Package: guix-patches;
Reported by: Brian Cully <bjc <at> spork.org>
Date: Mon, 2 May 2022 19:55:02 UTC
Severity: normal
Tags: moreinfo, patch
Message #215 received at 55231 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: 55231 <at> debbugs.gnu.org Cc: Morgan Arnold <morgan.arnold <at> proton.me>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Subject: [PATCH v6 4/4] Propagate non-substitutability of derivations. Date: Sun, 16 Feb 2025 21:52:48 +0900
From: Morgan Arnold <morgan.arnold <at> proton.me>
This commit changes the conditions under which derivations, as
constructed by the `derivation' procedure, are made substitutable, to
prevent potential copyright violations related to the construction of
substitutable initrds including non-substitutable derivations (in
particular, ZFS).
This change prevents such copyright violations by only marking a derivation as
substitutable if it is itself marked substitutable along all of its inputs.
This means that non-substitutable derivations propagate to other derivations
using them as input.
Change-Id: I80ba4a371ee0c55a1294aff311d4e7b151055fac
Signed-off-by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Modified-by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
---
guix/derivations.scm | 53 +++++++++++++++++++++++--------------------
tests/derivations.scm | 16 +++++++------
2 files changed, 37 insertions(+), 32 deletions(-)
diff --git a/guix/derivations.scm b/guix/derivations.scm
index ffa69e924c..f4e7c56981 100644
--- a/guix/derivations.scm
+++ b/guix/derivations.scm
@@ -868,33 +868,36 @@ (define* (derivation store name builder args
env-vars)
#f)))))
- (define (user+system-env-vars)
+ (define (user+system-env-vars inputs)
;; Some options are passed to the build daemon via the env. vars of
;; derivations (urgh!). We hide that from our API, but here is the place
;; where we kludgify those options.
- (let ((env-vars `(,@(if local-build?
- `(("preferLocalBuild" . "1"))
- '())
- ,@(if (not substitutable?)
- `(("allowSubstitutes" . "0"))
- '())
- ,@(if allowed-references
- `(("allowedReferences"
- . ,(string-join allowed-references)))
- '())
- ,@(if disallowed-references
- `(("disallowedReferences"
- . ,(string-join disallowed-references)))
- '())
- ,@(if leaked-env-vars
- `(("impureEnvVars"
- . ,(string-join leaked-env-vars)))
- '())
- ,@(match properties
- (() '())
- (lst `(("guix properties"
- . ,(object->string properties)))))
- ,@env-vars)))
+ (let* ((substitutable-inputs? (every substitutable-derivation?
+ (map derivation-input-derivation
+ inputs)))
+ (env-vars `(,@(if local-build?
+ `(("preferLocalBuild" . "1"))
+ '())
+ ,@(if (and substitutable? substitutable-inputs?)
+ '()
+ `(("allowSubstitutes" . "0")))
+ ,@(if allowed-references
+ `(("allowedReferences"
+ . ,(string-join allowed-references)))
+ '())
+ ,@(if disallowed-references
+ `(("disallowedReferences"
+ . ,(string-join disallowed-references)))
+ '())
+ ,@(if leaked-env-vars
+ `(("impureEnvVars"
+ . ,(string-join leaked-env-vars)))
+ '())
+ ,@(match properties
+ (() '())
+ (lst `(("guix properties"
+ . ,(object->string properties)))))
+ ,@env-vars)))
(match references-graphs
(((file . path) ...)
(let ((value (map (cut string-append <> " " <>)
@@ -967,7 +970,7 @@ (define* (derivation store name builder args
(filter-map input->derivation-input inputs))
derivation-input<?))
(env-vars (sort (env-vars-with-empty-outputs
- (user+system-env-vars))
+ (user+system-env-vars inputs))
(lambda (e1 e2)
(string<? (car e1) (car e2)))))
(drv-masked (make-derivation outputs inputs sources
diff --git a/tests/derivations.scm b/tests/derivations.scm
index 72ea9aa9cc..c157128f39 100644
--- a/tests/derivations.scm
+++ b/tests/derivations.scm
@@ -1105,14 +1105,16 @@ (define %coreutils
(let-values (((build download)
(derivation-build-plan store
(list (derivation-input drv2)))))
- ;; Although DRV2 is available as a substitute, we must build its
- ;; dependency, DRV1, due to #:substitutable? #f.
- (and (match download
- (((= substitutable-path item))
- (string=? item (derivation->output-path drv2))))
+ ;; DRV2 is *not* available as a substitute, since it has drv1 as
+ ;; input, and the non-substitutability is viral to avoid
+ ;; distributing non-substitutable items that could have become
+ ;; embedded, for example in an initrd.
+ (and (null? download)
(match build
- (((= derivation-file-name build))
- (string=? build (derivation-file-name drv1))))))))))
+ (((= derivation-file-name build1)
+ (= derivation-file-name build2))
+ (string=? build1 (derivation-file-name drv1))
+ (string=? build2 (derivation-file-name drv2))))))))))
(test-assert "derivation-build-plan and substitutes, local build"
(with-store store
--
2.48.1
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.