Package: guix;
Reported by: Rafa Gálvez <rafa <at> esat.kuleuven.be>
Date: Wed, 26 Feb 2025 09:41:01 UTC
Severity: important
Merged with 76584
View this message in rfc822 format
From: Simon Tournier <zimon.toutoune <at> gmail.com> To: Rafa Gálvez <rafa <at> esat.kuleuven.be> Cc: 76577 <at> debbugs.gnu.org, 76584 <at> debbugs.gnu.org Subject: bug#76577: bug#76584: Bug REPORT Date: Thu, 15 May 2025 17:07:10 +0200
Hi,
On Wed, 14 May 2025 at 10:16, Rafa Gálvez <rafa <at> esat.kuleuven.be> wrote:
> file:
> /gnu/store/pli47dzavnx1jrk0lg8hx7n5pbsmyjfl-guix-1.4.0-33.3355de6-checkout.drv:
--8<---------------cut here---------------start------------->8---
Derive
([("out","/gnu/store/fx09rrqlfgszl50l5hjw6xqplwkwww3s-guix-1.4.0-33.3355de6-checkout","r:sha256","62aec8a2c8ffe8d3c43868c1efb51f5d63ef0b4cc1334fedc431296d80059444")]
,[("/gnu/store/208jziqg0mhmxaz72ml2hxj5r2y87dxk-guile-json-4.7.3.drv",["out"])
,("/gnu/store/2pp0zs88xbkswx28amb89c0xn262qv9g-git-minimal-2.48.1.drv",["out"])
,("/gnu/store/523ngwgnmyhszf9mqbk537ka41jbzs00-guile-3.0.9.drv",["out"])
,("/gnu/store/5iva1m7wznlq1g233gq1mswdpqi072mr-guile-lzlib-0.3.0.drv",["out"])
,("/gnu/store/armyr6rrwh5ixl8rg68j8p8rd0jpmlyd-module-import-compiled.drv",["out"])
,("/gnu/store/d39z0cm0r492d0wq3n1bxbpzcrd3fl5w-tar-1.34.drv",["out"])
,("/gnu/store/i9c1qi3cdwnx0q74m2572ry7g1p8gxnm-guile-gnutls-4.0.0.drv",["debug","out"])
,("/gnu/store/x3k6cxp0a3mc9jps5njvcmkq4wd38675-gzip-1.13.drv",["out"])]
,["/gnu/store/94ngpqqpsyq2sgpm4g0sfsk3rxz29047-git-download","/gnu/store/hvms8wjpr06r53qmqm2zd69prphbsf6r-module-import"]
,"x86_64-linux","/gnu/store/xv4cd7qz4yan93zkjisbmbpxfz78hah2-guile-3.0.9/bin/guile",["--no-auto-compile","-L","/gnu/store/hvms8wjpr06r53qmqm2zd69prphbsf6r-module-import","-L","/gnu/store/711y2zrpg0ygxaghy72v8hzwla7mjaqg-guile-json-4.7.3/share/guile/site/3.0","-L","/gnu/store/vvbyxci8vyp4qsjnczmnnslh5hm6xzq2-guile-gnutls-4.0.0/share/guile/site/3.0","-L","/gnu/store/02i9pa0yj18riq7g90bzx0jaxmlxnax4-guile-lzlib-0.3.0/share/guile/site/3.0","-C","/gnu/store/5cvb4yyvfn02w1grnh4ij2hl4br5b5n2-module-import-compiled","-C","/gnu/store/711y2zrpg0ygxaghy72v8hzwla7mjaqg-guile-json-4.7.3/lib/guile/3.0/site-ccache","-C","/gnu/store/vvbyxci8vyp4qsjnczmnnslh5hm6xzq2-guile-gnutls-4.0.0/lib/guile/3.0/site-ccache","-C","/gnu/store/02i9pa0yj18riq7g90bzx0jaxmlxnax4-guile-lzlib-0.3.0/lib/guile/3.0/site-ccache","/gnu/store/94ngpqqpsyq2sgpm4g0sfsk3rxz29047-git-download"]
,[("git commit","3355de608cb2267435c2592fc7dc76a1dcc5c02d")
,("git lfs?","#f")
,("git recursive?","#f")
,("git url","https://git.savannah.gnu.org/git/guix.git")
,("hash","98,174,200,162,200,255,232,211,196,56,104,193,239,181,31,93,99,239,11,76,193,51,79,237,196,49,41,109,128,5,148,68")
,("impureEnvVars","http_proxy https_proxy LC_ALL LC_MESSAGES LANG COLUMNS")
,("out","/gnu/store/fx09rrqlfgszl50l5hjw6xqplwkwww3s-guix-1.4.0-33.3355de6-checkout")
,("preferLocalBuild","1")])
--8<---------------cut here---------------end--------------->8---
Aside, this means your guix-daemon is old. You should run as root “guix pull”
and then restart guix-daemon. Security vulnerabilities are rare but
might happen [1].
Because you use the old strategy for fetching, it leads to an unexpected
error. If you open the file
/gnu/store/94ngpqqpsyq2sgpm4g0sfsk3rxz29047-git-download
then you will read the Guile code that checks out. The effective code
’git-fetch’ is from the module (guix build git). Roughly, if I mix the
log and the commands, it reads:
> file:
> /var/log/guix/drvs/pl/i47dzavnx1jrk0lg8hx7n5pbsmyjfl-guix-1.4.0-33.3355de6-checkout.drv.bz2
git init --initial-branch=main
git remote add origin
> Initialized empty Git repository in /gnu/store/fx09rrqlfgszl50l5hjw6xqplwkwww3s-guix-1.4.0-33.3355de6-checkout/.git/
git fetch --depth 1 origin 3355de608cb2267435c2592fc7dc76a1dcc5c02d
> error: Server does not allow request for unadvertised object 3355de608cb2267435c2592fc7dc76a1dcc5c02d
> Failed to do a shallow fetch; retrying a full fetch...
git fetch origin
> error: RPC failed; curl 56 GnuTLS recv error (-9): Error decoding the received TLS packet.
> fetch-pack: unexpected disconnect while reading sideband packet
> fatal: early EOF
> fatal: fetch-pack: invalid index-pack output
> git-fetch: 'git fetch origin' failed with exit code 128
Now, it starts the procedure ’download-nar’ from the Guile module (guix
build download-nar). It loops over various URLs and each time fails.
> Trying content-addressed mirror at bordeaux.guix.gnu.org...
> Unable to fetch from bordeaux.guix.gnu.org, misc-error: (#f download failed ~S ~S ~S (http://bordeaux.guix.gnu.org/nar/lzip/fx09rrqlfgszl50l5hjw6xqplwkwww3s-guix-1.4.0-33.3355de6-checkout 404 Not Found) #f)
> Trying content-addressed mirror at ci.guix.gnu.org...
> Unable to fetch from ci.guix.gnu.org, misc-error: (#f download failed ~S ~S ~S (http://ci.guix.gnu.org/nar/lzip/fx09rrqlfgszl50l5hjw6xqplwkwww3s-guix-1.4.0-33.3355de6-checkout 404 Not Found) #f)
> Trying content-addressed mirror at bordeaux.guix.gnu.org...
> Unable to fetch from bordeaux.guix.gnu.org, misc-error: (#f download failed ~S ~S ~S (http://bordeaux.guix.gnu.org/nar/fx09rrqlfgszl50l5hjw6xqplwkwww3s-guix-1.4.0-33.3355de6-checkout 404 Not Found) #f)
> Trying content-addressed mirror at ci.guix.gnu.org...
> Unable to fetch from ci.guix.gnu.org, misc-error: (#f download failed ~S ~S ~S (http://ci.guix.gnu.org/nar/fx09rrqlfgszl50l5hjw6xqplwkwww3s-guix-1.4.0-33.3355de6-checkout 404 Not Found) #f)
Here, that’s very weird that the both locations are 404
Last, it falls back to Software Heritage.
> Trying to download from Software Heritage...
> SWH: directory with nar-sha256 hash 62aec8a2c8ffe8d3c43868c1efb51f5d63ef0b4cc1334fedc431296d80059444 not found
> SWH: revision "3355de608cb2267435c2592fc7dc76a1dcc5c02d" originating from https://git.savannah.gnu.org/git/guix.git could not be found
That’s very weird because this revision is archived in Software
Heritage, see:
https://archive.softwareheritage.org/swh:1:rev:3355de608cb2267435c2592fc7dc76a1dcc5c02d
Well, all in all, I think the issue is on your side. And it seems an
issue with your network. Could you check? For example, run:
guix build /gnu/store/pli47dzavnx1jrk0lg8hx7n5pbsmyjfl-guix-1.4.0-33.3355de6-checkout.drv
Cheers,
simon
1: https://guix.gnu.org/blog/2024/build-user-takeover-vulnerability/
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.