GNU bug report logs - #55231
[PATCH v1] initrd: Allow extra search paths with ‘initrd-extra-module-paths’

Previous Next

Package: guix-patches;

Reported by: Brian Cully <bjc <at> spork.org>

Date: Mon, 2 May 2022 19:55:02 UTC

Severity: normal

Tags: moreinfo, patch

Full log

View this message in rfc822 format

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 55231 <at> debbugs.gnu.org
Cc: Morgan Arnold <morgan.arnold <at> proton.me>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Brian Cully <bjc <at> spork.org>, Maxime Devos <maximedevos <at> telenet.be>, Kaelyn <kaelyn.alexi <at> protonmail.com>, Ludovic Courtès <ludo <at> gnu.org>, Morgan Arnold <morgan.arnold <at> proton.me>, Ian Eure <ian <at> retrospec.tv>, John Kehayias <john.kehayias <at> protonmail.com>, Leo Famulari <leo <at> famulari.name>, Felix Lechner <felix.lechner <at> lease-up.com>, Andreas Enge <andreas <at> enge.fr>, bjc <at> spork.org, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Christopher Baines <guix <at> cbaines.net>, Josselin Poiret <dev <at> jpoiret.xyz>, Mathieu Othacehe <othacehe <at> gnu.org>, Simon Tournier <zimon.toutoune <at> gmail.com>, Tobias Geerinckx-Rice <me <at> tobias.gr>
Subject: [bug#55231] [PATCH v6 4/4] Propagate non-substitutability of derivations.
Date: Sun, 16 Feb 2025 21:52:48 +0900

From: Morgan Arnold <morgan.arnold <at> proton.me>

This commit changes the conditions under which derivations, as
constructed by the `derivation' procedure, are made substitutable, to
prevent potential copyright violations related to the construction of
substitutable initrds including non-substitutable derivations (in
particular, ZFS).

This change prevents such copyright violations by only marking a derivation as
substitutable if it is itself marked substitutable along all of its inputs.
This means that non-substitutable derivations propagate to other derivations
using them as input.

Change-Id: I80ba4a371ee0c55a1294aff311d4e7b151055fac
Signed-off-by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Modified-by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
---
 guix/derivations.scm  | 53 +++++++++++++++++++++++--------------------
 tests/derivations.scm | 16 +++++++------
 2 files changed, 37 insertions(+), 32 deletions(-)

diff --git a/guix/derivations.scm b/guix/derivations.scm
index ffa69e924c..f4e7c56981 100644
--- a/guix/derivations.scm
+++ b/guix/derivations.scm
@@ -868,33 +868,36 @@ (define* (derivation store name builder args
                                env-vars)
                           #f)))))
 
-  (define (user+system-env-vars)
+  (define (user+system-env-vars inputs)
     ;; Some options are passed to the build daemon via the env. vars of
     ;; derivations (urgh!).  We hide that from our API, but here is the place
     ;; where we kludgify those options.
-    (let ((env-vars `(,@(if local-build?
-                            `(("preferLocalBuild" . "1"))
-                            '())
-                      ,@(if (not substitutable?)
-                            `(("allowSubstitutes" . "0"))
-                            '())
-                      ,@(if allowed-references
-                            `(("allowedReferences"
-                               . ,(string-join allowed-references)))
-                            '())
-                      ,@(if disallowed-references
-                            `(("disallowedReferences"
-                               . ,(string-join disallowed-references)))
-                            '())
-                      ,@(if leaked-env-vars
-                            `(("impureEnvVars"
-                               . ,(string-join leaked-env-vars)))
-                            '())
-                      ,@(match properties
-                          (() '())
-                          (lst `(("guix properties"
-                                  . ,(object->string properties)))))
-                      ,@env-vars)))
+    (let* ((substitutable-inputs? (every substitutable-derivation?
+                                         (map derivation-input-derivation
+                                              inputs)))
+           (env-vars `(,@(if local-build?
+                             `(("preferLocalBuild" . "1"))
+                             '())
+                       ,@(if (and substitutable? substitutable-inputs?)
+                             '()
+                             `(("allowSubstitutes" . "0")))
+                       ,@(if allowed-references
+                             `(("allowedReferences"
+                                . ,(string-join allowed-references)))
+                             '())
+                       ,@(if disallowed-references
+                             `(("disallowedReferences"
+                                . ,(string-join disallowed-references)))
+                             '())
+                       ,@(if leaked-env-vars
+                             `(("impureEnvVars"
+                                . ,(string-join leaked-env-vars)))
+                             '())
+                       ,@(match properties
+                           (() '())
+                           (lst `(("guix properties"
+                                   . ,(object->string properties)))))
+                       ,@env-vars)))
       (match references-graphs
         (((file . path) ...)
          (let ((value (map (cut string-append <> " " <>)
@@ -967,7 +970,7 @@ (define* (derivation store name builder args
                             (filter-map input->derivation-input inputs))
                            derivation-input<?))
          (env-vars   (sort (env-vars-with-empty-outputs
-                            (user+system-env-vars))
+                            (user+system-env-vars inputs))
                            (lambda (e1 e2)
                              (string<? (car e1) (car e2)))))
          (drv-masked (make-derivation outputs inputs sources
diff --git a/tests/derivations.scm b/tests/derivations.scm
index 72ea9aa9cc..c157128f39 100644
--- a/tests/derivations.scm
+++ b/tests/derivations.scm
@@ -1105,14 +1105,16 @@ (define %coreutils
         (let-values (((build download)
                       (derivation-build-plan store
                                              (list (derivation-input drv2)))))
-          ;; Although DRV2 is available as a substitute, we must build its
-          ;; dependency, DRV1, due to #:substitutable? #f.
-          (and (match download
-                 (((= substitutable-path item))
-                  (string=? item (derivation->output-path drv2))))
+          ;; DRV2 is *not* available as a substitute, since it has drv1 as
+          ;; input, and the non-substitutability is viral to avoid
+          ;; distributing non-substitutable items that could have become
+          ;; embedded, for example in an initrd.
+          (and (null? download)
                (match build
-                 (((= derivation-file-name build))
-                  (string=? build (derivation-file-name drv1))))))))))
+                 (((= derivation-file-name build1)
+                   (= derivation-file-name build2))
+                  (string=? build1 (derivation-file-name drv1))
+                  (string=? build2 (derivation-file-name drv2))))))))))
 
 (test-assert "derivation-build-plan and substitutes, local build"
   (with-store store
-- 
2.48.1
This bug report was last modified 72 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.