Hey Guix,

Here's some additional information.

Diego Nicola Barbato writes:

> The attached patch fixes a bug where e.g.
>
>   guix build -s i686-linux ffmpeg
>
> builds a different derivation on i686-linux than on x86_64-linux.  This
> doesn't just affect ffmpeg but a whole class of packages which use or
> depend on a package that uses 'url-fetch/tarbomb' or 'url-fetch/zipbomb'
> as the origin method of its source.  That's around 334 packages, among
> them diffoscope, enlightenment, gnome, ungoogled-chromium, and wine.

The number (348 for commit 151f3d4) and full list of affected packages
can be computed by loading the attached script [0] into `guix repl' and
running `(show-affected-packages)'.

> The problem is fixed by explicitly passing the correct #:system and
> #:guile-for-build to 'gexp->derivation' (as is done in other origin
> methods such as 'git-fetch' or 'hg-fetch').
>
> This shouldn't trigger any rebuilds as it only affects the behaviour of
> `guix build -s $system $package' if $system differs from the system type
> of Guix itself.

A closer look at some derivations and outputs suggests that this patch
will actually trigger rebuilds for all affected packages on all systems
except x86_64 because the build farm currently builds the wrong
derivations as can be seen for e.g. QEMU by comparing the build on
Cuirass

  https://ci.guix.gnu.org/build/2442001/details

with the derivations computed by

  guix build -s i686-linux --no-grafts -d qemu

on i686-linux and x86_64-linux (commit 151f3d4) respectively:

Cuirass:
  /gnu/store/wc2k8h4iahbnfvl35220hvdx6mc70v7l-qemu-4.2.0.drv
  /gnu/store/fjg87f21qdzi7h5pqsxpd6rlf9mcy58h-qemu-4.2.0      <~

i686-linux:
  /gnu/store/019ccjdh1nxfkpjyzwmirvif1ra9v3lh-qemu-4.2.0.drv
  /gnu/store/8a0cg5ip9967y54gkwskfxmiwwk9mf1b-qemu-4.2.0

x86_64-linux:
  /gnu/store/iajzrw7lahcyhgyr7anmcjxa33607nqh-qemu-4.2.0.drv
  /gnu/store/fjg87f21qdzi7h5pqsxpd6rlf9mcy58h-qemu-4.2.0      <~

Consequently no substitutes are available for the affected packages on
systems other than x86_64-linux as witnessed by the different number of
available substitutes reported by

  guix weather -s i686-linux -m tarbomb-zipbomb-manifest-small.scm

on i686-linux

--8<---------------cut here---------------start------------->8---
computing 37 package derivations for i686-linux...
looking for 37 store items on https://ci.guix.gnu.org...
https://ci.guix.gnu.org
  18.9% substitutes available (7 out of 37)
  at least 2.3 MiB of nars (compressed)
  5.1 MiB on disk (uncompressed)
  0.001 seconds per request (0.0 seconds in total)
  1028.5 requests per second
  'https://ci.guix.gnu.org/api/queue?nr=1000' returned 504 ("Gateway Time-out")
--8<---------------cut here---------------end--------------->8---

and on x86_64-linux

--8<---------------cut here---------------start------------->8---
computing 37 package derivations for i686-linux...
looking for 37 store items on https://ci.guix.gnu.org...
https://ci.guix.gnu.org
  81.1% substitutes available (30 out of 37)
  at least 165.9 MiB of nars (compressed)
  423.3 MiB on disk (uncompressed)
  0.001 seconds per request (0.1 seconds in total)
  703.3 requests per second
  'https://ci.guix.gnu.org/api/queue?nr=1000' returned 504 ("Gateway Time-out")
--8<---------------cut here---------------end--------------->8---

I have attached manifest files for the packages directly using
`url-fetch/tarbomb' or `url-fetch/zipbomb' [1] and for all affected
packages [2] (they use the aforementioned script).

I think this patch can go on master even though it triggers more than
300 rebuilds, since there are currently no substitutes available for the
affected packages anyway.

Regards,

Diego

PS I hope I got all the terminology (e.g. computing vs. building a
derivation) right.

[0]: