From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=) Subject: bug#32942: nss-certs not deterministic Date: Wed, 05 Dec 2018 15:01:25 +0100 Message-ID: <87woooxebu.fsf@gnu.org> References: <3974e5005881951012bb5e55a5bfabe2@lepiller.eu> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:58523) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gUXkZ-0002cz-Pr for bug-guix@gnu.org; Wed, 05 Dec 2018 09:02:09 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gUXkY-0007N4-Fp for bug-guix@gnu.org; Wed, 05 Dec 2018 09:02:03 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:57226) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1gUXkY-0007Mv-Av for bug-guix@gnu.org; Wed, 05 Dec 2018 09:02:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1gUXkY-0001S5-7A for bug-guix@gnu.org; Wed, 05 Dec 2018 09:02:02 -0500 Sender: "Debbugs-submit" Resent-Message-ID: In-Reply-To: <3974e5005881951012bb5e55a5bfabe2@lepiller.eu> (Julien Lepiller's message of "Fri, 05 Oct 2018 10:17:45 +0200") List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Julien Lepiller Cc: 32942@debbugs.gnu.org --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hello, Julien Lepiller skribis: > While updating a profile, I found that nss-certs was not > deterministic. From ludo: > > $ wget -O - -q=20 > https://mirror.hydra.gnu.org/mbs5mavs3gi4y7xkywcwwjj9g3p1yjmv.narinfo| gr= ep Hash > NarHash: sha256:101v69xp1qzw9v6pgmbhw7gfdaic8vvs4v5l567lx7f2mjp25rla > $ wget -O - -q=20 > https://berlin.guixsd.org/mbs5mavs3gi4y7xkywcwwjj9g3p1yjmv.narinfo | > grep Hash > NarHash: sha256:08ziz714diyfq2klxy1nc0nhr5wa2vd356n9vizlq913a7an9a9s As shown above, berlin and hydra disagree on nss-certs. The difference is an encoding bug: --8<---------------cut here---------------start------------->8--- $ wget -O - https://berlin.guixsd.org/nar/gzip/xbj4fhad0lnz0ziflwi90gyqbls8= ains-nss-certs-3.39 |gunzip -c |guix archive -x /tmp/nss-certs.berlin $ wget -O - https://mirror.hydra.gnu.org/nar/gzip/xbj4fhad0lnz0ziflwi90gyqb= ls8ains-nss-certs-3.39 |gunzip -c |guix archive -x /tmp/nss-certs.hydra $ diff -ru /tmp/nss-certs.{hydra,berlin} Only in /tmp/nss-certs.hydra/etc/ssl/certs: AC_Ra=C3=ADz_Certic=C3=A1mara_S= .A.:2.15.7.126.82.147.123.224.21.227.87.240.105.140.203.236.12.pem Only in /tmp/nss-certs.berlin/etc/ssl/certs: AC_Ra?z_Certic?mara_S.A.:2.15.= 7.126.82.147.123.224.21.227.87.240.105.140.203.236.12.pem Only in /tmp/nss-certs.hydra/etc/ssl/certs: NetLock_Arany_=3DClass_Gold=3D_= F=C5=91tan=C3=BAs=C3=ADtv=C3=A1ny:2.6.73.65.44.228.0.16.pem Only in /tmp/nss-certs.berlin/etc/ssl/certs: NetLock_Arany_=3DClass_Gold=3D= _F?tan?s?tv?ny:2.6.73.65.44.228.0.16.pem --8<---------------cut here---------------end--------------->8--- The problem was already reported as and since commit 412701b0e5e073e6767eed162c14698db99df69c (July 2017) =E2=80=98= guix publish=E2=80=99 on GuixSD runs in a UTF-8 locale to avoid that problem. The faulty narinfo/nar on berlin were generated on Oct. 17, 2018, so clearly the above commit was in effect. Indeed, after removing them and regenerating them, I=E2=80=99m still getting 08ziz714diyfq2klxy1nc0nhr5wa2vd356n9vizlq913a7an9a9s (aka. the wrong hash). On closer inspection the problem is elsewhere: the /gnu/store/xbj4fhad0lnz0ziflwi90gyqbls8ains-nss-certs-3.39 directory on berlin has question marks in file names, so =E2=80=98guix publish=E2=80=99 = is not to blame; instead the problem likely comes from =E2=80=98guix offload=E2=80=99. Indeed =E2=80=98guix-daemon=E2=80=99 and its child processes such as =E2=80= =98guix offload=E2=80=99 run with an empty environment, and thus in the C locale. Specifically, =E2=80=98restore-file-set=E2=80=99 on the build farm front-end must be the = one substituting question marks to the non-ASCII characters. If this analysis is correct, the patch below should fix it. I=E2=80=99ll t= ry it later. Thanks, Ludo=E2=80=99. --=-=-= Content-Type: text/x-patch Content-Disposition: inline diff --git a/gnu/services/base.scm b/gnu/services/base.scm index cee9898d79..9fe64e8087 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -1603,7 +1603,15 @@ failed to register public key '~a': ~a~%" key status)))))))) '()) #$@(if tmpdir (list (string-append "TMPDIR=" tmpdir)) - '())) + '()) + + ;; Make sure we run in a UTF-8 locale so that 'guix + ;; offload' correctly restores nars that contain UTF-8 + ;; file names such as 'nss-certs'. See + ;; . + (string-append "GUIX_LOCPATH=" + #$glibc-utf8-locales "/lib/locale") + "LC_ALL=en_US.utf8") #:log-file #$log-file)) (stop #~(make-kill-destructor)))))) --=-=-=--