From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id cNEQDfHb0V5JVQAA0tVLHw (envelope-from ) for ; Sat, 30 May 2020 04:07:13 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id MH4HCfHb0V7MFgAA1q6Kng (envelope-from ) for ; Sat, 30 May 2020 04:07:13 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 258D8940997 for ; Sat, 30 May 2020 04:07:12 +0000 (UTC) Received: from localhost ([::1]:53478 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jesm5-0004ux-Pf for larch@yhetil.org; Sat, 30 May 2020 00:07:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:42414) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jesly-0004ul-U9 for bug-guix@gnu.org; Sat, 30 May 2020 00:07:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:45105) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jesly-00066K-Kn for bug-guix@gnu.org; Sat, 30 May 2020 00:07:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1jesly-0002W1-Ei for bug-guix@gnu.org; Sat, 30 May 2020 00:07:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#41602: texlive-texmf is actually subtitutable Resent-From: Bengt Richter Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Sat, 30 May 2020 04:07:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41602 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 41602-submit@debbugs.gnu.org id=B41602.15908116029643 (code B ref 41602); Sat, 30 May 2020 04:07:02 +0000 Received: (at 41602) by debbugs.gnu.org; 30 May 2020 04:06:42 +0000 Received: from localhost ([127.0.0.1]:56651 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jeslP-0002VD-6P for submit@debbugs.gnu.org; Sat, 30 May 2020 00:06:42 -0400 Received: from imta-38.everyone.net ([216.200.145.38]:60956) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jeslM-0002V4-Ir for 41602@debbugs.gnu.org; Sat, 30 May 2020 00:06:26 -0400 Received: from pps.filterd (omta003.sj2.proofpoint.com [127.0.0.1]) by imta-38.everyone.net (8.16.0.27/8.16.0.27) with SMTP id 04U44LUf001178; Fri, 29 May 2020 21:06:23 -0700 X-Eon-Originating-Account: VtI5PiSs5k0cd_MIa5iSNGI8ceBqumf43-aL5lvSE1A X-Eon-Dm: m0116787.ppops.net Received: by m0116787.mta.everyone.net (EON-AUTHRELAY2 - 5a81dd03) id m0116787.5e67f91f.98305b; Fri, 29 May 2020 21:06:19 -0700 X-Eon-Sig: AQMHrIJe0du70zh1ZQIAAAAC,2cdab7681c30a631fcf1bee9dbae7fb7 X-Eip: 0nCpOmcZ3QDj3kvsg756sFiIEEz2yjJVl2yzLr0Qmtc Date: Sat, 30 May 2020 06:06:09 +0200 From: Bengt Richter Message-ID: <20200530040609.GA2810@LionPure> References: <878sha3h7n.fsf@inria.fr> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <878sha3h7n.fsf@inria.fr> User-Agent: Mutt/1.10.1 (2018-07-13) X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.687 definitions=2020-05-30_01:2020-05-28, 2020-05-30 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1034 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2004280000 definitions=main-2005300030 X-Spam-Score: -0.4 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-Spam-Score: -0.7 (/) X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Bengt Richter Cc: 41602@debbugs.gnu.org Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Spam-Score: -0.51 X-TUID: Hy01mXlqmWsu On +2020-05-29 17:15:40 +0200, Ludovic Courtès wrote: > Strangely, ‘texlive-texmf’ (the big one) is substitutable: > > --8<---------------cut here---------------start------------->8--- > $ guix describe > Generacio 145 May 25 2020 00:37:58 (nuna) > guix 9744cc7 > repository URL: https://git.savannah.gnu.org/git/guix.git > branch: master > commit: 9744cc7b4636fafb772c94adb8f05961b5b39f16 > $ guix environment --ad-hoc texlive -- texdoc biblatex > 2.6 MB will be downloaded: > /gnu/store/7ji4l3szj68b0r5w10bvvdx1vy6nhz5p-subversion-1.10.6 > downloading from https://ci.guix.gnu.org/nar/lzip/7ji4l3szj68b0r5w10bvvdx1vy6nhz5p-subversion-1.10.6 ... > subversion-1.10.6 2.5MiB 7.2MiB/s 00:00 [##################] 100.0% > > La jena derivo estos konstruata: > /gnu/store/55yx02hr0dz47px1aj0j14xll3bsrmml-texlive-texmf-20190410.drv > 2,845.8 MB will be downloaded: > /gnu/store/nm6w84c9zj3yiylal3dk1sqzxq11sjzw-texlive-20190410-texmf.tar.xz > /gnu/store/xpkl70g3bls935h1zdlq7sn2j6rccp3k-texlive-20190410 > downloading from https://ci.guix.gnu.org/nar/lzip/z4xvgiliw5baf1pr4z03c7n2hw3bm5x5-texlive-texmf-20190410 ... > texlive-texmf-20190410 2.61GiB > --8<---------------cut here---------------end--------------->8--- > > The info suggests it won’t be substituted, but it’s eventually > substituted. I wonder why, because the .drv has: > > ("allowSubstitutes","0") > > and the daemon has: > > bool substitutesAllowed(const Derivation & drv) > { > return get(drv.env, "allowSubstitutes", "1") == "1"; > } > > and: > > if (settings.useSubstitutes && substitutesAllowed(drv)) > foreach (PathSet::iterator, i, invalidOutputs) > addWaitee(worker.makeSubstitutionGoal(*i, buildMode == bmRepair)); > > Thoughts? This is the kind of "wonder why" that makes me wonder about trojan horse bug fixes as described in [1], which is a really interesting and scary read, especially since [1] could very conceivably be an example of what it itself is talking about (though they don't sound malicious, so I can hope trusting okular to display it was not giving them a pdf or image parser to exploit with malice). Anyway, please note that the "pdf" file starts with these lines: --8<---------------cut here---------------start------------->8--- # I'm a shell script :-) so please make me executable! # No shebang but I work equally well with Bash, Dash and Zsh # The script embeds link-grammar, a x86-64 ELF so it requires to be run on a x86-64 linux system --8<---------------cut here---------------end--------------->8--- What looks like the beginning of a normal pdf file starts at line 30 counting from 1 as first line. okular will display the original as if it were pdf (bug??) though "file" just sees it as "data." Trim off the first 29 lines and file sees it as pdf, and pdfinfo will find its way too. Idk, you might want at least to cut out the first 29 lines before looking at it with e.g. okular, (which I trustingly used to open the file): note that okular got past the 29-line script part, (which is a bit promiscuous for my taste), and displayed the pdf. It was really interesting, esp the sections around --8<---------------cut here---------------start------------->8--- 3 Deniable Backdoors Using Compiler Bugs by Scott Bauer, Pascal Cuoq, and John Regehr --8<---------------cut here---------------end--------------->8--- Maybe you can view it in a sandbox :) But don't blame me if you don't. YOU WERE WARNED. So read it -- and wonder what might come with a mysterious substitute ;-P [1] https://www.alchemistowl.org/pocorgtfo/pocorgtfo08.pdf > > Ludo’. > > > -- Regards, Bengt Richter