From: Danny Milosavljevic
To: Maxim Cournoyer
Cc: 43893@debbugs.gnu.org
Subject: bug#43893: make update-guix-package produced an incorrect hash
Date: Sat, 10 Oct 2020 02:04:10 +0200
Message-ID: <20201010020410.3a301654@scratchpost.org>
In-Reply-To: <87eem7qcxc.fsf@gmail.com>

I'm guessing it has something to do with
update-guix-package using git-predicate to add only git-known (but not necessarily committed) files to the store and then calculating the checksum of that--but the git-fetch for the guix package not necessarily doing the same.

Then update-guix-package.scm does one worse and actively prevents guix from doing the checkout from git when building that "guix" package. That means the person invoking update-guix-package.scm can't notice even when the sha256 hash is definitely wrong--because guix will have the source for package "guix" in the store already (a faked entry added by update-guix-package.scm) and thus won't fetch it again.

Also, doesn't this entire approach have a problem? If you make a commit into the git repo of guix in order to update the package "guix" to commit A, at that point you can't know what commit hash commit A will have (since you haven't committed it yet) and yet you have to know the commit hash of commit A in order to write it into the package definition of package "guix".

That cannot work.

The only way it works, more or less by accident is that,

(1) At first, update-guix-package.scm does NOT update the "guix" package inside, and calculates the hash of the working copy (hash A).

(2) Then, it updates the "guix" package inside to refer to hash A and to a USER-SPECIFIED COMMIT HASH (the latter is determined by the user via git rev-parse HEAD).

(3) Then, it commits that changed working copy as commit B. Commit B is essentially not referred-to by anyone--it's just to make it to the git repository so guix pull can pick it up.

That works only as long as there will be no reference to a nested-nested "guix" package, by the eventual user.

@Maxim:

I think this entire thing has to assume that git rev-parse HEAD (which it did at the very beginning of make update-guix-package) actually refers to a commit that is available on the guix git repository on savannah.

That means as soon as you change anything (no matter what) (and not actually commit that) before invoking make update-guix-package the commit it refers to in the "guix" package will be one which cannot be resolved by users.

Worse, if you change anything but not commit it (even locally), then that surely counts as "part of the checkout" for make update-guix-package, so the hash will be calculated including those changes--but the changes are not committed, so no one can build the resulting guix package (because of a hash mismatch). That can happen automatically very easily if "make" updates po files.

An easy fix, also done by a lot of other such release tools, is to make make update-guix-package first check whether there are any uncommitted changes. If so, make it fail.

There's guix build guix --with-git-url=guix=. but even that won't work with (locally) uncommitted changes.

Note: uncommitted and unpushed are different. It's totally fine to have UNPUSHED changes and then use

  ./pre-inst-env guix build guix --with-git-url=guix=`pwd`

in order to build it anyway.

But it's not fine to do that with UNCOMMITTED changes--because the sha256 hash will include those, but the commit id won't.

Long story short, we should make "make update-guix-package" check for uncommitted changes in the working copy, and fail if any such exist[1].

There are no downsides that I can see. Even building from local working copy still works then.

Also, let's please document update-guix-package.

[1] git diff-index --quiet HEAD || echo fail
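
The check from footnote [1], expanded into a guard function and run against the uncommitted/unpushed cases the message distinguishes. This is an added example, not part of the original message or of Guix: require_clean_tree, scratch_git, report and demo are hypothetical names, and the scratch repository is constructed for the demonstration. Untracked files pass on the assumption, taken from the message, that only git-known files enter the hash.

```shell
#!/bin/sh
# Added example: pre-flight guard for an update/release target.
# All function names here are hypothetical, not Guix code.

# Succeed only if the index and all tracked files match HEAD.
require_clean_tree() {
    # Refresh cached stat data first; otherwise a file whose mtime changed
    # but whose content did not can be reported as modified.
    git -C "$1" update-index -q --refresh >/dev/null 2>&1 || true
    if ! git -C "$1" diff-index --quiet HEAD --; then
        echo "error: uncommitted changes in $1, refusing to continue:" >&2
        git -C "$1" diff-index --name-status HEAD -- >&2
        return 1
    fi
}

# Run git with a fixed identity so commits work on any machine.
scratch_git() {
    repo=$1; shift
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false "$@"
}

# Print "<label>=ok" or "<label>=refused" for the scratch repo in $d.
report() {
    require_clean_tree "$d" 2>/dev/null && echo "$1=ok" || echo "$1=refused"
}

# Walk a constructed scratch repository through the cases from the message.
demo() {
    d=$(mktemp -d) || return 1
    scratch_git "$d" init -q
    echo "first" > "$d/tracked"
    scratch_git "$d" add tracked
    scratch_git "$d" commit -q -m first
    report committed
    echo "second version" > "$d/tracked"
    scratch_git "$d" commit -q -a -m second   # committed, never pushed
    report unpushed
    echo "scratch" > "$d/untracked"           # not known to git
    report untracked
    echo "third version, edited" > "$d/tracked"   # edited, not committed
    report modified
    scratch_git "$d" checkout -q -- tracked
    scratch_git "$d" add untracked            # staged, not committed
    report staged
    rm -rf "$d"
}
```

In a Makefile target the guard would run as require_clean_tree . before anything computes the hash.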