Re: Problems with Gnome Authenticator 2FA

2023-02-22 Thread Wojtek Kosior via
> Hi Guix,
> 
>   I'm being required to set up a 2FA application to create
> one-time-passwords for a self-managed Gitlab instance. The wrinkle is
> that I don't own a smartphone. Up until now I've been able to use 2FA
> over SMS for most systems I interact with, but Gitlab doesn't support
> this option. Instead, there is a hard requirement on using a dedicated
> application for this purpose. The recommended choices are Google
> Authenticator and Microsoft Authenticator for either iOS or Android.
> Again, I don't have access to either of these operating systems, nor do
> I want to use these proprietary applications for (what should be) such a
> basic task.
> 
> In digging through the Guix package list, I found `authenticator`:

Hi Gary!

I recall keepassxc, beside being a password manager (and one I am
satisfied with), can also generate authentication codes :)

guix show keepassxc

Good luck with your task!

Wojtek
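
The one-time passwords that authenticator applications like the ones named in this thread generate are TOTP codes (RFC 6238). The following is an added example, not part of the original messages or of any package mentioned here: a standard-library Python sketch that parses an otpauth://totp provisioning URI (the content of an enrollment QR code), computes the current code, and shows the server-side check with a drift window. The sample URI, label and function names are constructed for illustration; the secret is the RFC 6238 test key.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the secret is the RFC 6238 test key "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/Example:user?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example&period=30&digits=6")


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, now=None, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with counter = Unix time // step."""
    now = time.time() if now is None else now
    return hotp(key, int(now) // step, digits, algo)


def parse_otpauth(uri: str) -> dict:
    """Extract TOTP parameters from the URI encoded in an enrollment QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # base32 padding is often omitted
    return {"label": unquote(u.path.lstrip("/")),
            "key": base64.b32decode(secret),
            "step": int(q.get("period", 30)),
            "digits": int(q.get("digits", 6)),
            "algo": q.get("algorithm", "SHA1").lower()}


def verify(key, candidate, now, step=30, digits=6, window=1):
    """Server-side check: tolerate +/- window steps of clock drift."""
    counter = int(now) // step
    ok = False
    for c in range(max(0, counter - window), counter + window + 1):
        # compare_digest avoids leaking the match position through timing
        ok |= hmac.compare_digest(hotp(key, c, digits), candidate)
    return ok


if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    print(cfg["label"], totp(cfg["key"], step=cfg["step"], digits=cfg["digits"]))
```

The shared secret in the URI is the only credential involved, so whichever application stores it should keep it encrypted at rest.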




Problems with Gnome Authenticator 2FA

2023-02-22 Thread Gary Johnson
Hi Guix,

  I'm being required to set up a 2FA application to create
one-time-passwords for a self-managed Gitlab instance. The wrinkle is
that I don't own a smartphone. Up until now I've been able to use 2FA
over SMS for most systems I interact with, but Gitlab doesn't support
this option. Instead, there is a hard requirement on using a dedicated
application for this purpose. The recommended choices are Google
Authenticator and Microsoft Authenticator for either iOS or Android.
Again, I don't have access to either of these operating systems, nor do
I want to use these proprietary applications for (what should be) such a
basic task.

In digging through the Guix package list, I found `authenticator`:

==
name: authenticator
version: 3.32.2
outputs:
+ out: everything
systems: x86_64-linux
dependencies: desktop-file-utils@0.26 gettext-minimal@0.21 glib@2.70.2 
gobject-introspection@1.66.1 gsettings-desktop-schemas@41.0 gtk+@3.24.30 
libhandy@0.0.13
+ libsecret@0.20.5 pkg-config@0.29.2 python-beautifulsoup4@4.11.1 
python-pillow@9.2.0 python-pyfavicon@0.1.1 python-pygobject@3.40.1 
python-pyotp@2.7.0
+ python-pyzbar@0.1.8 python@3.9.9 yoyo-migrations@7.2.0 zbar@0.23.90
location: gnu/packages/gnome.scm:10394:2
homepage: https://gitlab.gnome.org/World/Authenticator/
license: GPL 3+
synopsis: Two-factor authentication application built for GNOME  
description: Authenticator is a two-factor authentication (2FA) application 
built for the GNOME desktop environment.
+ 
+ Features:
+ 
+* QR code scanner
+ 
+* Beautiful UI
+ 
+* Huge database of more than 560 supported services
+ 
+* Keep your PIN tokens secure by locking the application with a password
+ 
+* Automatically fetch an image for services using their favicon
+ 
+* The possibility to add new services
==

It looks like a reasonable FOSS option, so I tried it out via `guix
shell`:

```
$ guix shell authenticator -- authenticator
```

Unfortunately, I just get a program crash and a stacktrace:

==
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 59, in do_startup
    self._setup_actions()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 142, in _setup_actions
    Keyring.get_default().connect("notify::can-be-locked",
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 49, in get_default
    Keyring.instance = Keyring()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 44, in __init__
    self.props.can_be_locked = self.is_password_enabled() and self.has_password()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 136, in is_password_enabled
    state = Secret.password_lookup_sync(schema, {}, None)
gi.repository.GLib.GError: g-dbus-error-quark: The name org.freedesktop.secrets was not provided by any .service files (2)
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 77, in do_activate
    window = Window.get_default()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
    Window.instance = Window()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
    self.init_template('Window')
TypeError: () takes 0 positional arguments but 1 was given
==

The line that stuck out to me was this one:

```
gi.repository.GLib.GError: g-dbus-error-quark: The name
org.freedesktop.secrets was not provided by any .service files (2)
```

A little web searching led me to understand that I need to have the
`gnome-keyring` daemon running. (I wish that had been in the package
documentation.)

Okay, so I reviewed the Guix manual, and I found this info:

==
 -- Variable: gnome-keyring-service-type
 This is the type of the service that adds the GNOME Keyring
 (https://wiki.gnome.org/Projects/GnomeKeyring).  Its value is a
 ‘gnome-keyring-configuration’ object (see below).

 This service adds the ‘gnome-keyring’ package to the system profile
 and extends PAM with entries using 

Re: Coreboot,T440P & GUIX installer

2023-02-22 Thread jerome moliere
Hi,
thanks for the reply Felix...
GUIX is not installed yet, I am stuck during the installation process...
So I have no WM or graphical desktop installed yet..
Opening a console during installation process just leaves me few options:
- I can use ifconfig or ip programs
- ping & telnet
- traceroute
but I don't think that wget or curl is available at this time (I will
double check)
DNS resolution seems ok, I can ping google.com or kernel.org
Where are the log files for the installer  (if any available)?

Thanks for your support

On Wed, Feb 22, 2023 at 8:03 PM Felix Lechner 
wrote:

> Hi,
>
> On Wed, Feb 22, 2023 at 9:34 AM jerome moliere 
> wrote:
> >
> > I just bought a refurbished machine (T440P) with Coreboot
>
> Congratulations on your commitment to free software!
>
> > This wifi chipset is recognized
> > but activating it fails during ESSID pairing (bad password)...
>
> Do you use GNOME or NetworkManager to connect?
>
> > ping
> > works nicely inside my LAN or for public domains)  but network step finish
> > with RED screen saying my network is unable to provide access to
> > substitutes  (git repos for GUIX ?) while github is resolved in console...
>
> You may have a DNS or firewall issue. Did you configure your router to
> suggest 8.8.8.8 and 8.8.4.4 as default name servers for clients?
>
> Please also try wget or curl on a known URL.
>
> Finally, make sure you have ca-certificates installed (for TLS).
>
> > I wondered if someone runs Coreboot with GUIX ?
>
> Since you are already in Guix (or in the installer) I do not believe
> your BIOS plays any role in your technical issues.
>
> Kind regards
> Felix Lechner
>


-- 
J.MOLIERE - Mentor/J


Re: Coreboot,T440P & GUIX installer

2023-02-22 Thread Felix Lechner via
Hi,

On Wed, Feb 22, 2023 at 9:34 AM jerome moliere  wrote:
>
> I just bought a refurbished machine (T440P) with Coreboot

Congratulations on your commitment to free software!

> This wifi chipset is recognized
> but activating it fails during ESSID pairing (bad password)...

Do you use GNOME or NetworkManager to connect?

> ping
> works nicely inside my LAN or for public domains)  but network step finish
> with RED screen saying my network is unable to provide access to
> substitutes  (git repos for GUIX ?) while github is resolved in console...

You may have a DNS or firewall issue. Did you configure your router to
suggest 8.8.8.8 and 8.8.4.4 as default name servers for clients?

Please also try wget or curl on a known URL.

Finally, make sure you have ca-certificates installed (for TLS).

> I wondered if someone runs Coreboot with GUIX ?

Since you are already in Guix (or in the installer) I do not believe
your BIOS plays any role in your technical issues.

Kind regards
Felix Lechner



GUIX 1.4, T440P, CoreBoot : network failure during install

2023-02-22 Thread jerome moliere
Hi all,
I just bought a refurbished machine (T440P) with Coreboot to run a fully
open source experience...
Experience is not so good for the moment, because I am stuck in the third
or fourth screen of the GUIX installer during network detection.
My laptop has an atheros wifi  chipset  supported for a long time by the
Linux kernel (no proprietary firmware)... This wifi chipset is recognized
but activating it fails during ESSID pairing (bad password)...
T440P has an ethernet connector, ethernet card is recognized too , the card
works on console during installation (ip a shows correct information, ping
works nicely inside my LAN or for public domains)  but network step finish
with RED screen saying my network is unable to provide access to
substitutes  (git repos for GUIX ?) while github is resolved in console...

I have tried to restart the network services, to play with connmanctl to
restart services, rescan... But it always fails!!!

Have you any idea...
thanks for sharing

-- 
J.MOLIERE - Mentor/J


Terminal apps display question marks instead of the € (UTF-8) character and emojis not displayed in Icecat

2023-02-22 Thread danclm--- via
Hello Guix,
my terminal is displaying question marks instead of the € (UTF-8) character. 
I'm using the DejaVu Sans Mono font, declared as a package in my desktop.scm 
file and configured in .alacritty.yml. The same thing happens with Kitty, Foot 
and other fonts.
fc-cache -rv was executed. I'm running Sway as a window manager.
In Emacs GUI the € character is displayed correctly.
Furthermore, the browser is not displaying emojis properly. Here for example 
https://emojidissector.com/ my browser is showing some square boxes with 
numbers instead of emojis. 
Even if the config I pasted below does not include any package for emojis, I 
had no success trying to declare one and reconfigure everything.

My desktop.scm:

;; This is an operating system configuration template with the Sway window manager
(use-modules
(gnu)
(gnu system nss)
(gnu system setuid)
(gnu packages certs)
(gnu packages compression)
(gnu packages disk)
(gnu packages emacs)
(gnu packages finance) ;;ledger
(gnu packages fonts)
(gnu packages fontutils)
(gnu packages glib)
(gnu packages games) ;;gtypist
(gnu packages gnome) ;;adwaita-icon-theme
(gnu packages gnupg)
(gnu packages gnuzilla)
(gnu packages gtk)
(gnu packages image) ;;grim
(gnu packages libreoffice)
(gnu packages linux)
(gnu packages package-management)
(gnu packages password-utils)
(gnu packages pulseaudio)
(gnu packages rsync)
(gnu packages ssh)
(gnu packages terminals)
(gnu packages tex)
(gnu packages version-control)
(gnu packages wm) ;;sway ;;waybar
(gnu services dbus)
(gnu services desktop)
(gnu services networking)
(gnu services sddm)
(gnu services sound)
(gnu services ssh))

(operating-system
(host-name "t420")
(timezone "Europe/Rome")
(locale "en_US.utf8")

  ;; Choose US English keyboard layout.
  (keyboard-layout (keyboard-layout "us"))

  ;; Bootloader
  (bootloader (bootloader-configuration
   (bootloader grub-bootloader)
   (terminal-outputs '(console))
   (targets (list "/dev/sda"))
   (keyboard-layout keyboard-layout)))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
  (mapped-devices
   (list (mapped-device
  (source (uuid "8022876e-e0cc-4ec5-8363-0f07c590cdbc"))
  (targets (list "guix-root"))
  (type luks-device-mapping))))

  (file-systems
   (append
    (list (file-system
   (device (file-system-label "guix-root"))
   (mount-point "/")
   (type "ext4")
   (dependencies mapped-devices)))
 %base-file-systems))

  (swap-devices (list
 (swap-space (target "/swapfile"))))

  ;; Create users and groups.
  (users
   (cons (user-account
  (name "dani")
  (comment "")
  (group "users")
  (home-directory "/home/dani")
  (supplementary-groups '("wheel" "netdev"
  "audio" "video" "input")))
 %base-user-accounts))

  ;; This is where we specify system-wide packages.
  (packages
   (append
    (list
 adwaita-icon-theme
 alacritty
 at-spi2-core
 dbus
 emacs
 font-awesome
 fontconfig
 font-dejavu
 fzf
 git
 gnupg
 grim
 gtypist
 icecat
 keepassxc
 ledger
 libreoffice
 light
 nss-certs
 openssh-sans-x
 parted
 pass-otp
 password-store
 pavucontrol
 pinentry
 pulseaudio
 rsync
 slurp
 stow
 sway
 swayidle
 swaylock-effects
 texlive-base
 unzip
 waybar
 zip)
    %base-packages))

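  ;; Some programs need to run with “root” privileges, even when they are launched by unprivileged users
  (setuid-programs (cons*
    (setuid-program
 (program
  (file-append swaylock-effects "/bin/swaylock")))
    ;; Closing of this form was lost in the archive; %setuid-programs is
    ;; assumed here as the default list being extended.
    %setuid-programs))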
  ;; Services
  (services
   (cons*
    (service alsa-service-type
 (alsa-configuration
  (pulseaudio? #t)))
    (dbus-service)
    (service elogind-service-type)
    (service network-manager-service-type)
    (service ntp-service-type)
    (service openssh-service-type
 (openssh-configuration
  (openssh openssh-sans-x)
  (port-number )
  (password-authentication? #f)
  (authorized-keys
   `(("dani" ,(local-file "/home/dani/.ssh/authorized_keys"))
 ;  ("root" ,(local-file "~/"))
     ))))
    (service sddm-service-type
   (sddm-configuration
  (auto-login-user "dani")
  (display-server "wayland"))) ;"wayland" ;"sway.desktop"
    (service wpa-supplicant-service-type)
    %base-services))

  ;; Allow resolution of '.local' host names with mDNS.
  (name-service-switch %mdns-host-lookup-nss))

Thanks in advance!




Coreboot,T440P & GUIX installer

2023-02-22 Thread jerome moliere
Hi all,
I just bought a refurbished machine (T440P) with Coreboot to run a fully
open source experience...
Experience is not so good for the moment, because I am stuck in the third
or fourth screen of the GUIX installer during network detection.
My laptop has an atheros wifi  chipset  supported for a long time by the
Linux kernel (no proprietary firmware)... This wifi chipset is recognized
but activating it fails during ESSID pairing (bad password)...
T440P has an ethernet connector, ethernet card is recognized too , the card
works on console during installation (ip a shows correct information, ping
works nicely inside my LAN or for public domains)  but network step finish
with RED screen saying my network is unable to provide access to
substitutes  (git repos for GUIX ?) while github is resolved in console...

I have tried to restart the network services, to play with connmanctl to
restart services, rescan... But it always fails!!!

I wondered if someone runs Coreboot with GUIX ? The machine is quite old so
all hardware is recognized, wifi chipset is compliant with free software,
so it should work nicely ..And I can't think that installer has a so big
bug (it should prevent many people from installing Guix)..

I have tried the 1.4 iso & the system crafter latest build but same
result...

Have you any idea...
thanks for sharing


-- 
J.MOLIERE - Mentor/J


limited compiler-rt support in llvm-15?

2023-02-22 Thread Haugen, Kjetil
[AMD Official Use Only - General]

Hello!

I'm in the process of creating guix packages for rocm using upstream clang. I 
noticed that for clang-runtime-15, guix now explicitly deletes all static 
libraries which makes the packages with -rtlib=compiler-rt fail due to missing 
libclang_rt.builtins-x86_64.a. Is there any particular reason why guix made 
that change between clang-runtime-14 and clang-runtime-15? I'd like to propose 
to revert that change. I know I can always create my own clang-runtime-15 
variant, but I was hoping to avoid the additional complexity of maintaining 
custom versions of clang-runtime and all the packages that depend on it.

Thanks,
KJ


Re: Using an alternative python to build python modules

2023-02-22 Thread Simon Tournier
Hi,

There is no free lunch. ;-)

On Wed, 22 Feb 2023 at 04:23, Kyle Andrews  wrote:

>   Honestly, I couldn't get my poor ancient laptop to
> even finish compiling the inferior - much less try using that inferior
> with your package-with-explicit-python. I'm just wishing that this
> approach will work in the near future. So, please don't let anyone
> include it yet :)

Well, ’package-with-explicit-python’ traverses all the graph and can go
deep; basically you might end with a world rebuild since the dependency
of Python is often deep.

(I let aside the inferior part that you do not need, IMHO.)

The computational environment you create with Conda is totally
inconsistent in regard to the Python version label.  The Conda
resolver works using the version label.  Consider this scenario:

A library X version x.y builds with Python interpreter version p.q and
you are interested by library A depending on library X version x.y and
also by some Python libraries and the Python interpreter version b.d,
then library X is not rebuilt with Python interpreter version b.d.
Somehow, Conda exploits some binary compatibility, roughly what Guix
names grafts. :-)

Other said, Conda is not building and then serving all the matrix of
possible combinations.  Somehow Conda cheats when Guix does not.  Well, I am
not saying that cheating is not practical, instead I think that by using
this kind of cheat, the reproducibility becomes harder by design because
it lacks a fine control of the complete DAG.

This leads to the other point…

> I'm just wishing that this
> approach will work in the near future. So, please don't let anyone
> include it yet :)

…rewrite on the fly the DAG is cheap with Guix but build it is not. :-)

I agree that a similar feature as Conda where you can specify the Python
version and a list of Python libraries, yeah this feature would help
people from Conda in convincing them that Guix is more suitable.

However, for most of the scientific applications I know, the version of
Python is not really something pertinent – other said, that’s a fun
feature but useless in practise, IMHO, just a dumb collective practise
inherited from the poor Python ecosystem, and for sure it does not help
for reproducing the computational environment (end of my grumbles :-)).

Well, I do not know if the rebuild you are experimenting is avoidable or
desirable.  Maybe, it would be possible to cut the graph earlier or to
avoid to walk too deeply.  I do not know.


Cheers,
simon



Re: Using an alternative python to build python modules

2023-02-22 Thread Simon Tournier
Hi,

On Tue, 21 Feb 2023 at 22:10, Simon Tournier  wrote:

> It is about the Guile module system and sometimes I am also puzzled why
> the @@ is not working as expected.

Probably because, quoting Tobias [1]:

could this be due to declarative modules? The definition's not
used anywhere else and *may* be inlined when Guile sees fit

1: 


Cheers,
simon



Re: Using an alternative python to build python modules

2023-02-22 Thread Simon Tournier
Hi,

On Tue, 21 Feb 2023 at 20:26, Kyle Andrews  wrote:
> ```
> repl> (define pwep (@@ (guix build-system python) 
> package-with-explicit-python))
> ice-9/boot-9.scm:1685:16: In procedure raise-exception:
> error: package-with-explicit-python: unbound variable
> ```

[...]

> There seems to be some secret Guile incantation I am overlooking. Could
> you give me a hint of what this could be?

It is about the Guile module system and sometimes I am also puzzled why
the @@ is not working as expected.

Well, sorry I do not know and I cannot help.  Even, I would also like
having a clue about how to fix this annoyance.

Cheers,
simon