This commit prevents Guix substitute servers from distributing binaries which
are marked non-substitutable. This prevents substitute servers from
accidentally committing copyright violations by distributing binaries which are
non-substitutable for copyright reasons.
Change-Id: Iaca81f5bdb430a12a3ad41e9b83e0bcc535af607
---
guix/scripts/publish.scm | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/guix/scripts/publish.scm b/guix/scripts/publish.scm
index 6f993ef0d6..4650e4ef3a 100644
--- a/guix/scripts/publish.scm
+++ b/guix/scripts/publish.scm
@@ -61,6 +61,7 @@ (define-module (guix scripts publish)
#:use-module (guix cache)
#:use-module (guix ui)
#:use-module (guix scripts)
+ #:use-module (guix derivations)
#:use-module ((guix utils)
#:select (with-atomic-file-output compressed-file?))
#:use-module ((guix build utils)
@@ -693,11 +694,15 @@ (define* (bake-narinfo+nar cache item
(define* (render-nar store request store-item
#:key (compression %no-compression))
"Render archive of the store path corresponding to STORE-ITEM."
- (let ((store-path (string-append %store-directory "/" store-item)))
+ (let* ((store-path (string-append %store-directory "/" store-item))
+ (substitutable-store-item? (every substitutable-derivation?
+ (map read-derivation-from-file
+ (valid-derivers store
+ store-path)))))
;; The ISO-8859-1 charset *must* be used otherwise HTTP clients will
;; interpret the byte stream as UTF-8 and arbitrarily change invalid byte
;; sequences.
- (if (valid-path? store store-path)
+ (if (and substitutable-store-item? (valid-path? store store-path))
(values `((content-type . (application/x-nix-archive
(charset . "ISO-8859-1")))
(x-nar-compression . ,compression))
base-commit: 19c656e3cad3a4f1e3338a955a1af57e363545df
--
2.47.1
