GNU bug report logs - #67707
Fresh installation leaks details about ISO build environment

Package: guix

Reported by: Ludovic Courtès <ludovic.courtes <at> inria.fr>

Date: Fri, 8 Dec 2023 13:12:01 UTC

Severity: important

Done: Ludovic Courtès <ludovic.courtes <at> inria.fr>

Bug is archived. No further changes may be made.


Message #25 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Rutherther <rutherther <at> ditigal.xyz>
To: Ludovic Courtès <ludovic.courtes <at> inria.fr>, Rutherther
 via Bug reports for GNU Guix <bug-guix <at> gnu.org>
Cc: 67707 <at> debbugs.gnu.org
Subject: Re: bug#67707: Fresh installation leaks details about ISO build
 environment
Date: Mon, 05 May 2025 18:48:04 +0200

Hi Ludo',

Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:

> Hi,
>
> Rutherther via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:
>
>> What I had in mind in the first place was replacing it just in the
>> install.scm, I didn't even think about changing it here.
>
> Oh right, it’s probably best to change it there.  Something like this?

Yes, that is exactly what I had in mind. Btw I am wondering, is there a
policy on (not) updating the released ISO?

>
> diff --git a/gnu/system/install.scm b/gnu/system/install.scm
> index 15ea401f1c..50320a6698 100644
> --- a/gnu/system/install.scm
> +++ b/gnu/system/install.scm
> @@ -35,6 +35,11 @@ (define-module (gnu system install)
>    #:use-module ((guix packages) #:select (package-version supported-package?))
>    #:use-module (guix platform)
>    #:use-module (guix utils)
> +  #:use-module (guix packages)
> +  #:use-module ((guix channels)
> +                #:select (%default-guix-channel
> +                          channel
> +                          channel-commit))
>    #:use-module (gnu installer)
>    #:use-module (gnu system locale)
>    #:use-module (gnu services avahi)
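
Review bot: the added "#:use-module (guix packages)" duplicates the import at the top of this hunk's context, which already pulls in (guix packages) with "#:select (package-version supported-package?)". With an unrestricted import of the same module next to it, the select list no longer restricts anything. Either extend the existing select list with the bindings the second hunk uses (package, package-source), or drop the #:select form and keep a single plain import.
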
> @@ -392,7 +397,13 @@ (define* (%installation-services #:key (system (or (and=>
>  
>                       ;; Install and run the current Guix rather than an older
>                       ;; snapshot.
> -                     (guix (current-guix))))
> +                     (guix (let ((guix (current-guix)))
> +                             (package
> +                               (inherit guix)
> +                               (source (channel
> +                                        (inherit %default-guix-channel)
> +                                        (commit (channel-commit
> +                                                 (package-source guix))))))))))
>  
>             ;; Start udev so that useful device nodes are available.
>             ;; Use device-mapper rules for cryptsetup & co; enable the CRDA for
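
Review bot: in the new guix field, channel-commit is applied to (package-source guix) with no check that the source of (current-guix) is a channel record, so any other kind of source would hit the accessor with the wrong type. Consider guarding that case, for instance by keeping guix unchanged when its source is not a channel. The comment above the field still only says "Install and run the current Guix rather than an older snapshot"; a line on why the source is rebuilt from %default-guix-channel with only the commit carried over would help the next reader.
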
>
>
>> Related to this issue, I am playing with an idea to introduce a new
>> option to guix system reconfigure that would skip the forward update
>> check. While it makes sense, especially lately it shows how problematic
>> it can get. […]
>
> I’m not sure I follow: even if one uses a mirror of Savannah, downgrade
> prevention works fine.  Or are you referring to some other motivation?

I agree that the prevention works fine even with a mirror. What I wanted
to say is that sometimes it can't work, like if the repository hosting is
down or you don't have an internet connection. That is, if the checkout
(usually the one of root) doesn't contain the commit. Lately, it shows
because Savannah is down very often. So one pulls successfully, but then
can't reconfigure, because Savannah is down again. This is because root
has a separate checkout. Even if it didn't, if the checkouts are
removed, the user can't reconfigure if repo hosting is down.
This just feels like an unnecessary limitation - why not allow the user
to say: yes, this is a forward update, don't check,
i.e. --disable-forward-update-check.

The workaround for Savannah being down is to use a mirror. Thankfully the
check uses the currently configured source of the repository, so just
pulling out of the mirror, and then reconfiguring works.

Thanks
Rutherther
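
An added illustration, not part of the message above and not Guix's own code: a shell model of the failure mode described there, where a checkout that lacks the target commit cannot tell whether an update is a forward one. The function names, the temporary repositories and the use of plain git are assumptions made for the demo.

```shell
#!/bin/sh
# Added illustration (not Guix code): a forward-update decision made from a
# local checkout only. All names and repositories here are constructed.

# Print how commit NEW relates to commit OLD, as seen from checkout REPO.
commit_relation() {  # usage: commit_relation REPO OLD NEW
    repo=$1 old=$2 new=$3
    for c in "$old" "$new"; do
        # A commit absent from the checkout cannot be classified without
        # fetching, which needs the repository hosting to be reachable.
        git -C "$repo" cat-file -e "$c^{commit}" 2>/dev/null ||
            { echo unknown; return 0; }
    done
    if [ "$old" = "$new" ]; then echo same
    elif git -C "$repo" merge-base --is-ancestor "$old" "$new"; then echo forward
    elif git -C "$repo" merge-base --is-ancestor "$new" "$old"; then echo downgrade
    else echo unrelated
    fi
}

# Build constructed repositories: "upstream" with two commits, "user" cloned
# after both (has pulled), "root" cloned after the first only (stale checkout).
make_demo() {  # sets DEMO_DIR, OLD, NEW
    DEMO_DIR=$(mktemp -d)
    g="git -c user.name=demo -c user.email=demo@example.invalid"
    git init -q "$DEMO_DIR/upstream"
    $g -C "$DEMO_DIR/upstream" commit -q --allow-empty -m "deployed"
    OLD=$(git -C "$DEMO_DIR/upstream" rev-parse HEAD)
    git clone -q "$DEMO_DIR/upstream" "$DEMO_DIR/root"
    $g -C "$DEMO_DIR/upstream" commit -q --allow-empty -m "pulled"
    NEW=$(git -C "$DEMO_DIR/upstream" rev-parse HEAD)
    git clone -q "$DEMO_DIR/upstream" "$DEMO_DIR/user"
}

make_demo
echo "user checkout: $(commit_relation "$DEMO_DIR/user" "$OLD" "$NEW")"
echo "root checkout: $(commit_relation "$DEMO_DIR/root" "$OLD" "$NEW")"
echo "reverse order: $(commit_relation "$DEMO_DIR/user" "$NEW" "$OLD")"
rm -rf "$DEMO_DIR"
```

The "unknown" result for the stale checkout is the case where a check has to either fetch or refuse, while "downgrade" is the case the check exists to stop.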




This bug report was last modified 53 days ago.
