Mar 26, 2022, 19:33 by kias...@tutanota.com:
> Hi Simon,
>
> Mar 25, 2022, 22:54 by zimon.touto...@gmail.com:
>
>> Hi,
>>
>> On Fri, 25 Mar 2022 at 20:39, kias...@tutanota.com wrote:
>>
>>> ====the middle of guix build -f hardened.scm====
>>> building /gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv...
>>> Backtrace:
>>> In ice-9/eval.scm:
>>> 217:50 19 (lp (#<procedure 7ffff3fff5e0 at ice-9/eval.scm:282:?> ?))
>>> 217:50 18 (lp (#<procedure 7ffff3fff580 at ice-9/eval.scm:282:?> ?))
>>> 217:50 17 (lp (#<procedure 7ffff3fff4c0 at ice-9/eval.scm:649:?> ?))
>>> 217:50 16 (lp (#<procedure 7ffff3fff300 at ice-9/eval.scm:282:?> ?))
>>> 217:50 15 (lp (#<procedure 7ffff3fff2a0 at ice-9/eval.scm:649:?> ?))
>>> 217:50 14 (lp (#<procedure 7ffff3fff140 at ice-9/eval.scm:282:?> ?))
>>> 217:50 13 (lp (#<procedure 7ffff3fff120 at ice-9/eval.scm:282:?> ?))
>>> 217:50 12 (lp (#<procedure 7ffff3fff100 at ice-9/eval.scm:282:?> ?))
>>> 217:50 11 (lp (#<procedure 7ffff2c01f40 at ice-9/eval.scm:649:?> ?))
>>> 217:50 10 (lp (#<procedure 7ffff2c01f20 at ice-9/eval.scm:282:?> ?))
>>> 217:50 9 (lp (#<procedure 7ffff2c01f00 at ice-9/eval.scm:282:?> ?))
>>> 217:50 8 (lp (#<procedure 7ffff2c01ee0 at ice-9/eval.scm:282:?> ?))
>>> 217:50 7 (lp (#<procedure 7ffff2c01e80 at ice-9/eval.scm:649:?> ?))
>>> 217:50 6 (lp (#<procedure 7ffff2c01e60 at ice-9/eval.scm:282:?> ?))
>>> 217:50 5 (lp (#<procedure 7ffff2c20ed0 at ice-9/eval.scm:196:?> ?))
>>> 217:50 4 (lp (#<procedure 7ffff2c01d20 at ice-9/eval.scm:282:?> ?))
>>> 217:33 3 (lp (#<procedure 7ffff2c01b20 at ice-9/eval.scm:649:?> ?))
>>> 159:9 2 (_ #(#(#<directory (guile-user) 7ffff3fd7c80> #f) #f))
>>> 159:9 1 (_ #(#(#<directory (guile-user) 7ffff3fd7c80> #f) #f))
>>> In unknown file:
>>> 0 (string-append "LDFLAGS=" "-Wl,-rpath=" #f "/lib " "-W?" ?)
>>>
>>> ERROR: In procedure string-append:
>>> In procedure string-append: Wrong type (expecting string): #f
>>> builder for `/gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv'
>>> failed with exit code 1
>>> build of /gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv failed
>>> View build log at
>>> '/var/log/guix/drvs/1n/lrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv.gz'.
>>> guix build: error: build of
>>> `/gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv' failed
>>> ====the middle of guix build -f hardened.scm====
>>>
Here's a smaller example that has the same error:
===the file===
(use-modules (gnu)
(guix)
(guix packages))
(use-package-modules gcc base commencement)
(package-with-c-toolchain gcc `(("toolchain" ,(make-gcc-toolchain gcc))))
===the file===
===try to build it===
In unknown file:
0 (string-append "LDFLAGS=" "-Wl,-rpath=" #f "/lib " "-W?" ?)
ERROR: In procedure string-append:
In procedure string-append: Wrong type (expecting string): #f
===try to build it===
The gcc package already exists! Why can't I build gcc with itself?
>> You are creating a cycle, no? It is not a DAG and so the transformation
>> fails, no?
>>
> Oh I didn't notice that. The example makes sense too.
>
>> For instance, this:
>>
>> --8<---------------cut here---------------start------------->8---
>> (use-modules (guix packages)
>> (gnu packages gcc)
>> (gnu packages base))
>>
>> (define make-gcc-toolchain
>> (@@ (gnu packages commencement) make-gcc-toolchain))
>>
>> (define gcc-bis
>> (package
>> (inherit gcc)
>> (version (string-append (package-version gcc) "-bis"))))
>>
>> (define gcc-toolchain-bis
>> (make-gcc-toolchain gcc-bis glibc))
>>
>> (define (package-with-c-toolchain-bis package)
>> (package-with-c-toolchain
>> package `(("toolchain" ,gcc-toolchain-bis))))
>>
>>
>> (package-with-c-toolchain-bis gcc-bis)
>> --8<---------------cut here---------------end--------------->8---
>>
>> fails with the same message. There is bootstrapping issue: the binary
>> of gcc-bis is required to compile the source of gcc-bis; where does come
>> from such binary of gcc-bis?
>>
>>
>> Considering your use case, you need:
>>
>> - gcc considered as binary seed
>>
>> - use this binary gcc with the hardened options to compile the source
>> of GCC; resulting to the binary gcc-hardened-1
>>
>> - use this binary gcc-hardened-2 with the hardened options to recompile
>> the source of GCC; resulting to the binary gcc-hardened-2
>>
>> - if checksum(gcc-hardened-1) == checksum(gcc-hardened-2)
>> then use this binary to define a new toolchain
>> else reach the fixed point
>>
>> fixed point: use this binary gcc-hardened-{n-1} to compile the source of
>> GCC and output the binary gcc-hardened-{n}; compare the checksum of
>> the binary {n-1} and {n} and repeat until equality is reached.
>>
> Just so I understand, in other (imperative) words:
>
> gcc-hardened-1 = gcc-hardened built with regular gcc
> gcc-hardened-2 = gcc-hardened built with gcc-hardened-1
> n = 1
> while checksum(gcc-hardened-{n}) != checksum(gcc-hardened-{n+1}):
> gcc-hardened-{n+1} = gcc-hardened built with gcc-hardened-{n}
> n++
> define the new toolchain with gcc-hardened-{n+1}
>
>
>> Guix is not auto-magically resolving the fixed-point, i.e., it does not
>> unroll the cycle by magic. :-) You have to do it manually or write code
>> for automatise the process; described above.
>>
> Thanks, are there any examples in the code base that would be a good
> reference?
>
>>
>> Hope that helps.
>>
>> Cheers,
>> simon
>>
>
>
