bug#41602: [PATCH v3] Prevent publication of non-substitutable derivation outputs
This commit prevents Guix substitute servers from distributing binaries which are marked non-substitutable. This prevents substitute servers from accidentally committing copyright violations by distributing binaries which are non-substitutable for copyright reasons. Change-Id: Iaca81f5bdb430a12a3ad41e9b83e0bcc535af607 --- guix/scripts/publish.scm | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/guix/scripts/publish.scm b/guix/scripts/publish.scm index 6f993ef0d6..4650e4ef3a 100644 --- a/guix/scripts/publish.scm +++ b/guix/scripts/publish.scm @@ -61,6 +61,7 @@ (define-module (guix scripts publish) #:use-module (guix cache) #:use-module (guix ui) #:use-module (guix scripts) + #:use-module (guix derivations) #:use-module ((guix utils) #:select (with-atomic-file-output compressed-file?)) #:use-module ((guix build utils) @@ -693,11 +694,15 @@ (define* (bake-narinfo+nar cache item (define* (render-nar store request store-item #:key (compression %no-compression)) "Render archive of the store path corresponding to STORE-ITEM." - (let ((store-path (string-append %store-directory "/" store-item))) + (let* ((store-path (string-append %store-directory "/" store-item)) + (substitutable-store-item? (every substitutable-derivation? + (map read-derivation-from-file +(valid-derivers store +store-path) ;; The ISO-8859-1 charset *must* be used otherwise HTTP clients will ;; interpret the byte stream as UTF-8 and arbitrarily change invalid byte ;; sequences. -(if (valid-path? store store-path) +(if (and substitutable-store-item? (valid-path? store store-path)) (values `((content-type . (application/x-nix-archive (charset . "ISO-8859-1"))) (x-nar-compression . ,compression)) base-commit: 19c656e3cad3a4f1e3338a955a1af57e363545df -- 2.47.1
bug#41602: [PATCH v2] Prevent publication of non-substitutable derivation outputs
Hi Liliana, Thanks! What a dumb mistake on my part. I tried to test the changes on my machine, but `guix publish` seems to just crash. I reverted my changes to double-check, and the version in `master` also crashes on my machine, so I'm afraid that I wasn't able to test the changes. I've sent a new version. Best, Morgan
bug#76343: shepherd 1.0.2 --help: warning: call to environ while multiple threads are running; further behavior unspecified.
Simon Josefsson skribis: > Ludovic Courtès writes: > >> Hi, >> >> Simon Josefsson skribis: >> >>> A shephard-specific patch would be the simplest at this point, I think. >>> >>> Do you have some idea how to do that? I agree it seems like a Debian- >>> specific patch for now. >> >> The patch below appears to do the trick. I guess I could just as well >> integrate it in the next 1.0.x bug-release. >> >> Does it work for you? > > It does, yes! Excellent. :-) Pushed in the Shepherd as 8e951de13120729907c527d4a420b579aec944f4. Thanks! Ludo’.
bug#76790: [Shepherd] Handling process termination before service is running
While on a quest for flaky tests in the Shepherd, I found a genuine bug
that would manifest with this ‘tests/basic.sh’ failure:
--8<---cut here---start->8---
+ herd -s t-socket-21679 status test-run-from-nonexistent-directory
+ sleep 0.5
+ herd -s t-socket-21679 status test-run-from-nonexistent-directory
+ grep 'exited with code 127'
+ sleep 0.5
+ herd -s t-socket-21679 status test-run-from-nonexistent-directory
+ grep 'exited with code 127'
[…]
2025-03-06 14:06:36 Service test-run-from-nonexistent-directory started.
2025-03-06 14:06:36 Failed to run
"/gnu/store/3bg5qfsmjw6p7bh1xadarbaq246zis0d-coreutils-9.1/bin/pwd": In
procedure chdir: No such file or directory
2025-03-06 14:06:36 Service test-run-from-nonexistent-directory running with
value #< id: 22431 command:
("/gnu/store/3bg5qfsmjw6p7bh1xadarbaq246zis0d-coreutils-9.1/bin/pwd")>.
2025-03-06 14:06:36 Service test-run-from-nonexistent-directory has been
started.
2025-03-06 14:06:36 Service test-run-from-nonexistent-directory has been
disabled.
2025-03-06 14:11:51 Stopping service root...
--8<---cut here---end--->8---
What happens is that the service is not marked as “exited with code
127”; instead, it is marked as having exited with code 0:
--8<---cut here---start->8---
● Status of test-run-from-nonexistent-directory:
It is stopped since 14:06:36 (37 seconds ago).
Process exited successfully.
It is disabled.
Provides: test-run-from-nonexistent-directory
Will not be respawned.
--8<---cut here---end--->8---
This is due to a race condition: the process terminates before its
service goes from ‘starting’ to ‘running’.
By the time the service controller calls ‘monitor-service-process’, the
process has already terminated, so the process monitor replies 0 to the
'await request because that process no longer exists.
Attached is a test that reproduces the problem.
Ludo’.
# GNU Shepherd --- Handling termination of a process before 'start' completes.
# Copyright © 2025 Ludovic Courtès
#
# This file is part of the GNU Shepherd.
#
# The GNU Shepherd is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# The GNU Shepherd is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with the GNU Shepherd. If not, see
bug#46905: Add a note about ext4's dir_index to the manual
Hi, can we close this issue or is there something we should document? -- Ricardo
