bug#27261: guix package -u should warn about non-existent packages

bug#27261: guix package -u should warn about non-existent packages

[Mark H Weaver]

In order to guard against users unwittingly using old software with
unpatched security flaws, "guix package -u" should issue a warning if
any packages in the profile that match the provided patterns are not
found in the set of available packages.

       Mark

bug#27261: guix package -u should warn about non-existent packages

[Ludovic Courtès]

Mark H Weaver <mhw@netris.org> skribis:

> In order to guard against users unwittingly using old software with
> unpatched security flaws, "guix package -u" should issue a warning if
> any packages in the profile that match the provided patterns are not
> found in the set of available packages.

Fixed in a1b46bdc069e6e3bbc5b171fafbc40213611ff1f, thanks!

Ludo’.

bug#27261: guix package -u should warn about non-existent packages

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1292 bytes --]

On Sun, Jun 25, 2017 at 10:30:10PM +0200, Ludovic Courtès wrote:
> Mark H Weaver <mhw@netris.org> skribis:
> > In order to guard against users unwittingly using old software with
> > unpatched security flaws, "guix package -u" should issue a warning if
> > any packages in the profile that match the provided patterns are not
> > found in the set of available packages.
> 
> Fixed in a1b46bdc069e6e3bbc5b171fafbc40213611ff1f, thanks!

I noticed this doesn't work in some cases, although I'm not sure exactly
when it will work and when it won't.

I ran `guix pull` after this missing package warning was implemented,
but before I pushed afc9d8ec2b724b67f (gnu: Add jmtpfs).

I installed jmtpfs from a Git checkout, and then ran `guix package -u .`

As expected, Guix complained that the jmtpfs package does not exist.

However, it did not complain about the syncthing package in my profile,
even though syncthing is not available in Guix. The syncthing package is
on a branch that's not checked out, and there is no stray
'gnu/packages/syncthing.go' file.

I thought it might be caused by the presence of the qsyncthingtray
package in Guix (not in my profile), but even after I deleted that
package and rebuilt Guix from a fresh checkout, I still had this
problem.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#27261: guix package -u should warn about non-existent packages

[Ludovic Courtès]

Hello,

Leo Famulari <leo@famulari.name> skribis:

> I ran `guix pull` after this missing package warning was implemented,
> but before I pushed afc9d8ec2b724b67f (gnu: Add jmtpfs).
>
> I installed jmtpfs from a Git checkout, and then ran `guix package -u .`
>
> As expected, Guix complained that the jmtpfs package does not exist.
>
> However, it did not complain about the syncthing package in my profile,
> even though syncthing is not available in Guix. The syncthing package is
> on a branch that's not checked out, and there is no stray
> 'gnu/packages/syncthing.go' file.

Could you check whether “guix package -A syncthing” shows it there?  The
warning should appear as soon as we’re upgrading a package that’s
missing.

Thanks,
Ludo’.

bug#27261: guix package -u should warn about non-existent packages

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1012 bytes --]

On Mon, Jun 26, 2017 at 10:01:03AM +0200, Ludovic Courtès wrote:
> Could you check whether “guix package -A syncthing” shows it there?  The
> warning should appear as soon as we’re upgrading a package that’s
> missing.

I get no results when I do `./pre-inst-env guix package -A syncthing`
from the repo where I removed qsyncthingtray.

`guix package -A syncthing` shows a result for qsyncthingtray, because
that is a "plain" Guix, from `guix pull`, set up as described in Binary
Installation:

$ ls -l $(which guix)
lrwxrwxrwx 1 root staff 54 Aug 14  2015 /usr/local/bin/guix -> /var/guix/profiles/per-user/root/guix-profile/bin/guix
$ ls -l ~/.config/guix/latest 
lrwxrwxrwx 1 leo leo 55 Jun 25 19:19 /home/leo/.config/guix/latest -> /gnu/store/jbrn4pixmrqmqk8jmx533cnqhjhm17sb-guix-latest

But, that's not the Guix that I expect to be queried for packages. Maybe
there is some unexpected interaction between the various copies of Guix?

I'll try this on GuixSD today or tomrrow.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#27261: guix package -u should warn about non-existent packages

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 755 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Mon, Jun 26, 2017 at 10:01:03AM +0200, Ludovic Courtès wrote:
>> Could you check whether “guix package -A syncthing” shows it there?  The
>> warning should appear as soon as we’re upgrading a package that’s
>> missing.
>
> I get no results when I do `./pre-inst-env guix package -A syncthing`
> from the repo where I removed qsyncthingtray.

I just came across this today too on a GuixSD system. `guix package -u`
warned that my not-yet-upstream "icedtea-web" package does not exist,
but had no problem with "chromium" installed the same way.

No GUIX_PACKAGE_PATH, and ~/.config/guix/latest is a symlink to a `guix
pull` build. The packages were installed through `./pre-inst-env`.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

bug#27261: guix package -u should warn about non-existent packages

[Ludovic Courtès]

Marius Bakke <mbakke@fastmail.com> skribis:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Mon, Jun 26, 2017 at 10:01:03AM +0200, Ludovic Courtès wrote:
>>> Could you check whether “guix package -A syncthing” shows it there?  The
>>> warning should appear as soon as we’re upgrading a package that’s
>>> missing.
>>
>> I get no results when I do `./pre-inst-env guix package -A syncthing`
>> from the repo where I removed qsyncthingtray.
>
> I just came across this today too on a GuixSD system. `guix package -u`
> warned that my not-yet-upstream "icedtea-web" package does not exist,
> but had no problem with "chromium" installed the same way.
>
> No GUIX_PACKAGE_PATH, and ~/.config/guix/latest is a symlink to a `guix
> pull` build. The packages were installed through `./pre-inst-env`.

Hmm it all depends on whether the packages are visible to Guix via
GUIX_PACKAGE_PATH.  Are you using the same Guix in both cases?  No
‘sudo’?

Ludo’.

bug#27261: guix package -u should warn about non-existent packages

[Ludovic Courtès]

Hi Leo,

Leo Famulari <leo@famulari.name> skribis:

> On Mon, Jun 26, 2017 at 10:01:03AM +0200, Ludovic Courtès wrote:
>> Could you check whether “guix package -A syncthing” shows it there?  The
>> warning should appear as soon as we’re upgrading a package that’s
>> missing.
>
> I get no results when I do `./pre-inst-env guix package -A syncthing`
> from the repo where I removed qsyncthingtray.

So does “./pre-inst-env guix package -u syncthing” raise a warning?
It should.

> `guix package -A syncthing` shows a result for qsyncthingtray, because
> that is a "plain" Guix, from `guix pull`, set up as described in Binary
> Installation:
>
> $ ls -l $(which guix)
> lrwxrwxrwx 1 root staff 54 Aug 14  2015 /usr/local/bin/guix -> /var/guix/profiles/per-user/root/guix-profile/bin/guix
> $ ls -l ~/.config/guix/latest 
> lrwxrwxrwx 1 leo leo 55 Jun 25 19:19 /home/leo/.config/guix/latest -> /gnu/store/jbrn4pixmrqmqk8jmx533cnqhjhm17sb-guix-latest
>
> But, that's not the Guix that I expect to be queried for packages. Maybe
> there is some unexpected interaction between the various copies of Guix?

I don’t think so.  But maybe I’m missing something!

Ludo’.