From: Mark H Weaver
Subject: bug#22990: Grafts leads to inefficient substitute info retrieval
Date: Tue, 15 Mar 2016 14:49:55 -0400
Message-ID: <8737rrmv8s.fsf@netris.org>
To: Ludovic Courtès
Cc: Alex Kost, 22990@debbugs.gnu.org

ludo@gnu.org (Ludovic Courtès) writes:

> Alex Kost writes:
>
>> Ludovic Courtès (2016-03-11 19:52 +0300) wrote:
>>
>>> As of right now (v0.9.0-2007-g66a30a3), ‘graft-derivation’ works either by:
>>>
>>>   1. Fetching substitute info about the things being built so that it
>>>      can determine its references, which in turn allows it to determine
>>>      whether they need to be grafted.
>>>
>>>   2. Building stuff, as a last resort, so that it can determine its
>>>      references.
>>
>> I noticed that #1 is happening even with --no-substitutes option.  Is it
>> intended?
>
> Not really, but I see this is because ‘substitutable-path-info’ (called
> from ‘references/substitutes’, called from ‘graft-derivation’) works
> regardless of whether substitutes are enabled:
>
>   scheme@(guile-user)> ,use(guix)
>   scheme@(guile-user)> (define s (open-connection))
>   scheme@(guile-user)> (set-build-options s #:use-substitutes? #f)
>   $2 = #t
>   scheme@(guile-user)> (valid-path? s "/gnu/store/qf2lm7jpiiyygxz8zq0r1ca1fazv6smn-mutt-1.5.24")
>   $3 = #f
>   scheme@(guile-user)> (substitutable-path-info s '("/gnu/store/qf2lm7jpiiyygxz8zq0r1ca1fazv6smn-mutt-1.5.24"))
>   $4 = (#< path: "/gnu/store/qf2lm7jpiiyygxz8zq0r1ca1fazv6smn-mutt-1.5.24" deriver: "/gnu/store/jcl9c3w463xa2g963q5a60rrd97y1g28-mutt-1.5.24.drv" refs: ("/gnu/store/3gmzl5jpk700hqyr8p3kfg0vgcnw8d97-libassuan-2.4.2" "/gnu/store/b02lmk67jq1vcflk2m2bwzc8gmwmndqp-ncurses-6.0" "/gnu/store/d3xdc2w87yw3raafwb9q34gxx4xqci8k-cyrus-sasl-2.1.26" "/gnu/store/pkasxagsa4z4viscfpl6sjszmdmwncl1-gcc-4.9.3-lib" "/gnu/store/qf2lm7jpiiyygxz8zq0r1ca1fazv6smn-mutt-1.5.24" "/gnu/store/qvx4q6lbwi4s3cwr8wqaa7kcva0a5c4b-openssl-1.0.2f" "/gnu/store/sb40mddkia0brc814xkbnhxccfm32q3a-gpgme-1.6.0" "/gnu/store/sgzfawy95pfn7nsw3xvmca58llm5zzbc-glibc-2.22" "/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1" "/gnu/store/x8dmdlrn5qn0wrbcnngj55y3ab73h0pp-bash-4.3.42" "/gnu/store/zpxg45dq67psrn4wmfk4l635h0si8q63-libgpg-error-1.21") dl-size: 0 nar-size: 6661016>)

Is the information from the substitute server authenticated by checking
hydra's signature against the list of keys in /etc/guix/acls?

The reason I ask is that if the set of runtime dependencies received is
incomplete, it could lead to incorrect grafting, namely that references
to compromised libraries could be retained.

> However, substitutes are not downloaded, so in this regard
> --no-substitutes is honored.

It depends on the intent of --no-substitutes.  If the intent is to avoid
trusting the substitute server, then by relying on the accuracy of the
runtime dependency data from Hydra, we are failing to honor that intent.

That said, I think it's okay to document that --no-substitutes alone is
not sufficient to avoid trusting a substitute server, and that the
proper way to accomplish that is to make sure its key is not in
/etc/guix/acls.

What do you think?

    Thanks,
      Mark
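
The concern raised in this message, as an added example that is not part of the original e-mail and is not Guix code: a simplified Python model of graft selection showing how a reference list that omits one entry changes the grafting decision. Assumptions: store item names are shortened (hashes dropped), the graph is constructed sample data, and openssl is assumed to have a security replacement.

```python
# Simplified model of graft selection; this is NOT Guix's implementation.
# All data below is constructed for illustration.

def closure(item, refs_of):
    """Return every store item reachable from `item` through its references."""
    seen, stack = set(), [item]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue  # also handles self-references such as mutt -> mutt
        seen.add(cur)
        stack.extend(refs_of.get(cur, ()))
    return seen

def needs_graft(item, refs_of, grafted):
    """An item must be rewritten if anything it can reach has a replacement."""
    return bool((closure(item, refs_of) - {item}) & grafted)

def missed_grafts(items, claimed, actual, grafted):
    """Items the claimed metadata leaves alone although their real
    references reach a replaced item."""
    return sorted(
        i for i in items
        if needs_graft(i, actual, grafted) and not needs_graft(i, claimed, grafted)
    )

# References as they really are (constructed, loosely following the REPL output).
ACTUAL = {
    "mutt-1.5.24": ["mutt-1.5.24", "openssl-1.0.2f", "gpgme-1.6.0", "glibc-2.22"],
    "gpgme-1.6.0": ["libassuan-2.4.2", "glibc-2.22"],
    "openssl-1.0.2f": ["glibc-2.22"],
    "libassuan-2.4.2": ["glibc-2.22"],
    "glibc-2.22": [],
}

# Reference info as received without authentication: one entry is missing.
CLAIMED = dict(ACTUAL)
CLAIMED["mutt-1.5.24"] = [r for r in ACTUAL["mutt-1.5.24"] if r != "openssl-1.0.2f"]

GRAFTED = {"openssl-1.0.2f"}  # assumption: this item has a replacement

if __name__ == "__main__":
    print("graft mutt (actual refs): ", needs_graft("mutt-1.5.24", ACTUAL, GRAFTED))
    print("graft mutt (claimed refs):", needs_graft("mutt-1.5.24", CLAIMED, GRAFTED))
    print("missed:", missed_grafts(ACTUAL, CLAIMED, ACTUAL, GRAFTED))
```

With the complete reference list mutt is selected for grafting; with the incomplete one it is not, so it would keep pointing at the unreplaced openssl. This is why the reference metadata needs the same authentication as the substitute itself.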