GNU bug report logs - #41602
texlive is actually substitutable

Package: guix;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Fri, 29 May 2020 15:17:01 UTC

Severity: important

Message #39 received at 41602 <at> debbugs.gnu.org (full text, mbox):

From: Morgan Arnold <morgan.arnold <at> proton.me>
To: 41602 <at> debbugs.gnu.org
Cc: Morgan Arnold <morgan.arnold <at> proton.me>
Subject: [PATCH v1] Prevent publication of non-substitutable derivation outputs
Date: Mon, 24 Feb 2025 19:03:07 +0000
This commit prevents Guix substitute servers from distributing binaries which are marked non-substitutable. This prevents substitute servers from accidentally committing copyright violations by distributing binaries which are non-substitutable for copyright reasons.

Change-Id: Iaca81f5bdb430a12a3ad41e9b83e0bcc535af607
---
 guix/scripts/publish.scm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/guix/scripts/publish.scm b/guix/scripts/publish.scm
index a000c559a7..fc8b007d36 100644
--- a/guix/scripts/publish.scm
+++ b/guix/scripts/publish.scm
@@ -61,6 +61,7 @@ (define-module (guix scripts publish)
   #:use-module (guix cache)
   #:use-module (guix ui)
   #:use-module (guix scripts)
+  #:use-module (guix derivations)
   #:use-module ((guix utils)
                 #:select (with-atomic-file-output compressed-file?))
   #:use-module ((guix build utils)
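Review bot: the added `#:use-module (guix derivations)` line imports the whole module, although the second hunk takes only `read-derivation-from-file` and `substitutable-derivation?` from it. A `#:select (read-derivation-from-file substitutable-derivation?)` list, in the style of the `(guix utils)` import directly below, would make the dependency explicit and keep the module's namespace narrow.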
@@ -696,11 +697,14 @@ (define* (bake-narinfo+nar cache item
 (define* (render-nar store request store-item
                      #:key (compression %no-compression))
   "Render archive of the store path corresponding to STORE-ITEM."
-  (let ((store-path (string-append %store-directory "/" store-item)))
+  (let* ((store-path (string-append %store-directory "/" store-item))
+         (substitutable-store-item? (every substitutable-derivation?
+                                           (map read-derivation-from-file
+                                                (valid-derivers store-path)))))
     ;; The ISO-8859-1 charset *must* be used otherwise HTTP clients will
     ;; interpret the byte stream as UTF-8 and arbitrarily change invalid byte
     ;; sequences.
-    (if (valid-path? store store-path)
+    (if ((and substitutable-store-item? valid-path?) store store-path)
         (values `((content-type . (application/x-nix-archive
                                    (charset . "ISO-8859-1")))
                   (x-nar-compression . ,compression))
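
Review bot: the `if` test `((and substitutable-store-item? valid-path?) store store-path)` applies the value of `and` as a procedure, so for a non-substitutable item the operator is `#f` and the call raises a wrong-type-to-apply error instead of falling through to the else branch. Write it as `(and substitutable-store-item? (valid-path? store store-path))` so that the refusal takes the same path as an invalid store item. In the `let*`, `(valid-derivers store-path)` is called without `store`, unlike `valid-path?` below it, and the binding is evaluated before the path is known to be valid, so derivation files are looked up for any requested name; doing the substitutability check only after `valid-path?` succeeds avoids that. Note also that `every` returns `#t` on an empty list, so an item with no valid deriver is still served: add a comment saying whether that is intended. The hunk header shows `bake-narinfo+nar` just above and the patch leaves it unchanged, so please confirm that nars served from the cache cannot bypass this check.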

base-commit: 23b068c036223e70bdea9d7d579850a1cffc02a7
-- 
2.47.1






This bug report was last modified 142 days ago.
