publish: Create files in the cache as #o644.
Reported by Ricardo Wurmus <rekado@elephly.net>.
* guix/scripts/publish.scm (compress-nar): Add 'chmod' call to ensure
PORT is #o644, in the uncompressed case.
(bake-narinfo+nar): Likewise for the narinfo file.
* tests/publish.scm ("with cache"): Check permissions on CACHED and NAR.
This commit is contained in:
Ludovic Courtès
parent
86e9e5cb23
commit
d754757628
|
|
@ -583,7 +583,10 @@ requested using POOL."
|
|||
;; guarantee the TTL (see <https://bugs.gnu.org/28664>.)
|
||||
(with-atomic-file-output nar
|
||||
(lambda (port)
|
||||
(write-file item port))))))
|
||||
(write-file item port)
|
||||
;; Make the file world-readable, contrary to what
|
||||
;; 'with-atomic-file-output' does.
|
||||
(chmod port (logand #o644 (lognot (umask)))))))))
|
||||
|
||||
(define* (bake-narinfo+nar cache item
|
||||
#:key ttl (compressions (list %no-compression))
|
||||
|
|
@ -615,7 +618,12 @@ requested using POOL."
|
|||
#:nar-path nar-path
|
||||
#:compressions compressions
|
||||
#:file-sizes sizes)
|
||||
port)))))
|
||||
port)))
|
||||
|
||||
;; Make the cached narinfo world-readable, contrary to what
|
||||
;; 'with-atomic-file-output' does, so that other users can rsync
|
||||
;; the whole cache.
|
||||
(chmod port (logand #o644 (lognot (umask))))))
|
||||
|
||||
;; Make narinfo files for OTHERS hard links to NARINFO such that the
|
||||
;; atime-based cache eviction considers either all the nars or none
|
||||
|
|
|
|||
|
|
@ -434,6 +434,11 @@ References: ~%"
|
|||
(< ttl 3600)))
|
||||
|
||||
(wait-for-file cached)
|
||||
|
||||
;; Both the narinfo and nar should be world-readable.
|
||||
(= #o644 (stat:perms (lstat cached)))
|
||||
(= #o644 (stat:perms (lstat nar)))
|
||||
|
||||
(let* ((body (http-get-port url))
|
||||
(compressed (http-get nar-url))
|
||||
(uncompressed (http-get (string-append base "nar/"
|
||||
|
|
|
|||
Loading…
Reference in New Issue