From 11dee1bb8fbe6efd85280ca58f3bd2f90baef31a Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Mon, 6 Apr 2020 11:06:53 +0200
Subject: build-self: Avoid call to 'show-what-to-build*' on modern Guix.

This avoids repeated "will be downloaded" messages for
'compute-guix-derivation' and its dependencies.

* build-aux/build-self.scm (build): Don't call 'show-what-to-build*'
when 'with-build-handler' is defined.
---
 build-aux/build-self.scm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'build-aux')

diff --git a/build-aux/build-self.scm b/build-aux/build-self.scm
index 2782a4da72..f86c79f0d0 100644
--- a/build-aux/build-self.scm
+++ b/build-aux/build-self.scm
@@ -408,7 +408,11 @@ files."
                       (major  ((store-lift nix-server-major-version)))
                       (minor  ((store-lift nix-server-minor-version))))
     (mbegin %store-monad
-      (show-what-to-build* (list build))
+      ;; Before 'with-build-handler' was implemented and used, we had to
+      ;; explicitly call 'show-what-to-build*'.
+      (munless (module-defined? (resolve-module '(guix store))
+                                'with-build-handler)
+        (show-what-to-build* (list build)))
       (built-derivations (list build))
 
       ;; Use the port beneath the current store as the stdin of BUILD.  This
-- 
cgit 1.4.1


From 27a1e4fd109f6df9f687958cfead0d3e41e330aa Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Sun, 12 Apr 2020 00:00:59 +0200
Subject: build: Cap build parallelism on i686.

Works around <https://bugs.gnu.org/40522>.

* build-aux/compile-all.scm (parallel-job-count*): New procedure.
<top level>: Use it instead of 'parallel-job-count'.
---
 build-aux/compile-all.scm | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'build-aux')

diff --git a/build-aux/compile-all.scm b/build-aux/compile-all.scm
index e9f3e957d9..ad75e33a85 100644
--- a/build-aux/compile-all.scm
+++ b/build-aux/compile-all.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2016 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
-;;; Copyright © 2016, 2017, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -79,6 +79,14 @@ to 'make'."
                        (current-processor-count))))
                 (loop tail)))))))))
 
+(define (parallel-job-count*)
+  ;; XXX: Work around memory requirements not sustainable on i686 above '-j4'
+  ;; or so: <https://bugs.gnu.org/40522>.
+  (let ((count (parallel-job-count)))
+    (if (string-prefix? "i686" %host-type)
+        (min count 4)
+        count)))
+
 (define (% completed total)
   "Return the completion percentage of COMPLETED over TOTAL as an integer."
   (inexact->exact (round (* 100. (/ completed total)))))
@@ -95,7 +103,7 @@ to 'make'."
      (lambda ()
        (compile-files srcdir (getcwd)
                       (filter file-needs-compilation? files)
-                      #:workers (parallel-job-count)
+                      #:workers (parallel-job-count*)
                       #:host host
                       #:report-load (lambda (file total completed)
                                       (when file
-- 
cgit 1.4.1


From aa78c596c9eaae946f779d8fa3c4125d08187648 Mon Sep 17 00:00:00 2001
From: Tobias Geerinckx-Rice <me@tobias.gr>
Date: Fri, 17 Apr 2020 23:25:17 +0200
Subject: gnupg: Accept revoked keys.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I (nckx) have revoked all RSA subkeys, in favour of my older and
freshly-refreshed ECDSA ones.  This was merely a precaution: to my
knowledge all my RSA private keys have been carefully destroyed and
were never compromised.  This commit keeps ‘make authenticate’ happy.

* guix/gnupg.scm (revkeysig-rx): New variable for revoked keys.
(gnupg-verify): Parse it.
(gnupg-status-good-signature?): Accept it as ‘good’ for our purposes.
* build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
---
 build-aux/git-authenticate.scm |  7 ++++---
 guix/gnupg.scm                 | 11 ++++++++++-
 2 files changed, 14 insertions(+), 4 deletions(-)

(limited to 'build-aux')

diff --git a/build-aux/git-authenticate.scm b/build-aux/git-authenticate.scm
index 37e0c6800c..bb48dddc59 100644
--- a/build-aux/git-authenticate.scm
+++ b/build-aux/git-authenticate.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -147,11 +148,11 @@
     ("mthl"
      "F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37")
     ("nckx"
-     ;; primary: "F5BC 5534 C36F 0087 B39D  36EF 1C9D C4FE B9DB 7C4B"
-     "7E8F AED0 0944 78EF 72E6  4D16 D889 B0F0 18C5 493C")
-    ("nckx (2nd)"
      ;; primary: "F5BC 5534 C36F 0087 B39D  36EF 1C9D C4FE B9DB 7C4B"
      "F5DA 2032 4B87 3D0B 7A38  7672 0DB0 FF88 4F55 6D79")
+    ("nckx (revoked; not compromised)"
+     ;; primary: "F5BC 5534 C36F 0087 B39D  36EF 1C9D C4FE B9DB 7C4B"
+     "7E8F AED0 0944 78EF 72E6  4D16 D889 B0F0 18C5 493C")
     ("niedzejkob"
      "E576 BFB2 CF6E B13D F571  33B9 E315 A758 4613 1564")
     ("ngz"
diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index bf0283f8fe..5fae24b325 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -71,6 +72,8 @@
    "^\\[GNUPG:\\] VALIDSIG ([[:xdigit:]]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+) .*$"))
 (define expkeysig-rx                    ; good signature, but expired key
   (make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$"))
+(define revkeysig-rx                    ; good signature, but revoked key
+  (make-regexp "^\\[GNUPG:\\] REVKEYSIG ([[:xdigit:]]+) (.*)$"))
 (define errsig-rx
   ;; Note: The fingeprint part (the last element of the line) appeared in
   ;; GnuPG 2.2.7 according to 'doc/DETAILS', and it may be missing.
@@ -114,6 +117,11 @@ revoked.  Return a status s-exp if GnuPG failed."
            (lambda (match)
              `(expired-key-signature ,(match:substring match 1) ; fingerprint
                                      ,(match:substring match 2)))) ; user name
+          ((regexp-exec revkeysig-rx line)
+           =>
+           (lambda (match)
+             `(revoked-key-signature ,(match:substring match 1) ; fingerprint
+                                     ,(match:substring match 2)))) ; user name
           ((regexp-exec errsig-rx line)
            =>
            (lambda (match)
@@ -157,7 +165,8 @@ a fingerprint/user pair; return #f otherwise."
   (match (assq 'valid-signature status)
     (('valid-signature fingerprint date timestamp)
      (match (or (assq 'good-signature status)
-                (assq 'expired-key-signature status))
+                (assq 'expired-key-signature status)
+                (assq 'revoked-key-signature status))
        ((_ key-id user) (cons fingerprint user))
        (_ #f)))
     (_
-- 
cgit 1.4.1