GNU bug report logs - #28749
guix build --subsitute-urls does not override guix-daemon run with --no-subsitutes

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 28749 in the body.
You can then email your comments to 28749 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Drashne <drashne <at> protonmail.com>
To: "bug-guix <at> gnu.org" <bug-guix <at> gnu.org>
Subject: guix build --subsitute-urls does not override guix-daemon run with
 --no-subsitutes
Date: Sun, 08 Oct 2017 13:13:16 -0400

[Message part 1 (text/plain, inline)]

From the kind people on #guix, I've heard that "guix build --subsitute-urls" should override "guix-daemon --no-subsitutes", but it seems it's not doing so for me.

Here's the situation I ran in to:

While doing a "./pre-inst-env guix pull" I got an error about:

  output path `/gnu/store/53lj4z9cavl7n27r89zjnvyd8fk854kj-libgit2-0.26.0.tar.gz' should have sha256 hash `1fdk9yhwvl1w1z71ykzcvgh4nsf8scxcbclz5anh98zpplmhmisa', instead has `
1b3figbhp5l83vd37vq6j2narrq4yl9pfw6mw0px0dzb1hz3jqka'

So I tried "./pre-inst-env guix build --source libgit2 --substitute-urls=[https://mirror.hydra.gnu.org"](https://mirror.hydra.gnu.org)
but it redirected me to https://codeload.github.com/libgit2/libgit2/tar.gz/v0.26.0
which had the wrong hash.

Attached is the full log of that failed attempt.  This was done while guix-daemon was run with the --no-subsitutes option.

Then I killed guix-daemon and restarted it without --no-subsitutes, and did the same thing and it worked (log of the success also attached).

[Message part 2 (text/html, inline)]

[libgit2-substitute-failed-while-guix-daemon-run-with-no-substitutes.txt (text/plain, attachment)]

[libgit2-substitute-succeeded-while-guix-daemon-run-without-no-substitutes.txt (text/plain, attachment)]

Message #10 received at 28749-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Drashne <drashne <at> protonmail.com>
Cc: 28749-done <at> debbugs.gnu.org
Subject: Re: bug#28749: guix build --subsitute-urls does not override
 guix-daemon run with --no-subsitutes
Date: Mon, 9 Oct 2017 15:20:34 -0400

[Message part 1 (text/plain, inline)]

On Sun, Oct 08, 2017 at 01:13:16PM -0400, Drashne wrote:
> From the kind people on #guix, I've heard that "guix build
> --subsitute-urls" should override "guix-daemon --no-subsitutes", but
> it seems it's not doing so for me.

The documentation of guix-daemon [0] says this on the subject:

"When the daemon runs with --no-substitutes, clients can still
explicitly enable substitution via the set-build-options remote
procedure call (see The Store)."

So, there is a way for unprivileged users to enable substitution for
themselves even when the local administrator has disabled substitution,
but it's not via the --substitute-urls mechanism.

I'm closing this bug because I think it's mostly a case of having
received mistaken advice on #guix.

[0]
https://www.gnu.org/software/guix/manual/html_node/Invoking-guix_002ddaemon.html#Invoking-guix_002ddaemon

> Here's the situation I ran in to:
> 
> While doing a "./pre-inst-env guix pull" I got an error about:
> 
>   output path `/gnu/store/53lj4z9cavl7n27r89zjnvyd8fk854kj-libgit2-0.26.0.tar.gz' should have sha256 hash `1fdk9yhwvl1w1z71ykzcvgh4nsf8scxcbclz5anh98zpplmhmisa', instead has `
> 1b3figbhp5l83vd37vq6j2narrq4yl9pfw6mw0px0dzb1hz3jqka'
> 
> So I tried "./pre-inst-env guix build --source libgit2 --substitute-urls=[https://mirror.hydra.gnu.org"](https://mirror.hydra.gnu.org)
> but it redirected me to https://codeload.github.com/libgit2/libgit2/tar.gz/v0.26.0
> which had the wrong hash.

We are discussing how to handle unstable upstream sources more
gracefully here:

https://bugs.gnu.org/28659

[signature.asc (application/pgp-signature, inline)]

Message #13 received at 28749 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 28749 <at> debbugs.gnu.org
Cc: drashne <at> protonmail.com, leo <at> famulari.name
Subject: Re: bug#28749: guix build --subsitute-urls does not override
 guix-daemon run with --no-subsitutes
Date: Fri, 13 Oct 2017 09:59:18 -0400

Leo Famulari <leo <at> famulari.name> writes:

> On Sun, Oct 08, 2017 at 01:13:16PM -0400, Drashne wrote:
>> From the kind people on #guix, I've heard that "guix build
>> --subsitute-urls" should override "guix-daemon --no-subsitutes", but
>> it seems it's not doing so for me.
>
> The documentation of guix-daemon [0] says this on the subject:
>
> "When the daemon runs with --no-substitutes, clients can still
> explicitly enable substitution via the set-build-options remote
> procedure call (see The Store)."
>
> So, there is a way for unprivileged users to enable substitution for
> themselves even when the local administrator has disabled substitution,
> but it's not via the --substitute-urls mechanism.
>
> I'm closing this bug because I think it's mostly a case of having
> received mistaken advice on #guix.

Eh, I'm sorry I was the one suggesting to open this bug report in the
first place!

Although, I would argue that the current behavior is
non-intuitive. While true that the manual skim about how one can achieve
this, the reference to "The Store" is not helpful; it doesn't even
mention the "set-build-options" procedure. Also, leaving the command
line to plug directly into Guix's API from Guile is inconvenient at best.

It seems to me that the current behavior of other options that affect
the guix-daemon operation are that user options override the
corresponding guix-daemon defaults; maybe that's what lead me and others
to think that --substitute-urls should attempt to do what the user
desires?

Otherwise, we could at least give advice on the output of a Guix command
when the user passed --substitute-urls when the guix-daemon substitutes
were disabled to make this clear(er).

My 2 cents,

Maxim

Message #16 received at 28749 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: drashne <at> protonmail.com, 28749 <at> debbugs.gnu.org
Subject: Re: bug#28749: guix build --subsitute-urls does not override
 guix-daemon run with --no-subsitutes
Date: Fri, 13 Oct 2017 17:54:30 -0400

[Message part 1 (text/plain, inline)]

On Fri, Oct 13, 2017 at 09:59:18AM -0400, Maxim Cournoyer wrote:
> Although, I would argue that the current behavior is
> non-intuitive. While true that the manual skim about how one can achieve
> this, the reference to "The Store" is not helpful; it doesn't even
> mention the "set-build-options" procedure. Also, leaving the command
> line to plug directly into Guix's API from Guile is inconvenient at best.
> 
> It seems to me that the current behavior of other options that affect
> the guix-daemon operation are that user options override the
> corresponding guix-daemon defaults; maybe that's what lead me and others
> to think that --substitute-urls should attempt to do what the user
> desires?

Yeah, maybe it should be changed to be consistent with the behavior of
the other options.

> Otherwise, we could at least give advice on the output of a Guix command
> when the user passed --substitute-urls when the guix-daemon substitutes
> were disabled to make this clear(er).

Agreed, we should at least do that.

[signature.asc (application/pgp-signature, inline)]

Message #19 received at 28749 <at> debbugs.gnu.org (full text, mbox):

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Leo Famulari <leo <at> famulari.name>
Cc: drashne <at> protonmail.com, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>,
 28749 <at> debbugs.gnu.org
Subject: Re: bug#28749: guix build --subsitute-urls does not override
 guix-daemon run with --no-subsitutes
Date: Sat, 14 Oct 2017 15:23:45 +0200

Leo Famulari <leo <at> famulari.name> writes:

> On Fri, Oct 13, 2017 at 09:59:18AM -0400, Maxim Cournoyer wrote:
>> Although, I would argue that the current behavior is
>> non-intuitive. While true that the manual skim about how one can achieve
>> this, the reference to "The Store" is not helpful; it doesn't even
>> mention the "set-build-options" procedure. Also, leaving the command
>> line to plug directly into Guix's API from Guile is inconvenient at best.
>>
>> It seems to me that the current behavior of other options that affect
>> the guix-daemon operation are that user options override the
>> corresponding guix-daemon defaults; maybe that's what lead me and others
>> to think that --substitute-urls should attempt to do what the user
>> desires?
>
> Yeah, maybe it should be changed to be consistent with the behavior of
> the other options.

I don’t know.  Substitute sources have to authorized before downloaded
substitutes are accepted by the daemon.  This authorization happens as
the root user, as it constitutes a system-wide change.

When the daemon is run by the root user to disable substitutes
system-wide, maybe we should not let users override that decision, just
like we don’t let them override from what server binaries are to be
accepted.

I’m not convinced by the reasoning above, but I’d like to offer this
thought for consideration anyway.

>> Otherwise, we could at least give advice on the output of a Guix command
>> when the user passed --substitute-urls when the guix-daemon substitutes
>> were disabled to make this clear(er).
>
> Agreed, we should at least do that.

Yes, this is a good idea.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

Message #22 received at 28749 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: drashne <at> protonmail.com, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>,
 28749 <at> debbugs.gnu.org
Subject: Re: bug#28749: guix build --subsitute-urls does not override
 guix-daemon run with --no-subsitutes
Date: Sat, 14 Oct 2017 12:41:56 -0400

[Message part 1 (text/plain, inline)]

On Sat, Oct 14, 2017 at 03:23:45PM +0200, Ricardo Wurmus wrote:
> I don’t know.  Substitute sources have to authorized before downloaded
> substitutes are accepted by the daemon.  This authorization happens as
> the root user, as it constitutes a system-wide change.

I was thinking of situations where the subsitute signing key is
authorized, but substitutes are disabled system-wide.

I don't have a use case for this configuration but, to me, it doesn't
seem far-fetched for multi-user systems. Maybe the administrator is
willing to let users trust substitutes, but doesn't want to do it for
the privileged Guix installation.

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.