bug#28602: Unpack fails with no error message when using a .zip source

bug#28602: Unpack fails with no error message when using a .zip source

[nee]

Hello,

right now unpacking .zip sources only works when unzip is added as
native input. That's all right, but there is no error message, just:

starting phase `unpack'
phase `unpack' failed after 0.0 seconds

It should say something like:

starting phase `unpack'
Archive with .zip suffix failed to unpack. Please add unzip as
native-input to the package, e.g. (native-inputs `(("unzip" ,unzip)))
phase `unpack' failed after 0.0 seconds

I tested this in the cmake-build-system

bug#28602: Unpack fails with no error message when using a .zip source

[Adonay Felipe Nogueira]

Does the .zip file have a a single directory on the root?

If not, then we can call it a zipbomb/tarbomb. These bombs are bad
because they can replace things without notice, and can be very
difficult to track what was added. Last time I checked Guix expects only
a single directory in the root of the file --- this might have changed,
but I didn't test it since one year ago.

nee <nee@cock.li> writes:

> Hello,
>
> right now unpacking .zip sources only works when unzip is added as
> native input. That's all right, but there is no error message, just:
>
> starting phase `unpack'
> phase `unpack' failed after 0.0 seconds
>
> It should say something like:
>
> starting phase `unpack'
> Archive with .zip suffix failed to unpack. Please add unzip as
> native-input to the package, e.g. (native-inputs `(("unzip" ,unzip)))
> phase `unpack' failed after 0.0 seconds
>
> I tested this in the cmake-build-system

-- 
- https://libreplanet.org/wiki/User:Adfeno
- Palestrante e consultor sobre /software/ livre (não confundir com
  gratis).
- "WhatsApp"? Ele não é livre. Por favor, use o GNU Ring ou o Tox.
- Contato: https://libreplanet.org/wiki/User:Adfeno#vCard
- Arquivos comuns aceitos (apenas sem DRM): Corel Draw, Microsoft
  Office, MP3, MP4, WMA, WMV.
- Arquivos comuns aceitos e enviados: CSV, GNU Dia, GNU Emacs Org, GNU
  GIMP, Inkscape SVG, JPG, LibreOffice (padrão ODF), OGG, OPUS, PDF
  (apenas sem DRM), PNG, TXT, WEBM.

bug#28602: [PATCH] guix: gnu-build-system: warn about missing unzip input unzip

[nee]

[-- Attachment #1: Type: text/plain, Size: 179 bytes --]

Hello here is a patch to fix this bug. It changes the gnu-build-system,
so the hashes of almost all packages will also change. I guess
core-updates is the right branch for this.


[-- Attachment #2: 0001-guix-gnu-build-system-warn-about-missing-unzip-input.patch --]
[-- Type: text/x-patch, Size: 1736 bytes --]

From 089b9741a734f0682a671df6c0c36dfefcbd407c Mon Sep 17 00:00:00 2001
From: nee <nee.git@cock.li>
Date: Mon, 9 Oct 2017 22:49:12 +0200
Subject: [PATCH] guix: gnu-build-system: warn about missing unzip input during
 unpack.

---
 guix/build/gnu-build-system.scm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/guix/build/gnu-build-system.scm b/guix/build/gnu-build-system.scm
index e37b75140..c16d15964 100644
--- a/guix/build/gnu-build-system.scm
+++ b/guix/build/gnu-build-system.scm
@@ -67,6 +67,21 @@ See https://reproducible-builds.org/specs/source-date-epoch/."
                     #f
                     dir))
 
+(define (unzip filepath)
+  "Unzip archive file.
+Warn the user when unzip fails and the executable is not present."
+  (define exit-code (system* "unzip" filepath))
+  (define program-not-found-code 32512)
+  (cond ((zero? exit-code) #t)
+        ((eqv? exit-code program-not-found-code)
+         (format (current-error-port)
+                 "warning: Archive with .zip suffix failed to unpack.
+Please add unzip as native-input to the package,
+e.g. (native-inputs `((\"unzip\" ,unzip)))")
+         (newline (current-error-port))
+         #f)
+        (else #f)))
+
 (define* (set-paths #:key target inputs native-inputs
                     (search-paths '()) (native-search-paths '())
                     #:allow-other-keys)
@@ -154,7 +169,7 @@ working directory."
                           #:keep-mtime? #t)
         #t)
       (and (if (string-suffix? ".zip" source)
-               (zero? (system* "unzip" source))
+               (unzip source)
                (zero? (system* "tar" "xvf" source)))
            (chdir (first-subdirectory ".")))))
 
-- 
2.14.1

bug#28602: Unpack fails with no error message when using a .zip source

[nee]

Am 04.10.2017 um 20:17 schrieb Adonay Felipe Nogueira:
> Does the .zip file have a a single directory on the root?
> 
> If not, then we can call it a zipbomb/tarbomb. These bombs are bad
> because they can replace things without notice, and can be very
> difficult to track what was added. Last time I checked Guix expects only
> a single directory in the root of the file --- this might have changed,
> but I didn't test it since one year ago.

Hello, this is a different problem. Tarbombs are still a problem, but
unrelated to this.

The gnu-build-system does not have unzip by default. If a package's
source comes in a zip the package must have unzip as native-input. If it
isn't the (system* "unzip" source) call in the unpack function will fail
because there is no unzip executable.

Happy hacking!

bug#28602: Unpack fails with no error message when using a .zip source

[zimoun]

Hi,

Thanks for the patch and sorry for the delay.

On Mon, 09 Oct 2017 at 23:00, nee <nee@cock.li> wrote:
> Hello here is a patch to fix this bug. It changes the gnu-build-system,
> so the hashes of almost all packages will also change. I guess
> core-updates is the right branch for this.
>
>>From 089b9741a734f0682a671df6c0c36dfefcbd407c Mon Sep 17 00:00:00 2001
> From: nee <nee.git@cock.li>
> Date: Mon, 9 Oct 2017 22:49:12 +0200
> Subject: [PATCH] guix: gnu-build-system: warn about missing unzip input during
>  unpack.
>
> ---
>  guix/build/gnu-build-system.scm | 17 ++++++++++++++++-
>  1 file changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/guix/build/gnu-build-system.scm b/guix/build/gnu-build-system.scm
> index e37b75140..c16d15964 100644
> --- a/guix/build/gnu-build-system.scm
> +++ b/guix/build/gnu-build-system.scm
> @@ -67,6 +67,21 @@ See https://reproducible-builds.org/specs/source-date-epoch/."
>                      #f
>                      dir))
>
> +(define (unzip filepath)
> +  "Unzip archive file.
> +Warn the user when unzip fails and the executable is not present."
> +  (define exit-code (system* "unzip" filepath))
> +  (define program-not-found-code 32512)
> +  (cond ((zero? exit-code) #t)
> +        ((eqv? exit-code program-not-found-code)
> +         (format (current-error-port)
> +                 "warning: Archive with .zip suffix failed to unpack.
> +Please add unzip as native-input to the package,
> +e.g. (native-inputs `((\"unzip\" ,unzip)))")
> +         (newline (current-error-port))
> +         #f)
> +        (else #f)))

Give a look at 'invoke' from (guix build utils).

>  (define* (set-paths #:key target inputs native-inputs
>                      (search-paths '()) (native-search-paths '())
>                      #:allow-other-keys)
> @@ -154,7 +169,7 @@ working directory."
>                            #:keep-mtime? #t)
>          #t)
>        (and (if (string-suffix? ".zip" source)
> -               (zero? (system* "unzip" source))
> +               (unzip source)
>                 (zero? (system* "tar" "xvf" source)))
>             (chdir (first-subdirectory ".")))))

After 9a87649c863e1ff8b073b356875eb05eecedbcf7, this part uses 'invoke'.
Instead of your 'unzip', the exception raised by 'invoke' should be
catched and then should trigger the hint message.  WDYT?

All the best,
simon

bug#28602: [core-updates] Unpack fails with no error message when using a .zip source

[zimoun]

Hi,

This patch [1] had been submitted in 2017 and fallen in the cracks.  The
code below requires improvement and I am not convinced by the feature.
Therefore closing?

<http://issues.guix.gnu.org/issue/28602


On Mon, 05 Jul 2021 at 13:46, zimoun <zimon.toutoune@gmail.com> wrote:
> On Mon, 09 Oct 2017 at 23:00, nee <nee@cock.li> wrote:

>> Hello here is a patch to fix this bug. It changes the gnu-build-system,
>> so the hashes of almost all packages will also change. I guess
>> core-updates is the right branch for this.
>>
>>>>From 089b9741a734f0682a671df6c0c36dfefcbd407c Mon Sep 17 00:00:00 2001
>> From: nee <nee.git@cock.li>
>> Date: Mon, 9 Oct 2017 22:49:12 +0200
>> Subject: [PATCH] guix: gnu-build-system: warn about missing unzip input during
>>  unpack.
>>
>> ---
>>  guix/build/gnu-build-system.scm | 17 ++++++++++++++++-
>>  1 file changed, 16 insertions(+), 1 deletion(-)
>>
>> diff --git a/guix/build/gnu-build-system.scm b/guix/build/gnu-build-system.scm
>> index e37b75140..c16d15964 100644
>> --- a/guix/build/gnu-build-system.scm
>> +++ b/guix/build/gnu-build-system.scm
>> @@ -67,6 +67,21 @@ See https://reproducible-builds.org/specs/source-date-epoch/."
>>                      #f
>>                      dir))
>>
>> +(define (unzip filepath)
>> +  "Unzip archive file.
>> +Warn the user when unzip fails and the executable is not present."
>> +  (define exit-code (system* "unzip" filepath))
>> +  (define program-not-found-code 32512)
>> +  (cond ((zero? exit-code) #t)
>> +        ((eqv? exit-code program-not-found-code)
>> +         (format (current-error-port)
>> +                 "warning: Archive with .zip suffix failed to unpack.
>> +Please add unzip as native-input to the package,
>> +e.g. (native-inputs `((\"unzip\" ,unzip)))")
>> +         (newline (current-error-port))
>> +         #f)
>> +        (else #f)))
>
> Give a look at 'invoke' from (guix build utils).
>
>>  (define* (set-paths #:key target inputs native-inputs
>>                      (search-paths '()) (native-search-paths '())
>>                      #:allow-other-keys)
>> @@ -154,7 +169,7 @@ working directory."
>>                            #:keep-mtime? #t)
>>          #t)
>>        (and (if (string-suffix? ".zip" source)
>> -               (zero? (system* "unzip" source))
>> +               (unzip source)
>>                 (zero? (system* "tar" "xvf" source)))
>>             (chdir (first-subdirectory ".")))))
>
> After 9a87649c863e1ff8b073b356875eb05eecedbcf7, this part uses 'invoke'.
> Instead of your 'unzip', the exception raised by 'invoke' should be
> catched and then should trigger the hint message.  WDYT?

Cheers,
simon

bug#28602: Unpack fails with no error message when using a .zip source

[zimoun]

Hi,

On Fri, 26 Nov 2021 at 02:49, zimoun <zimon.toutoune@gmail.com> wrote:

> This patch [1] had been submitted in 2017 and fallen in the cracks.  The
> code below requires improvement and I am not convinced by the feature.
> Therefore closing?
>
> <http://issues.guix.gnu.org/issue/28602

If no answer before the next release [1], I will close it.


1: <https://lists.gnu.org/archive/html/guix-devel/2022-01/msg00055.html>

Cheers,
simon

bug#28602: Unpack fails with no error message when using a .zip source

[zimoun]

Hi,

On Tue, 04 Jan 2022 at 23:55, zimoun <zimon.toutoune@gmail.com> wrote:
> On Fri, 26 Nov 2021 at 02:49, zimoun <zimon.toutoune@gmail.com> wrote:
>
>> This patch [1] had been submitted in 2017 and fallen in the cracks.  The
>> code below requires improvement and I am not convinced by the feature.
>> Therefore closing?
>>
>> <http://issues.guix.gnu.org/issue/28602
>
> If no answer before the next release [1], I will close it.

Well, 11 weeks later without an answer, I am closing.

Cheers,
simon