From df061d079b50111280aa7209b3b3c4cf21fde218 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
Date: Wed, 16 Mar 2016 10:35:24 +0100
Subject: [PATCH] build: Default to "https://mirror.hydra.gnu.org/" for
 substitutes.

* config-daemon.ac: Check for (gnutls) and define 'GUIX_SUBSTITUTE_URLS'.
* nix/nix-daemon/guix-daemon.cc (main): Use GUIX_SUBSTITUTE_URLS.
* guix/store.scm (%default-substitute-urls): Use 'https' when (gnutls)
is available.
* doc/guix.texi (Binary Installation): Mention mirrors
(Invoking guix-daemon): Mention mirror.hydra.gnu.org.
(Substitutes): Mention mirrors.
(Invoking guix archive): Show https URLs.
---
 config-daemon.ac              | 14 ++++++++++++++
 doc/guix.texi                 | 16 +++++++++-------
 guix/store.scm                |  8 ++++++--
 nix/nix-daemon/guix-daemon.cc |  4 ++--
 4 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/config-daemon.ac b/config-daemon.ac
index c74ec94d31..63174d62c7 100644
--- a/config-daemon.ac
+++ b/config-daemon.ac
@@ -110,6 +110,20 @@ if test "x$guix_build_daemon" = "xyes"; then
   dnl Check for <linux/fs.h> (for immutable file support).
   AC_CHECK_HEADERS([linux/fs.h])
 
+  dnl Determine the appropriate default list of substitute URLs.
+  GUILE_MODULE_AVAILABLE([have_gnutls], [(gnutls)])
+  if test "x$have_gnutls" = "xyes"; then
+    guix_substitute_urls="https://mirror.hydra.gnu.org https://hydra.gnu.org"
+  else
+    AC_MSG_WARN([GnuTLS is missing, substitutes will be downloaded in the clear])
+    guix_substitute_urls="http://mirror.hydra.gnu.org http://hydra.gnu.org"
+  fi
+  AC_MSG_CHECKING([for default substitute URLs])
+  AC_MSG_RESULT([$guix_substitute_urls])
+
+  AC_DEFINE_UNQUOTED([GUIX_SUBSTITUTE_URLS], ["$guix_substitute_urls"],
+    [Default list of substitute URLs used by 'guix-daemon'.])
+
   dnl Check whether the 'offload' build hook can be built (uses
   dnl 'restore-file-set', which requires unbuffered custom binary input
   dnl ports from Guile >= 2.0.10.)
diff --git a/doc/guix.texi b/doc/guix.texi
index 438189fb34..05ce7858d5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -448,8 +448,8 @@ Directories,,, texinfo, GNU Texinfo}, for more details on changing the
 Info search path.)
 
 @item
-To use substitutes from @code{hydra.gnu.org} (@pxref{Substitutes}),
-authorize them:
+To use substitutes from @code{hydra.gnu.org} or one of its mirrors
+(@pxref{Substitutes}), authorize them:
 
 @example
 # guix archive --authorize < ~root/.guix-profile/share/guix/hydra.gnu.org.pub
@@ -912,8 +912,9 @@ remote procedure call (@pxref{The Store}).
 @item --substitute-urls=@var{urls}
 @anchor{daemon-substitute-urls}
 Consider @var{urls} the default whitespace-separated list of substitute
-source URLs.  When this option is omitted, @indicateurl{http://hydra.gnu.org}
-is used.
+source URLs.  When this option is omitted,
+@indicateurl{https://mirror.hydra.gnu.org https://hydra.gnu.org} is used
+(@code{mirror.hydra.gnu.org} is a mirror of @code{hydra.gnu.org}).
 
 This means that substitutes may be downloaded from @var{urls}, as long
 as they are signed by a trusted signature (@pxref{Substitutes}).
@@ -1730,7 +1731,8 @@ your system has unpatched security vulnerabilities.
 
 @cindex security
 @cindex digital signatures
-To allow Guix to download substitutes from @code{hydra.gnu.org}, you
+To allow Guix to download substitutes from @code{hydra.gnu.org} or a
+mirror thereof, you
 must add its public key to the access control list (ACL) of archive
 imports, using the @command{guix archive} command (@pxref{Invoking guix
 archive}).  Doing so implies that you trust @code{hydra.gnu.org} to not
@@ -2199,7 +2201,7 @@ served by @code{hydra.gnu.org} to @file{/tmp/emacs}:
 
 @example
 $ wget -O - \
-  http://hydra.gnu.org/nar/@dots{}-emacs-24.5 \
+  https://hydra.gnu.org/nar/@dots{}-emacs-24.5 \
   | bunzip2 | guix archive -x /tmp/emacs
 @end example
 
@@ -4294,7 +4296,7 @@ but you are actually on an @code{x86_64} machine:
 
 @example
 $ guix build --log-file gdb -s mips64el-linux 
-http://hydra.gnu.org/log/@dots{}-gdb-7.10
+https://hydra.gnu.org/log/@dots{}-gdb-7.10
 @end example
 
 You can freely access a huge library of build logs!
diff --git a/guix/store.scm b/guix/store.scm
index 01248738dc..ae52628545 100644
--- a/guix/store.scm
+++ b/guix/store.scm
@@ -504,8 +504,12 @@ encoding conversion errors."
                               (status   k))))))))
 
 (define %default-substitute-urls
-  ;; Default list of substituters.
-  '("http://hydra.gnu.org"))
+  ;; Default list of substituters.  This is *not* the list used by
+  ;; 'guix-daemon', and few clients use it ('guix build --log-file' uses it.)
+  (map (if (false-if-exception (resolve-interface '(gnutls)))
+           (cut string-append "https://" <>)
+           (cut string-append "http://" <>))
+       '("hydra.gnu.org")))
 
 (define* (set-build-options server
                             #:key keep-failed? keep-going? fallback?
diff --git a/nix/nix-daemon/guix-daemon.cc b/nix/nix-daemon/guix-daemon.cc
index 20a0732fcb..d5d33a587a 100644
--- a/nix/nix-daemon/guix-daemon.cc
+++ b/nix/nix-daemon/guix-daemon.cc
@@ -1,5 +1,5 @@
 /* GNU Guix --- Functional package management for GNU
-   Copyright (C) 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+   Copyright (C) 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 
    This file is part of GNU Guix.
 
@@ -327,7 +327,7 @@ main (int argc, char *argv[])
       settings.set ("build-use-substitutes", "true");
 
       /* Use our substitute server by default.  */
-      settings.set ("substitute-urls", "http://hydra.gnu.org");
+      settings.set ("substitute-urls", GUIX_SUBSTITUTE_URLS);
 
 #ifdef HAVE_DAEMON_OFFLOAD_HOOK
       /* Use our build hook for distributed builds by default.  */