GNU bug report logs - #28659
Content-addressed mirror is not used upon invalid hash

Previous Next

Package: guix;

Reported by: Jan Nieuwenhuizen <janneke <at> gnu.org>

Date: Sun, 1 Oct 2017 10:17:02 UTC

Severity: important

Merged with 70588

Full log

View this message in rfc822 format

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 28659 <at> debbugs.gnu.org
Subject: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1 content hashes fail
Date: Wed, 04 Oct 2017 00:22:34 -0400

[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Mon, Oct 02, 2017 at 06:47:06PM -0400, Maxim Cournoyer wrote:
>> Leo Famulari <leo <at> famulari.name> writes:
>> > I wonder, are there really that many affected packages?
>> 
>> There's a list here:
>> https://github.com/Homebrew/homebrew-core/issues/18044, compiled by one
>> of the homebrew project's maintainers.
>
> I meant, how many Guix packages use the auto-generated GitHub snapshots?
>
> I believe the tell-tale sign is that the download link will have the
> link text 'Source code', as for this release:
>
> https://github.com/libgit2/libgit2/releases/tag/v0.26.0

The following script:

[Message part 2 (text/plain, inline)]
;;; A script to find packages possibly affected by GitHub
;;; infrastructure update that caused minor changes in the
;;; automatically generated tarballs.

(use-modules (ice-9 match)
	     (gnu packages)
	     (guix download)
	     (guix packages))

(define (problematic-uri? uri)

  (define (contains-github-archive? uri)
    (string-match "github.com/.*/archive/" uri))

  ;; URI can be a string or a list of string.
  (match uri
    ((uri1 uri2 ...)			;match list of strings
     (filter contains-github-archive? uri))
    (uri1				;match string
     (contains-github-archive? uri1))))

(define (problematic-github-package? package)
  (let ((source (package-source package)))
    (and (origin? source)
	 (eq? (origin-method source) url-fetch)
	 (problematic-uri? (origin-uri source)))))

(define (problematic-github-packages)
  "List of all the potentially problematic GitHub packages."
  (fold-packages (lambda (p r)
		   (if (problematic-github-package? p)
		       (cons p r)
		       r))
		 '()))
(define (main)
  "Find and print the names of the potentially problematic GitHub packages."
  (let ((packages (problematic-github-packages)))
    (format #t "Number of potentially problematic GitHub packages:~a~%"
	    (length packages))
    (for-each (lambda (p)
		(format #t "~a~%" (package-name p)))
	      packages)))

;;; Run the program.
(main)

[Message part 3 (text/plain, inline)]
outputs that there could be up to 1011 affected packages.

The scripts checks for a url-fetch uri of the form
"github.com/.*/archive/", which seems to be the one used for the
dynamically generated archives.

Here are the first 10 lines of the output:
--8<---------------cut here---------------start------------->8---
Number of potentially problematic GitHub packages:1011
fdupes
cbatticon
sedsed
cpulimit
autojump
sudo
thermald
progress
dstat
[...]
--8<---------------cut here---------------end--------------->8---

I've checked the first few with for example:
--8<---------------cut here---------------start------------->8---
guix build --source --no-substitutes sedsed
--8<---------------cut here---------------end--------------->8---

and they were OK though.

Maxim
This bug report was last modified 1 year and 42 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.