): New test.
("sign + verify"): Pass #:key-type to 'bytevector->hash-data'.
("sign + verify, Ed25519"): New test.
* guix/scripts/offload.scm (offload): Remove default value for
'build-timeout'. Pass '--timeout' to the remote 'guix build'
process.
(transfer-and-offload, process-request): Remove default value for
'build-timeout'.
* guix/scripts/offload.scm (transfer-and-offload): New procedure, with
core formerly in 'process-request'.
(choose-build-machine): Remove 'requirements' parameter.
(process-request): Reply 'decline' when none of MACHINES matches the
requirements, and 'postpone' when MACHINES are busy.
* guix/scripts/offload.scm (machine-choice-lock-file,
machine-slot-file, acquire-build-slot, release-build-slot): New
procedures.
(choose-build-machine): Operate with (machine-choice-lock-file)
taken. Acquire a build slot for each of MACHINES. Release those not
used.
* guix/scripts/offload.scm (lock-machine, unlock-machine): Remove.
(lock-file, unlock-file): New procedures.
(with-file-lock): New macro.
(with-machine-lock): Rewrite in terms of 'with-file-lock'.
* guix/scripts/offload.scm (machine-lock-file, lock-machine,
unlock-machine): New procedures.
(with-machine-lock): New macro.
(process-request): Wrap 'send-files' and 'retrieve-files' calls in
'with-machine-lock'.
* guix/http-client.scm (&http-get-error): New condition type.
(http-fetch): Raise it instead of using 'error'.
* guix/scripts/substitute-binary.scm (fetch) <http>: Wrap body into
'guard' form; gracefully handle 'http-get-error?' conditions.
* guix/scripts/offload.scm (machine-load, machine-less-loaded?,
machine-less-loaded-or-faster?): New procedures.
(choose-build-machine): Use 'machine-less-loaded-or-faster?' when
sorting. Return the head of MACHINES unless it's loaded is >= 2.
* guix/scripts/hash.scm (show-help): Add --recursive.
(%options): Likewise.
(guix-hash)[file-hash]: New procedure. Honor --recursive.
Use it.
* guix/nar.scm (write-file): Add missing field to the &nar-error
condition raised upon unsupported file type; change its message to be
more descriptive.
* tests/guix-hash.sh: Add tests with -r.
* doc/guix.texi (Invoking guix hash): Document --recursive.
* guix/scripts/system.scm: New file.
* Makefile.am (MODULES): Add it.
* po/POTFILES.in: Likewise.
* doc/guix.texi (Using the Configuration System): Link to "Invoking guix
system".
(Invoking guix system): New node.
* guix/scripts/offload.scm (offload): Add 'log-port' keyword parameter.
Handle log display here. Return the result of (close-pipe pipe).
(process-request): Adjust 'offload' call site accordingly. Call
'retrieve-files' only when 'offload' returns zero; exit when 'offload'
returns non-zero.
* nix/nix-daemon/guix-daemon.cc (GUIX_OPT_NO_BUILD_HOOK): New macro.
(options): Add '--no-build-hook'.
(parse_opt): Handle it.
(main)[HAVE_DAEMON_OFFLOAD_HOOK]: Set 'useBuildHook' by default.
Set $NIX_BUILD_HOOK to our offload hook unless otherwise specified.
[!HAVE_DAEMON_OFFLOAD_HOOK]: Clear 'useBuildHook'.
* pre-inst-env.in: Set and export NIX_BUILD_HOOK.
* nix/scripts/offload.in, guix/scripts/offload.scm: New files.
* guix/ui.scm (show-guix-help)[internal?]: Add "offload".
* config-daemon.ac: Call 'GUIX_CHECK_UNBUFFERED_CBIP'.
Instantiate 'nix/scripts/offload'. Set 'BUILD_DAEMON_OFFLOAD'
conditional, and optionally define 'HAVE_DEAMON_OFFLOAD_HOOK' cpp
macro.
* daemon.am (nodist_pkglibexec_SCRIPTS)[BUILD_DAEMON_OFFLOAD]: Add it.
* Makefile.am (MODULES)[BUILD_DAEMON_OFFLOAD]: Add
'guix/scripts/offload.scm'.
(EXTRA_DIST)[!BUILD_DAEMON_OFFLOAD]: Likewise.
* m4/guix.m4 (GUIX_CHECK_UNBUFFERED_CBIP): New macro.
* doc/guix.texi (Setting Up the Daemon): Move most of the body to...
(Build Environment Setup): ... this. New subsection.
(Daemon Offload Setup): New subsection.
* guix/pki.scm (signature-subject, signature-signed-data,
valid-signature?): New procedures.
* guix/scripts/authenticate.scm (guix-authenticate): Adjust to use
them.
* nix-upstream: Update sub-module.
* daemon.am (libutil_a_SOURCES): Add affinity.cc.
(libutil_headers): Add affinity.hh.
(libexec_PROGRAMS, nix_setuid_helper_SOURCES,
nix_setuid_helper_CPPFLAGS, nix_setuid_helper_LDADD): Remove.
* doc/guix.texi (Setting Up the Daemon): Remove paragraph about
'nix-setuid-helper'.
* guix/scripts/substitute-binary.scm (guix-substitute-binary): Exit 0 when
%CACHE-URL has an HTTP scheme and looking up its host fails.
Always print a newline to stdout when starting.
* guix/pki.scm (ensure-acl): Make sure the directory of %ACL-FILE
exists.
* guix/scripts/archive.scm (generate-key-pair): Likewise for
%PUBLIC-KEY-FILE.
* guix/scripts/package.scm (leave-on-EPIPE): New macro.
(guix-package): Use it for 'list-installed', 'list-available', and
'--list-generations'.
* tests/guix-package.sh: Add test.
* guix/scripts/archive.scm (authorize-key): New procedure.
(guix-archive): Call it when OPTS contains 'authorize-key'.
* tests/guix-archive.sh: Add test with invalid public key.
* guix/pki.scm: Export '%acl-file'.
* doc/guix.texi (Invoking guix archive): Make it clear that '--import'
works only with authorized keys. Document '--authorize'.
* guix/scripts/authenticate.scm (signature-sexp): Remove.
(guix-authenticate): Upon '-verify', check whether the signature's
public key passes 'authorized-key?'.
* guix/scripts/authenticate.scm (signature-sexp): New procedure.
(guix-authenticate): Use it to produce the signature. Adjust
verification code accordingly.
* tests/store.scm ("import corrupt path"): Adjust test accordingly.