GNU bug report logs

#41602 texlive is actually substitutable

Package	Source(s)		Maintainer(s)
guix		PTS Buildd Popcon

Reported by Ludovic Courtès <ludo@gnu.org>
Date 2020-05-29T15:17:01
Severity important

Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to bug-guix@gnu.org:
bug#41602; Package guix. (Fri, 29 May 2020 15:17:01 GMT) (full text, mbox, link).

Acknowledgement sent to Ludovic Courtès <ludo@gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Fri, 29 May 2020 15:17:02 GMT) (full text, mbox, link).

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Strangely, ‘texlive-texmf’ (the big one) is substitutable:

--8<---------------cut here---------------start------------->8---
$ guix describe
Generacio 145   May 25 2020 00:37:58    (nuna)
  guix 9744cc7
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: master
    commit: 9744cc7b4636fafb772c94adb8f05961b5b39f16
$ guix environment --ad-hoc texlive -- texdoc biblatex
2.6 MB will be downloaded:
   /gnu/store/7ji4l3szj68b0r5w10bvvdx1vy6nhz5p-subversion-1.10.6
downloading from https://ci.guix.gnu.org/nar/lzip/7ji4l3szj68b0r5w10bvvdx1vy6nhz5p-subversion-1.10.6 ...
 subversion-1.10.6  2.5MiB                                                                                                                                7.2MiB/s 00:00 [##################] 100.0%

La jena derivo estos konstruata:
   /gnu/store/55yx02hr0dz47px1aj0j14xll3bsrmml-texlive-texmf-20190410.drv
2,845.8 MB will be downloaded:
   /gnu/store/nm6w84c9zj3yiylal3dk1sqzxq11sjzw-texlive-20190410-texmf.tar.xz
   /gnu/store/xpkl70g3bls935h1zdlq7sn2j6rccp3k-texlive-20190410
downloading from https://ci.guix.gnu.org/nar/lzip/z4xvgiliw5baf1pr4z03c7n2hw3bm5x5-texlive-texmf-20190410 ...
 texlive-texmf-20190410  2.61GiB
--8<---------------cut here---------------end--------------->8---

The info suggests it won’t be substituted, but it’s eventually
substituted.  I wonder why, because the .drv has:

  ("allowSubstitutes","0")

and the daemon has:

  bool substitutesAllowed(const Derivation & drv)
  {
      return get(drv.env, "allowSubstitutes", "1") == "1";
  }

and:

  if (settings.useSubstitutes && substitutesAllowed(drv))
      foreach (PathSet::iterator, i, invalidOutputs)
          addWaitee(worker.makeSubstitutionGoal(*i, buildMode == bmRepair));

Thoughts?

Ludo’.

Information forwarded to bug-guix@gnu.org:
bug#41602; Package guix. (Fri, 29 May 2020 18:05:02 GMT) (full text, mbox, link).

Message #8 received at 41602@debbugs.gnu.org (full text, mbox, reply):

On Fri, May 29, 2020 at 05:15:40PM +0200, Ludovic Courtès wrote:
> The info suggests it won’t be substituted, but it’s eventually
> substituted.  I wonder why, because the .drv has:
> 
>   ("allowSubstitutes","0")
> 
> and the daemon has:
> 
>   bool substitutesAllowed(const Derivation & drv)
>   {
>       return get(drv.env, "allowSubstitutes", "1") == "1";
>   }
> 
> and:
> 
>   if (settings.useSubstitutes && substitutesAllowed(drv))
>       foreach (PathSet::iterator, i, invalidOutputs)
>           addWaitee(worker.makeSubstitutionGoal(*i, buildMode == bmRepair));
> 
> Thoughts?

I wonder if the content-addressed fallbacks take a different code path
that doesn't respect "allowSubstitutes"?

Information forwarded to bug-guix@gnu.org:
bug#41602; Package guix. (Sat, 30 May 2020 04:07:02 GMT) (full text, mbox, link).

Message #11 received at 41602@debbugs.gnu.org (full text, mbox, reply):

On +2020-05-29 17:15:40 +0200, Ludovic Courtès wrote:
> Strangely, ‘texlive-texmf’ (the big one) is substitutable:
> 
> --8<---------------cut here---------------start------------->8---
> $ guix describe
> Generacio 145   May 25 2020 00:37:58    (nuna)
>   guix 9744cc7
>     repository URL: https://git.savannah.gnu.org/git/guix.git
>     branch: master
>     commit: 9744cc7b4636fafb772c94adb8f05961b5b39f16
> $ guix environment --ad-hoc texlive -- texdoc biblatex
> 2.6 MB will be downloaded:
>    /gnu/store/7ji4l3szj68b0r5w10bvvdx1vy6nhz5p-subversion-1.10.6
> downloading from https://ci.guix.gnu.org/nar/lzip/7ji4l3szj68b0r5w10bvvdx1vy6nhz5p-subversion-1.10.6 ...
>  subversion-1.10.6  2.5MiB                                                                                                                                7.2MiB/s 00:00 [##################] 100.0%
> 
> La jena derivo estos konstruata:
>    /gnu/store/55yx02hr0dz47px1aj0j14xll3bsrmml-texlive-texmf-20190410.drv
> 2,845.8 MB will be downloaded:
>    /gnu/store/nm6w84c9zj3yiylal3dk1sqzxq11sjzw-texlive-20190410-texmf.tar.xz
>    /gnu/store/xpkl70g3bls935h1zdlq7sn2j6rccp3k-texlive-20190410
> downloading from https://ci.guix.gnu.org/nar/lzip/z4xvgiliw5baf1pr4z03c7n2hw3bm5x5-texlive-texmf-20190410 ...
>  texlive-texmf-20190410  2.61GiB
> --8<---------------cut here---------------end--------------->8---
> 
> The info suggests it won’t be substituted, but it’s eventually
> substituted.  I wonder why, because the .drv has:
> 
>   ("allowSubstitutes","0")
> 
> and the daemon has:
> 
>   bool substitutesAllowed(const Derivation & drv)
>   {
>       return get(drv.env, "allowSubstitutes", "1") == "1";
>   }
> 
> and:
> 
>   if (settings.useSubstitutes && substitutesAllowed(drv))
>       foreach (PathSet::iterator, i, invalidOutputs)
>           addWaitee(worker.makeSubstitutionGoal(*i, buildMode == bmRepair));
> 
> Thoughts?

This is the kind of "wonder why" that makes me wonder about trojan horse bug fixes
as described in [1], which is a really interesting and scary read, especially since [1]
could very conceivably be an example of what it itself is talking about (though they
don't sound malicious, so I can hope trusting okular to display it was not giving
them a pdf or image parser to exploit with malice).

Anyway, please note that the "pdf" file starts with these lines:

--8<---------------cut here---------------start------------->8---
# I'm a shell script :-) so please make me executable!
# No shebang but I work equally well with Bash, Dash and Zsh
# The script embeds link-grammar, a x86-64 ELF so it requires to be run on a x86-64 linux system
--8<---------------cut here---------------end--------------->8---

What looks like the beginning of a normal pdf file starts at line 30 counting from 1 as first line.
okular will display the original as if it were pdf (bug??) though "file" just sees it as "data."

Trim off the first 29 lines and file sees it as pdf, and pdfinfo will find its way too.

Idk, you might want at least to cut out the first 29 lines before looking at it with e.g. okular,
(which I trustingly used to open the file): note that okular got past the 29-line script part, (which
is a bit promiscuous for my taste), and displayed the pdf.

It was really interesting, esp the sections around

--8<---------------cut here---------------start------------->8---
3
Deniable Backdoors Using Compiler Bugs
by Scott Bauer, Pascal Cuoq, and John Regehr
--8<---------------cut here---------------end--------------->8---

Maybe you can view it in a sandbox :) But don't blame me if you don't.
YOU WERE WARNED.

So read it -- and wonder what might come with a mysterious substitute ;-P

[1]  https://www.alchemistowl.org/pocorgtfo/pocorgtfo08.pdf

> 
> Ludo’.
> 
> 
> 

-- 
Regards,
Bengt Richter

Information forwarded to bug-guix@gnu.org:
bug#41602; Package guix. (Sat, 30 May 2020 14:09:02 GMT) (full text, mbox, link).

Message #14 received at 41602@debbugs.gnu.org (full text, mbox, reply):

Hi,

Leo Famulari <leo@famulari.name> skribis:

> On Fri, May 29, 2020 at 05:15:40PM +0200, Ludovic Courtès wrote:
>> The info suggests it won’t be substituted, but it’s eventually
>> substituted.  I wonder why, because the .drv has:
>> 
>>   ("allowSubstitutes","0")
>> 
>> and the daemon has:
>> 
>>   bool substitutesAllowed(const Derivation & drv)
>>   {
>>       return get(drv.env, "allowSubstitutes", "1") == "1";
>>   }
>> 
>> and:
>> 
>>   if (settings.useSubstitutes && substitutesAllowed(drv))
>>       foreach (PathSet::iterator, i, invalidOutputs)
>>           addWaitee(worker.makeSubstitutionGoal(*i, buildMode == bmRepair));
>> 
>> Thoughts?
>
> I wonder if the content-addressed fallbacks take a different code path
> that doesn't respect "allowSubstitutes"?

It does, but this texlive-texmf.drv is not a fixed-output derivation.

Ludo’.

Severity set to 'important' from 'normal' Request was from Leo Famulari <leo@famulari.name> to control@debbugs.gnu.org. (Sat, 30 May 2020 17:11:04 GMT) (full text, mbox, link).

Changed bug title to 'texlive is actually substitutable' from 'texlive-texmf is actually subtitutable' Request was from Maxim Cournoyer <maxim.cournoyer@gmail.com> to control@debbugs.gnu.org. (Wed, 03 Apr 2024 02:09:02 GMT) (full text, mbox, link).

Information forwarded to bug-guix@gnu.org:
bug#41602; Package guix. (Wed, 03 Apr 2024 02:10:01 GMT) (full text, mbox, link).

Message #21 received at 41602@debbugs.gnu.org (full text, mbox, reply):

Hello,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Leo Famulari <leo@famulari.name> skribis:
>
>> On Fri, May 29, 2020 at 05:15:40PM +0200, Ludovic Courtès wrote:
>>> The info suggests it won’t be substituted, but it’s eventually
>>> substituted.  I wonder why, because the .drv has:
>>> 
>>>   ("allowSubstitutes","0")
>>> 
>>> and the daemon has:
>>> 
>>>   bool substitutesAllowed(const Derivation & drv)
>>>   {
>>>       return get(drv.env, "allowSubstitutes", "1") == "1";
>>>   }
>>> 
>>> and:
>>> 
>>>   if (settings.useSubstitutes && substitutesAllowed(drv))
>>>       foreach (PathSet::iterator, i, invalidOutputs)
>>>           addWaitee(worker.makeSubstitutionGoal(*i, buildMode == bmRepair));
>>> 
>>> Thoughts?
>>
>> I wonder if the content-addressed fallbacks take a different code path
>> that doesn't respect "allowSubstitutes"?
>
> It does, but this texlive-texmf.drv is not a fixed-output derivation.

I just verified; this still happens:

--8<---------------cut here---------------start------------->8---
$ guix build texlive -n
substitute: mise à jour des substituts depuis « https://ci.guix.gnu.org »... 100.0 %
La dérivation suivante serait compilée :
  /gnu/store/ym96pipknrh6khzc3ws8ychiy6224y61-texlivetexmf-20230313.drv
3 880,6 Mo seraient téléchargés :
  /gnu/store/rzczwmmkvpkahy0mgpahav0yx37ci61b-texlive-20230313-texmf.tar.xz
  /gnu/store/bcc5071mvprhp4yj1jimlhyyi499d2ba-texlivebin-20230313
  /gnu/store/bd4mzanvv7q2plm2b6zld8cz3fy0x34a-texlive-20230313
maxim@hurd ~/src/guix [env]$ guix build /gnu/store/bd4mzanvv7q2plm2b6zld8cz3fy0x34a-texlive-20230313
substitute: mise à jour des substituts depuis « https://ci.guix.gnu.org »... 100.0 %
substitution de /gnu/store/bcc5071mvprhp4yj1jimlhyyi499d2ba-texlivebin-20230313...
téléchargement depuis https://ci.guix.gnu.org/nar/lzip/bcc5071mvprhp4yj1jimlhyyi499d2ba-texlivebin-20230313...
 texlivebin-20230313  13.5MiB                                   527KiB/s 00:26 ▕██████████████████▏ 100.0%

substitution de /gnu/store/4hr3i6p7g2miwhy9gn64mxp1haix36dq-texlivetexmf-20230313...
téléchargement depuis https://ci.guix.gnu.org/nar/lzip/4hr3i6p7g2miwhy9gn64mxp1haix36dq-texlivetexmf-20230313...
 texlivetexmf-20230313  3.63GiB                                 360KiB/s 00:17 ▕                  ▏   0.2%^C
--8<---------------cut here---------------end--------------->8---

-- 
Thanks,
Maxim

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Sep 8 03:50:54 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.