unofficial mirror of bug-guix@gnu.org 
From: Bengt Richter <bokr@bokr.com>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 41602@debbugs.gnu.org
Subject: bug#41602: texlive-texmf is actually subtitutable
Date: Sat, 30 May 2020 06:06:09 +0200
Message-ID: <20200530040609.GA2810@LionPure>
In-Reply-To: <878sha3h7n.fsf@inria.fr>

On +2020-05-29 17:15:40 +0200, Ludovic Courtès wrote:
> Strangely, ‘texlive-texmf’ (the big one) is substitutable:
> 
> --8<---------------cut here---------------start------------->8---
> $ guix describe
> Generacio 145   May 25 2020 00:37:58    (nuna)
>   guix 9744cc7
>     repository URL: https://git.savannah.gnu.org/git/guix.git
>     branch: master
>     commit: 9744cc7b4636fafb772c94adb8f05961b5b39f16
> $ guix environment --ad-hoc texlive -- texdoc biblatex
> 2.6 MB will be downloaded:
>    /gnu/store/7ji4l3szj68b0r5w10bvvdx1vy6nhz5p-subversion-1.10.6
> downloading from https://ci.guix.gnu.org/nar/lzip/7ji4l3szj68b0r5w10bvvdx1vy6nhz5p-subversion-1.10.6 ...
>  subversion-1.10.6  2.5MiB                                                                                                                                7.2MiB/s 00:00 [##################] 100.0%
> 
> La jena derivo estos konstruata:
>    /gnu/store/55yx02hr0dz47px1aj0j14xll3bsrmml-texlive-texmf-20190410.drv
> 2,845.8 MB will be downloaded:
>    /gnu/store/nm6w84c9zj3yiylal3dk1sqzxq11sjzw-texlive-20190410-texmf.tar.xz
>    /gnu/store/xpkl70g3bls935h1zdlq7sn2j6rccp3k-texlive-20190410
> downloading from https://ci.guix.gnu.org/nar/lzip/z4xvgiliw5baf1pr4z03c7n2hw3bm5x5-texlive-texmf-20190410 ...
>  texlive-texmf-20190410  2.61GiB
> --8<---------------cut here---------------end--------------->8---
> 
> The info suggests it won’t be substituted, but it’s eventually
> substituted.  I wonder why, because the .drv has:
> 
>   ("allowSubstitutes","0")
> 
> and the daemon has:
> 
>   bool substitutesAllowed(const Derivation & drv)
>   {
>       return get(drv.env, "allowSubstitutes", "1") == "1";
>   }
> 
> and:
> 
>   if (settings.useSubstitutes && substitutesAllowed(drv))
>       foreach (PathSet::iterator, i, invalidOutputs)
>           addWaitee(worker.makeSubstitutionGoal(*i, buildMode == bmRepair));
> 
> Thoughts?

This is the kind of "wonder why" that makes me wonder about trojan horse bug fixes
as described in [1], which is a really interesting and scary read, especially since [1]
could very conceivably be an example of what it itself is talking about (though they
don't sound malicious, so I can hope trusting okular to display it was not giving
them a pdf or image parser to exploit with malice).

Anyway, please note that the "pdf" file starts with these lines:

--8<---------------cut here---------------start------------->8---
# I'm a shell script :-) so please make me executable!
# No shebang but I work equally well with Bash, Dash and Zsh
# The script embeds link-grammar, a x86-64 ELF so it requires to be run on a x86-64 linux system
--8<---------------cut here---------------end--------------->8---

What looks like the beginning of a normal pdf file starts at line 30 counting from 1 as first line.
okular will display the original as if it were pdf (bug??) though "file" just sees it as "data."

Trim off the first 29 lines and file sees it as pdf, and pdfinfo will find its way too.

Idk, you might want at least to cut out the first 29 lines before looking at it with e.g. okular,
(which I trustingly used to open the file): note that okular got past the 29-line script part, (which
is a bit promiscuous for my taste), and displayed the pdf.

It was really interesting, esp the sections around

--8<---------------cut here---------------start------------->8---
3
Deniable Backdoors Using Compiler Bugs
by Scott Bauer, Pascal Cuoq, and John Regehr
--8<---------------cut here---------------end--------------->8---

Maybe you can view it in a sandbox :) But don't blame me if you don't.
YOU WERE WARNED.

So read it -- and wonder what might come with a mysterious substitute ;-P

[1]  https://www.alchemistowl.org/pocorgtfo/pocorgtfo08.pdf

> 
> Ludo’.
> 
> 
> 

-- 
Regards,
Bengt Richter
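
The inspection described in the message above (find the line where the PDF header really starts, then view only a copy trimmed to that line), as an added example that is not part of the original email. The function names and the sample file are constructed for illustration; by the message's account, the real file would report its header on line 30.

```shell
#!/bin/sh
# Added example: locate the PDF header in a file that carries a script in
# front of it, and write a trimmed copy for viewing. The input is only read,
# never executed.

# Print the 1-based number of the first line starting with "%PDF-";
# print nothing if there is none. -a makes grep treat binary data as text.
pdf_header_line() {
    LC_ALL=C grep -a -n '^%PDF-' "$1" | head -n 1 | cut -d: -f1
}

# Print "clean", "prefixed N" (N lines precede the header) or "no-pdf-header".
classify() {
    line=$(pdf_header_line "$1")
    if [ -z "$line" ]; then
        echo "no-pdf-header"
    elif [ "$line" -eq 1 ]; then
        echo "clean"
    else
        echo "prefixed $((line - 1))"
    fi
}

# Copy FILE to OUT starting at the header line, dropping whatever precedes it.
trim_to_pdf() {
    line=$(pdf_header_line "$1")
    [ -n "$line" ] || return 1
    tail -n "+$line" "$1" > "$2"
}

# Constructed sample: three harmless comment lines, then a minimal PDF-like body.
make_sample() {
    printf '%s\n' '# constructed prefix line 1' '# constructed prefix line 2' \
        '# constructed prefix line 3' '%PDF-1.5' '1 0 obj' '<< >>' 'endobj' \
        '%%EOF' > "$1"
}

tmp=$(mktemp -d)
make_sample "$tmp/sample.pdf"
classify "$tmp/sample.pdf"
trim_to_pdf "$tmp/sample.pdf" "$tmp/trimmed.pdf"
classify "$tmp/trimmed.pdf"
rm -rf "$tmp"
```

Before discarding the prefix, `head -n N FILE | cat -v` shows the N leading lines with control characters made visible, so they can be read as text rather than run.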



