[TIL] guix doesn't check hash when uri starts with file:///

[TIL] guix doesn't check hash when uri starts with file:///

[Rodrigo Morales]

I've opened this thread to share something which I've learned with
other Guix users.

I'm currently making some modifications to the source code of zathura
, which is a PDF viewer. The original Guix package is called
=zathura=. In that direction, I've defined the following package
definition.

#+BEGIN_SRC scheme
(define-module (my packages experiments-zathura-custom)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (gnu packages pdf)
  #:use-module (gnu packages gnome))

(define-public zathura-custom
  (package
   (inherit zathura)
   (name "zathura-custom")
   (version "4.0")
   (source
    (origin
     (method url-fetch)
     (uri "file:///home/rdrg/my/git-repos/zathura")
     (sha256
      (base32
       "0000000000000000000000000000000000000000000000000000"))))
   (native-inputs
    (modify-inputs
     (package-native-inputs zathura)
     (prepend json-glib)))))
#+END_SRC

The actual hash of the directory =file:///home/rdrg/my/git-repos/zathura= is
=0jc8iivcahq7izbcxr1kf3gjxlzkmf8ccrq54pv6v13h5wjk56jk2=, but I wrote
=0000000000000000000000000000000000000000000000000000= and I can still
the package by executing the following command (see proof below).

#+BEGIN_SRC sh
guix package --no-substitutes -L ~/my/git-repos/guix-packages/ -i zathura-custom
#+END_SRC

#+RESULTS:
#+BEGIN_EXAMPLE
The following package will be upgraded:
   zathura-custom 3.0 → my-version-1

The following derivation will be built:
  /gnu/store/nbqq72vkrjjw4vpdsbckyvk5cxk4add6-zathura-custom-my-version-1.drv

building /gnu/store/nbqq72vkrjjw4vpdsbckyvk5cxk4add6-zathura-custom-my-version-1.drv...
The following derivation will be built:
  /gnu/store/9sasyz1dp9qj2gaz9i2qrjzvnhyrl7pj-profile.drv

applying 19 grafts for zathura-custom-my-version-1 ...
building CA certificate bundle...
listing Emacs sub-directories...
building fonts directory...
generating GdkPixbuf loaders cache...
generating GLib schema cache...
creating GTK+ icon theme cache...
building cache files for GTK+ input methods...
building directory of Info manuals...
building XDG desktop file cache...
building XDG MIME database...
building profile with 6 packages...
hint: Consider setting the necessary environment variables by running:

     GUIX_PROFILE="/home/rdrg/.guix-profile"
     . "$GUIX_PROFILE/etc/profile"

Alternately, see `guix package --search-paths -p "/home/rdrg/.guix-profile"'.
#+END_EXAMPLE

#+BEGIN_SRC sh
echo $?
#+END_SRC

#+RESULTS:
#+BEGIN_EXAMPLE
0
#+END_EXAMPLE

Now when I change the =uri= so that it starts with =https= (please see
below) and I try to install the package, I get the error shown below.

#+BEGIN_SRC scheme
(define-module (my packages experiments-zathura-custom)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (gnu packages pdf)
  #:use-module (gnu packages gnome))

(define-public zathura-custom
  (package
   (inherit zathura)
   (name "zathura-custom")
   (version "my-version-3")
   (source
    (origin
     (method url-fetch)
     (uri "https://pwmt.org/projects/zathura/download/zathura-0.5.2.tar.xz")
     (sha256
      (base32
       "0000000000000000000000000000000000000000000000000000"))))
   (native-inputs
    (modify-inputs
     (package-native-inputs zathura)
     (prepend json-glib)))))
#+END_SRC

#+BEGIN_SRC sh
guix package --no-substitutes -L ~/my/git-repos/guix-packages/ -i zathura-custom
#+END_SRC

#+RESULTS:
#+BEGIN_EXAMPLE
The following package will be upgraded:
   zathura-custom my-version-2 → my-version-3

The following derivations will be built:
  /gnu/store/32prmnm2f65wv3vg645c321884qz6991-zathura-custom-my-version-3.drv
  /gnu/store/1lk541cdiv7q1zfwzjql4ail5dhvrzc6-zathura-0.5.2.tar.xz.drv

building /gnu/store/1lk541cdiv7q1zfwzjql4ail5dhvrzc6-zathura-0.5.2.tar.xz.drv...
\sha256 hash mismatch for
/gnu/store/3y83i49y4inc7iclg8x3pv1nnchvsjlx-zathura-0.5.2.tar.xz:
  expected hash: 0000000000000000000000000000000000000000000000000000
  actual hash:   15314m9chmh5jkrd9vk2h2gwcwkcffv2kjcxkd4v3wmckz5sfjy6
hash mismatch for store item
'/gnu/store/3y83i49y4inc7iclg8x3pv1nnchvsjlx-zathura-0.5.2.tar.xz'
build of /gnu/store/1lk541cdiv7q1zfwzjql4ail5dhvrzc6-zathura-0.5.2.tar.xz.drv
failed
View build log at
'/var/log/guix/drvs/1l/k541cdiv7q1zfwzjql4ail5dhvrzc6-zathura-0.5.2.tar.xz.drv.gz'.
cannot build derivation
`/gnu/store/32prmnm2f65wv3vg645c321884qz6991-zathura-custom-my-version-3.drv':
1 dependencies couldn't be built
guix package: error: build of
`/gnu/store/32prmnm2f65wv3vg645c321884qz6991-zathura-custom-my-version-3.drv'
failed
#+END_EXAMPLE

#+BEGIN_SRC sh
$ echo $?
#+END_SRC

#+RESULTS:
#+BEGIN_EXAMPLE
1
#+END_EXAMPLE

From the information shown above, I conclude that =guix= doesn't check
hash correctness when a URI starts with =file:///= but it does when it
starts with =https://=. (Please, correct me if I'm wrong.)

I personally like this behavior because I'm currently editing the
source code of Zathura and I wouldn't like to edit the package
definition to insert the correct hash whenever I make a change in any
of the files of the project directory.

This is not mentioned in the Info manual, but I think it should be
mentioned. The Info node that documents =url-fetch= is "(guix) origin
Reference".

Re: [TIL] guix doesn't check hash when uri starts with file:///

[Simon Tournier]

Hi,

On Wed, 20 Sep 2023 at 19:18, Rodrigo Morales <moralesrodrigo1100@gmail.com> wrote:

> #+BEGIN_SRC scheme
> (define-module (my packages experiments-zathura-custom)
>   #:use-module (guix packages)
>   #:use-module (guix download)
>   #:use-module (gnu packages pdf)
>   #:use-module (gnu packages gnome))
>
> (define-public zathura-custom
>   (package
>    (inherit zathura)
>    (name "zathura-custom")
>    (version "4.0")
>    (source
>     (origin
>      (method url-fetch)
>      (uri "file:///home/rdrg/my/git-repos/zathura")
>      (sha256
>       (base32
>        "0000000000000000000000000000000000000000000000000000"))))
>    (native-inputs
>     (modify-inputs
>      (package-native-inputs zathura)
>      (prepend json-glib)))))
> #+END_SRC

Here, is ’file:///home/rdrg/my/git-repos/zathura’ a file or a directory?


> The following package will be upgraded:
>    zathura-custom 3.0 → my-version-1

I am surprised because it is 4.0 and below my-version-3.  Maybe you
mixed your tests when reporting?


> I personally like this behavior because I'm currently editing the
> source code of Zathura and I wouldn't like to edit the package
> definition to insert the correct hash whenever I make a change in any
> of the files of the project directory.

You might be interested by --help-transform.  For instance,

--8<---------------cut here---------------start------------->8---
$ guix build zathura --with-source=zathura=/tmp/zathura-custom/zathura-mine.tar.xz 
The following derivation will be built:
  /gnu/store/h3j2l2zqp1shyk2ls59dp7zgz7dzp9vp-zathura-0.5.2.drv
building /gnu/store/h3j2l2zqp1shyk2ls59dp7zgz7dzp9vp-zathura-0.5.2.drv...
WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
starting phase `set-SOURCE-DATE-EPOCH'
phase `set-SOURCE-DATE-EPOCH' succeeded after 0.0 seconds
starting phase `set-paths'

[...]

successfully built /gnu/store/h3j2l2zqp1shyk2ls59dp7zgz7dzp9vp-zathura-0.5.2.drv
The following graft will be made:
   /gnu/store/8w2zzg4bb9qpf039srl83yfawkiakib4-zathura-0.5.2.drv
applying 19 grafts for zathura-0.5.2 ...
grafting '/gnu/store/6mkarn9hj5f8y3i5h9p7w2paf6r32199-zathura-0.5.2' -> '/gnu/store/jws5p175m3s70v3cnsabnf920icd03q9-zathura-0.5.2'...
successfully built /gnu/store/8w2zzg4bb9qpf039srl83yfawkiakib4-zathura-0.5.2.drv
/gnu/store/jws5p175m3s70v3cnsabnf920icd03q9-zathura-0.5.2
--8<---------------cut here---------------end--------------->8---


> This is not mentioned in the Info manual, but I think it should be
> mentioned. The Info node that documents =url-fetch= is "(guix) origin
> Reference".

Well, I do not think it is an expected behaviour.  And I am not able to
reproduced as reported in <https://issues.guix.gnu.org/issue/66633>.

Cheers,
simon