GNU bug report logs - #41796
Grafts don't handle outputs other than out


Package: guix;

Reported by: Jakub Kądziołka <kuba <at> kadziolka.net>

Date: Wed, 10 Jun 2020 22:33:01 UTC

Severity: important

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #12 received at 41796 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Jakub Kądziołka <kuba <at> kadziolka.net>
Cc: 41796 <at> debbugs.gnu.org
Subject: Re: bug#41796: Grafts don't handle outputs other than out
Date: Thu, 11 Jun 2020 18:46:09 +0200
Hi!

I’m trying to estimate the impact of this bug.  As of
a50628bbe0fa4ba3835e311098e4fdf7a1d8a29e, there seems to be only one
package whose replacement could end up not being grafted (here I’m
omitting outputs that, if left ungrafted, won’t affect security):

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> (fold-packages (lambda (p result)
				      (if (and (package-replacement p)
					       (> (length (fold delete (package-outputs p) '("debug" "doc" "static"))) 1))
					  (cons p result)
					  result))
				    '())
$11 = (#<package nss <at> 3.50 gnu/packages/nss.scm:73 7f88caa62e60>)
--8<---------------cut here---------------end--------------->8---

This is because of the “bin” output of ‘nss’.

From a quick grep, there are 3 packages depending on nss:bin: 389-ds-base,
libcacard, and xmlsec-nss.

389-ds-base is affected: it keeps a reference to the ungrafted “bin”:

--8<---------------cut here---------------start------------->8---
$ guix gc --references $(guix build 389-ds-base --no-grafts) |grep nss-
/gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50
/gnu/store/vvsa5q0g790wi97zadj5qklqpiw1fqc1-nss-3.50-bin
$ guix gc --references $(guix build 389-ds-base) |grep nss-
/gnu/store/588jh89ng8f7ks4wsay6mdm4dxapk2d6-nss-3.50
/gnu/store/vvsa5q0g790wi97zadj5qklqpiw1fqc1-nss-3.50-bin
--8<---------------cut here---------------end--------------->8---

The other two are fine:

--8<---------------cut here---------------start------------->8---
$ guix gc --references $(guix build libcacard --no-grafts) |grep nss-
/gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50
$ guix gc --references $(guix build libcacard) |grep nss-
/gnu/store/588jh89ng8f7ks4wsay6mdm4dxapk2d6-nss-3.50
$ guix gc --references $(guix build xmlsec-nss --no-grafts) |grep nss-
/gnu/store/fwb0adczsx3nqsdnj92xnv85n93qa17n-xmlsec-nss-1.2.30
/gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50
$ guix gc --references $(guix build xmlsec-nss ) |grep nss-
/gnu/store/2gzk5rfg86zyxk8d9z6b7x0xkwar95cj-xmlsec-nss-1.2.30
/gnu/store/588jh89ng8f7ks4wsay6mdm4dxapk2d6-nss-3.50
--8<---------------cut here---------------end--------------->8---

Ludo’.
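
The comparison made in the message above, automated as an added example (not part of the original message and not Guix code). The helper names `pick` and `ungrafted_refs` are hypothetical, and the script assumes that a store item which stays identical while a sibling output of the same package changes is an ungrafted reference.

```shell
#!/bin/sh
# Added example, not Guix code. Inputs are two reference lists saved from the
# commands shown in the message:
#   guix gc --references $(guix build PKG --no-grafts) > nograft.txt
#   guix gc --references $(guix build PKG)             > graft.txt

# pick NAME FILE: store items of package NAME (any output), sorted.
# Assumes the layout /gnu/store/<32-char hash>-<name>-<version>[-<output>].
pick() {
    { grep -E "^/gnu/store/[a-z0-9]{32}-$1-[0-9]" "$2" || :; } | sort -u
}

# ungrafted_refs NAME NOGRAFT_FILE GRAFT_FILE (hypothetical helper).
# Prints items of NAME referenced both with and without grafts, but only when
# another item of NAME did change, i.e. the package has a replacement that was
# grafted for some outputs and not for others.
ungrafted_refs() {
    tmp=$(mktemp -d) || return 2
    pick "$1" "$2" > "$tmp/before"
    pick "$1" "$3" > "$tmp/after"
    changed=$(comm -3 "$tmp/before" "$tmp/after" | wc -l)
    if [ "$changed" -gt 0 ]; then
        comm -12 "$tmp/before" "$tmp/after"
    fi
    rm -rf "$tmp"
}

# Constructed sample input: the 389-ds-base lists quoted in the message.
sample_dir=$(mktemp -d)
printf '%s\n' \
    /gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50 \
    /gnu/store/vvsa5q0g790wi97zadj5qklqpiw1fqc1-nss-3.50-bin \
    > "$sample_dir/nograft.txt"
printf '%s\n' \
    /gnu/store/588jh89ng8f7ks4wsay6mdm4dxapk2d6-nss-3.50 \
    /gnu/store/vvsa5q0g790wi97zadj5qklqpiw1fqc1-nss-3.50-bin \
    > "$sample_dir/graft.txt"

ungrafted_refs nss "$sample_dir/nograft.txt" "$sample_dir/graft.txt"
```

An empty result means every referenced output of the named package was rewritten, as in the libcacard and xmlsec-nss listings.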




This bug report was last modified 4 years and 342 days ago.
