GNU bug report logs - #17122
More problems with --no-substitutes

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Mark H Weaver <mhw <at> netris.org>
Subject: bug#17122: closed (Re: bug#17122: More problems with
 --no-substitutes)
Date: Mon, 31 Mar 2014 23:01:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#17122: More problems with --no-substitutes

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 17122 <at> debbugs.gnu.org.

-- 
17122: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17122
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Mark H Weaver <mhw <at> netris.org>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 17122-done <at> debbugs.gnu.org
Subject: Re: bug#17122: More problems with --no-substitutes
Date: Mon, 31 Mar 2014 18:59:22 -0400

ludo <at> gnu.org (Ludovic Courtès) writes:

> Mark H Weaver <mhw <at> netris.org> skribis:
>
>> What disturbs me the most is that 'substitute-binary' is being called at
>> all.  I'm 100% certain that I passed '--no-substitutes' to guix-daemon.
>> I use a script to start guix-daemon with the options I prefer, to avoid
>> mistakes.  I also just checked with 'ps', and indeed '--no-substitutes'
>> is there on the command line.
>
> Can you check with current master?  (See in particular commits 968e84a
> and c9e2b0b.)  Does tests/guix-daemon.sh pass?

Yes, it does.

I also hacked 'guix-substitute-binary' to unconditionally raise an error
as soon as it is called (a local patch I intend to keep indefinitely).

Before your recent commits, 'guix-substitute-binary' was always being
called by 'guix build' (unless --no-substitutes was passed to it), but
that seems to be fixed now.  Thanks.

>> I'm surprised and concerned that we seem to be having so much trouble
>> making '--no-substitutes' work reliably.  How hard can it be?
>
> The issue is that guix-daemon.cc glues into Nix’s code, and Nix changed
> the way it handles substituter settings in the last update.

Ah, okay.  I wish this wasn't so fragile, but the new test case you
added helps, as does my hack to raise an error if the substituter is
called, which will immediately alert me to any similar problems in the
future.

> Specifically, in Nix commit dcaea042, the Settings::update method is
> made to re-read $NIX_SUBSTITUTERS:
> <https://github.com/NixOS/nix/commit/dcaea042fc895667bf6f529471ff9f449629774c>;
> then in Guix commit 89faa5c I adjusted guix-daemon.cc accordingly, but
> inadvertently removed the ‘if’ branch that clears the substituter list.
>
> Commit c9e2b0b augments tests/guix-daemon.sh to test guix-daemon
> --no-substitutes.

Thanks very much!  I'm closing this bug now.

     Mark

[Message part 3 (message/rfc822, inline)]

From: Mark H Weaver <mhw <at> netris.org>
To: bug-guix <at> gnu.org
Subject: More problems with --no-substitutes
Date: Thu, 27 Mar 2014 12:12:30 -0400

This just happened to me on core-updates, on my YeeLoong:

--8<---------------cut here---------------start------------->8---
mhw:~/guix-core-updates$ ./pre-inst-env guix build -S expect lua zip pth bazaar ocaml
substitute-binary: Backtrace:
substitute-binary: In ice-9/boot-9.scm:
substitute-binary:  157: 0 [catch #t #<catch-closure 107fb4f0> ...]
substitute-binary: 
substitute-binary: ice-9/boot-9.scm:157:17: In procedure catch:
substitute-binary: ice-9/boot-9.scm:157:17: In procedure system-async-mark: thread has already exited
  C-c C-c
--8<---------------cut here---------------end--------------->8---

No doubt, the "system-async-mark: thread has already exited" is a
problem, but that's not what bothers me.

What disturbs me the most is that 'substitute-binary' is being called at
all.  I'm 100% certain that I passed '--no-substitutes' to guix-daemon.
I use a script to start guix-daemon with the options I prefer, to avoid
mistakes.  I also just checked with 'ps', and indeed '--no-substitutes'
is there on the command line.

It's very important to me to trust that guix-daemon will not accept
binaries from the internet, even if there's a man-in-the-middle that
pretends to be hydra.gnu.org with mips64el binaries for me.

I'm surprised and concerned that we seem to be having so much trouble
making '--no-substitutes' work reliably.  How hard can it be?

Until we get this straightened out, what's the most reliable way for me
to hack the code to ensure that substitutes cannot work, ever?

     Mark

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.