unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#28749: guix build --subsitute-urls does not override guix-daemon run with --no-subsitutes
@ 2017-10-08 17:13 Drashne
  2017-10-09 19:20 ` Leo Famulari
  0 siblings, 1 reply; 6+ messages in thread
From: Drashne @ 2017-10-08 17:13 UTC (permalink / raw)
  To: 28749


[-- Attachment #1.1: Type: text/plain, Size: 1003 bytes --]

From the kind people on #guix, I've heard that "guix build --subsitute-urls" should override "guix-daemon --no-subsitutes", but it seems it's not doing so for me.

Here's the situation I ran in to:

While doing a "./pre-inst-env guix pull" I got an error about:

  output path `/gnu/store/53lj4z9cavl7n27r89zjnvyd8fk854kj-libgit2-0.26.0.tar.gz' should have sha256 hash `1fdk9yhwvl1w1z71ykzcvgh4nsf8scxcbclz5anh98zpplmhmisa', instead has `
1b3figbhp5l83vd37vq6j2narrq4yl9pfw6mw0px0dzb1hz3jqka'

So I tried "./pre-inst-env guix build --source libgit2 --substitute-urls=[https://mirror.hydra.gnu.org"](https://mirror.hydra.gnu.org)
but it redirected me to https://codeload.github.com/libgit2/libgit2/tar.gz/v0.26.0
which had the wrong hash.

Attached is the full log of that failed attempt.  This was done while guix-daemon was run with the --no-subsitutes option.

Then I killed guix-daemon and restarted it without --no-subsitutes, and did the same thing and it worked (log of the success also attached).

[-- Attachment #1.2: Type: text/html, Size: 1337 bytes --]

[-- Attachment #2: libgit2-substitute-failed-while-guix-daemon-run-with-no-substitutes.txt --]
[-- Type: text/plain, Size: 1591 bytes --]

sh-4.3$ ./pre-inst-env guix build --source libgit2 --substitute-urls=https://mirror.hydra.gnu.org
The following derivations will be built:
   /gnu/store/5szrmzmfgxk6pylk5fh9bk8apj4x8axf-libgit2-0.26.0.tar.xz.drv
   /gnu/store/mgh4yjxkxfyqmc7c61vwq4vs8v837602-libgit2-0.26.0.tar.gz.drv
@ build-started /gnu/store/mgh4yjxkxfyqmc7c61vwq4vs8v837602-libgit2-0.26.0.tar.gz.drv - x86_64-linux /var/log/guix/drvs/mg//h4yjxkxfyqmc7c61vwq4vs8v837602-libgit2-0.26.0.tar
.gz.drv.bz2

Starting download of /gnu/store/53lj4z9cavl7n27r89zjnvyd8fk854kj-libgit2-0.26.0.tar.gz
From https://github.com/libgit2/libgit2/archive/v0.26.0.tar.gz...
following redirection to `https://codeload.github.com/libgit2/libgit2/tar.gz/v0.26.0'...
 v0.26.0                                     4.2MiB/s 00:01 | 4.5MiB transferred
output path `/gnu/store/53lj4z9cavl7n27r89zjnvyd8fk854kj-libgit2-0.26.0.tar.gz' should have sha256 hash `1fdk9yhwvl1w1z71ykzcvgh4nsf8scxcbclz5anh98zpplmhmisa', instead has `
1b3figbhp5l83vd37vq6j2narrq4yl9pfw6mw0px0dzb1hz3jqka'
@ build-failed /gnu/store/mgh4yjxkxfyqmc7c61vwq4vs8v837602-libgit2-0.26.0.tar.gz.drv - 1 output path `/gnu/store/53lj4z9cavl7n27r89zjnvyd8fk854kj-libgit2-0.26.0.tar.gz' shou
ld have sha256 hash `1fdk9yhwvl1w1z71ykzcvgh4nsf8scxcbclz5anh98zpplmhmisa', instead has `1b3figbhp5l83vd37vq6j2narrq4yl9pfw6mw0px0dzb1hz3jqka'
cannot build derivation `/gnu/store/5szrmzmfgxk6pylk5fh9bk8apj4x8axf-libgit2-0.26.0.tar.xz.drv': 1 dependencies couldn't be built
guix build: error: build failed: build of `/gnu/store/5szrmzmfgxk6pylk5fh9bk8apj4x8axf-libgit2-0.26.0.tar.xz.drv' failed

[-- Attachment #3: libgit2-substitute-succeeded-while-guix-daemon-run-without-no-substitutes.txt --]
[-- Type: text/plain, Size: 993 bytes --]

sh-4.3$ ./pre-inst-env guix build --source libgit2 --substitute-urls=https://mirror.hydra.gnu.org
substitute: updating list of substitutes from 'https://mirror.hydra.gnu.org'... 100.0%
2.8 MB will be downloaded:
   /gnu/store/s62d5lbr6sb7x0mxhhdwf13in7yi8mbc-libgit2-0.26.0.tar.xz
substitute: updating list of substitutes from 'https://mirror.hydra.gnu.org'... 100.0%
@ substituter-started /gnu/store/s62d5lbr6sb7x0mxhhdwf13in7yi8mbc-libgit2-0.26.0.tar.xz /gnu/store/vir3lrwqy50pr8fkaf3m091dgbrja2n6-guix-0.13.0/libexec/guix/substitute
Downloading https://mirror.hydra.gnu.org/guix/nar/s62d5lbr6sb7x0mxhhdwf13in7yi8mbc-libgit2-0.26.0.tar.xz (2.7MiB installed)...
 libgit2-0.26.0.tar.xz  2.7MiB                                                                                                  2.3MiB/s 00:01 [####################] 100.0%

@ substituter-succeeded /gnu/store/s62d5lbr6sb7x0mxhhdwf13in7yi8mbc-libgit2-0.26.0.tar.xz
/gnu/store/s62d5lbr6sb7x0mxhhdwf13in7yi8mbc-libgit2-0.26.0.tar.xz

^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#28749: guix build --subsitute-urls does not override guix-daemon run with --no-subsitutes
  2017-10-08 17:13 bug#28749: guix build --subsitute-urls does not override guix-daemon run with --no-subsitutes Drashne
@ 2017-10-09 19:20 ` Leo Famulari
  2017-10-13 13:59   ` Maxim Cournoyer
  0 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2017-10-09 19:20 UTC (permalink / raw)
  To: Drashne; +Cc: 28749-done

[-- Attachment #1: Type: text/plain, Size: 1596 bytes --]

On Sun, Oct 08, 2017 at 01:13:16PM -0400, Drashne wrote:
> From the kind people on #guix, I've heard that "guix build
> --subsitute-urls" should override "guix-daemon --no-subsitutes", but
> it seems it's not doing so for me.

The documentation of guix-daemon [0] says this on the subject:

"When the daemon runs with --no-substitutes, clients can still
explicitly enable substitution via the set-build-options remote
procedure call (see The Store)."

So, there is a way for unprivileged users to enable substitution for
themselves even when the local administrator has disabled substitution,
but it's not via the --substitute-urls mechanism.

I'm closing this bug because I think it's mostly a case of having
received mistaken advice on #guix.

[0]
https://www.gnu.org/software/guix/manual/html_node/Invoking-guix_002ddaemon.html#Invoking-guix_002ddaemon

> Here's the situation I ran in to:
> 
> While doing a "./pre-inst-env guix pull" I got an error about:
> 
>   output path `/gnu/store/53lj4z9cavl7n27r89zjnvyd8fk854kj-libgit2-0.26.0.tar.gz' should have sha256 hash `1fdk9yhwvl1w1z71ykzcvgh4nsf8scxcbclz5anh98zpplmhmisa', instead has `
> 1b3figbhp5l83vd37vq6j2narrq4yl9pfw6mw0px0dzb1hz3jqka'
> 
> So I tried "./pre-inst-env guix build --source libgit2 --substitute-urls=[https://mirror.hydra.gnu.org"](https://mirror.hydra.gnu.org)
> but it redirected me to https://codeload.github.com/libgit2/libgit2/tar.gz/v0.26.0
> which had the wrong hash.

We are discussing how to handle unstable upstream sources more
gracefully here:

https://bugs.gnu.org/28659

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#28749: guix build --subsitute-urls does not override guix-daemon run with --no-subsitutes
  2017-10-09 19:20 ` Leo Famulari
@ 2017-10-13 13:59   ` Maxim Cournoyer
  2017-10-13 21:54     ` Leo Famulari
  0 siblings, 1 reply; 6+ messages in thread
From: Maxim Cournoyer @ 2017-10-13 13:59 UTC (permalink / raw)
  To: 28749; +Cc: drashne

Leo Famulari <leo@famulari.name> writes:

> On Sun, Oct 08, 2017 at 01:13:16PM -0400, Drashne wrote:
>> From the kind people on #guix, I've heard that "guix build
>> --subsitute-urls" should override "guix-daemon --no-subsitutes", but
>> it seems it's not doing so for me.
>
> The documentation of guix-daemon [0] says this on the subject:
>
> "When the daemon runs with --no-substitutes, clients can still
> explicitly enable substitution via the set-build-options remote
> procedure call (see The Store)."
>
> So, there is a way for unprivileged users to enable substitution for
> themselves even when the local administrator has disabled substitution,
> but it's not via the --substitute-urls mechanism.
>
> I'm closing this bug because I think it's mostly a case of having
> received mistaken advice on #guix.

Eh, I'm sorry I was the one suggesting to open this bug report in the
first place!

Although, I would argue that the current behavior is
non-intuitive. While true that the manual skim about how one can achieve
this, the reference to "The Store" is not helpful; it doesn't even
mention the "set-build-options" procedure. Also, leaving the command
line to plug directly into Guix's API from Guile is inconvenient at best.

It seems to me that the current behavior of other options that affect
the guix-daemon operation are that user options override the
corresponding guix-daemon defaults; maybe that's what lead me and others
to think that --substitute-urls should attempt to do what the user
desires?

Otherwise, we could at least give advice on the output of a Guix command
when the user passed --substitute-urls when the guix-daemon substitutes
were disabled to make this clear(er).

My 2 cents,

Maxim

^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#28749: guix build --subsitute-urls does not override guix-daemon run with --no-subsitutes
  2017-10-13 13:59   ` Maxim Cournoyer
@ 2017-10-13 21:54     ` Leo Famulari
  2017-10-14 13:23       ` Ricardo Wurmus
  0 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2017-10-13 21:54 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: drashne, 28749

[-- Attachment #1: Type: text/plain, Size: 1043 bytes --]

On Fri, Oct 13, 2017 at 09:59:18AM -0400, Maxim Cournoyer wrote:
> Although, I would argue that the current behavior is
> non-intuitive. While true that the manual skim about how one can achieve
> this, the reference to "The Store" is not helpful; it doesn't even
> mention the "set-build-options" procedure. Also, leaving the command
> line to plug directly into Guix's API from Guile is inconvenient at best.
> 
> It seems to me that the current behavior of other options that affect
> the guix-daemon operation are that user options override the
> corresponding guix-daemon defaults; maybe that's what lead me and others
> to think that --substitute-urls should attempt to do what the user
> desires?

Yeah, maybe it should be changed to be consistent with the behavior of
the other options.

> Otherwise, we could at least give advice on the output of a Guix command
> when the user passed --substitute-urls when the guix-daemon substitutes
> were disabled to make this clear(er).

Agreed, we should at least do that.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#28749: guix build --subsitute-urls does not override guix-daemon run with --no-subsitutes
  2017-10-13 21:54     ` Leo Famulari
@ 2017-10-14 13:23       ` Ricardo Wurmus
  2017-10-14 16:41         ` Leo Famulari
  0 siblings, 1 reply; 6+ messages in thread
From: Ricardo Wurmus @ 2017-10-14 13:23 UTC (permalink / raw)
  To: Leo Famulari; +Cc: drashne, Maxim Cournoyer, 28749


Leo Famulari <leo@famulari.name> writes:

> On Fri, Oct 13, 2017 at 09:59:18AM -0400, Maxim Cournoyer wrote:
>> Although, I would argue that the current behavior is
>> non-intuitive. While true that the manual skim about how one can achieve
>> this, the reference to "The Store" is not helpful; it doesn't even
>> mention the "set-build-options" procedure. Also, leaving the command
>> line to plug directly into Guix's API from Guile is inconvenient at best.
>>
>> It seems to me that the current behavior of other options that affect
>> the guix-daemon operation are that user options override the
>> corresponding guix-daemon defaults; maybe that's what lead me and others
>> to think that --substitute-urls should attempt to do what the user
>> desires?
>
> Yeah, maybe it should be changed to be consistent with the behavior of
> the other options.

I don’t know.  Substitute sources have to authorized before downloaded
substitutes are accepted by the daemon.  This authorization happens as
the root user, as it constitutes a system-wide change.

When the daemon is run by the root user to disable substitutes
system-wide, maybe we should not let users override that decision, just
like we don’t let them override from what server binaries are to be
accepted.

I’m not convinced by the reasoning above, but I’d like to offer this
thought for consideration anyway.

>> Otherwise, we could at least give advice on the output of a Guix command
>> when the user passed --substitute-urls when the guix-daemon substitutes
>> were disabled to make this clear(er).
>
> Agreed, we should at least do that.

Yes, this is a good idea.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#28749: guix build --subsitute-urls does not override guix-daemon run with --no-subsitutes
  2017-10-14 13:23       ` Ricardo Wurmus
@ 2017-10-14 16:41         ` Leo Famulari
  0 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2017-10-14 16:41 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: drashne, Maxim Cournoyer, 28749

[-- Attachment #1: Type: text/plain, Size: 643 bytes --]

On Sat, Oct 14, 2017 at 03:23:45PM +0200, Ricardo Wurmus wrote:
> I don’t know.  Substitute sources have to authorized before downloaded
> substitutes are accepted by the daemon.  This authorization happens as
> the root user, as it constitutes a system-wide change.

I was thinking of situations where the subsitute signing key is
authorized, but substitutes are disabled system-wide.

I don't have a use case for this configuration but, to me, it doesn't
seem far-fetched for multi-user systems. Maybe the administrator is
willing to let users trust substitutes, but doesn't want to do it for
the privileged Guix installation.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2017-10-14 16:43 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-10-08 17:13 bug#28749: guix build --subsitute-urls does not override guix-daemon run with --no-subsitutes Drashne
2017-10-09 19:20 ` Leo Famulari
2017-10-13 13:59   ` Maxim Cournoyer
2017-10-13 21:54     ` Leo Famulari
2017-10-14 13:23       ` Ricardo Wurmus
2017-10-14 16:41         ` Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).