Down with /bin/sh!

Down with /bin/sh!

[Ludovic Courtès]

Hello {N,Gu}ixers, and happy new year!

The ‘core-updates’ branch of Guix now makes it possible to build
packages in a chroot lacking /bin/sh.

It’s convenient to have /bin/sh in the chroot, because that’s basically
one of the files whose name is hardcoded in many places, from libc to
shebangs.

However, the problem with /bin/sh is that it’s out of control.  On
non-NixOS distros, it’s not necessarily Bash.  Someone with Dash as
/bin/sh may have different results than someone Bash as /bin/sh.  That’s
an “impurity”, with practical consequences on build reproducibility.

Another issue on non-NixOS distros is that /bin/sh is typically a
dynamically-linked executable.  So adding /bin to the chroot is not
enough; one typically needs to also add /lib* and /lib/*-linux-gnu to
the chroot.  At that point, there are many impurities, and a great
potential for non-reproducibility–which defeats the purpose of the chroot.


So, here’s how this is solved in ‘core-updates’.

  • Right after unpacking a source tarball, all the source files go
    through ‘patch-shebang’, which replaces any #!/bin/sh and similar
    with the right path.

  • Once configure has run, all makefiles that define the ‘SHELL’
    variable are patched similarly.

The GNU build system supports ‘CONFIG_SHELL’ and ‘SHELL’, which
simplifies things (info "(autoconf) config.status Invocation").

Occasionally, packages have references to /bin/sh elsewhere, which need
to be patched as well, notably:

  • the ‘system’ and ‘popen’ functions in the GNU libc;

  • the ‘default_shell’ variable in GNU make;

  • io.c in GNU Awk;

  • ice-9/popen.scm in GNU Guile.

For libc, referring to the compile-time Bash would retain a dependency
on the bootstrap environment.  So glibc is changed to contain a copy of
a statically-linked Bash in its store path, which it can refer to
(thanks to Shea and Lluís for the suggestion).

The bootstrap libc and awk need a different trick, though, since they
must be relocated (IOW, their path is not known in advance.)  The trick
is to search for ‘sh’ in $PATH, with these simple patches:

  http://git.savannah.gnu.org/cgit/guix.git/tree/distro/packages/patches/glibc-bootstrap-system.patch?h=core-updates
  http://git.savannah.gnu.org/cgit/guix.git/tree/distro/packages/patches/gawk-shell.patch?h=core-updates

(For security reasons, these patches are /not/ used in the final libc
and awk.)

So far, it seems that little or no manual tweaking is needed beyond the
above, so hopefully it’ll scale.  The main advantage is that it makes it
possible to use Guix reliably on non-NixOS distros; even on a distro
like NixOS, that’s one less impurity, and thus improved reproducibility.

Thanks,
Ludo’.

Re: Down with /bin/sh!

[Rob Vermaas]

[-- Attachment #1.1: Type: text/plain, Size: 701 bytes --]

Hi Ludo,

  • Right after unpacking a source tarball, all the source files go
>     through ‘patch-shebang’, which replaces any #!/bin/sh and similar
>     with the right path.
>

I would not like such a change in stdenv of nixpkgs, without an option to
disable this. For example, we use nix to build some packages that run
outside of nix, and for those, we do not want to replace all the references
to /bin/sh in all source files/scripts. I haven't thought of it much, but
in general I would like an approach better that would *not* change the
source code of packages by default, but only when it is really necessary.

Cheers,
Rob

-- 
Rob Vermaas

[email] rob.vermaas@gmail.com

[-- Attachment #1.2: Type: text/html, Size: 1045 bytes --]

[-- Attachment #2: Type: text/plain, Size: 149 bytes --]

_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: Down with /bin/sh!

[Ludovic Courtès]

Hi Rob!

Rob Vermaas <rob.vermaas@gmail.com> skribis:

>   • Right after unpacking a source tarball, all the source files go
>>     through ‘patch-shebang’, which replaces any #!/bin/sh and similar
>>     with the right path.
>>
>
> I would not like such a change in stdenv of nixpkgs, without an option to
> disable this. For example, we use nix to build some packages that run
> outside of nix, and for those, we do not want to replace all the references
> to /bin/sh in all source files/scripts.

I’m not sure what you mean by “run outside of Nix”.

The files that are patched are source files anyway.  Nixpkgs already has
a patch-shebang phase for installed files, which is what users notice.

> I haven't thought of it much, but in general I would like an approach
> better that would *not* change the source code of packages by default,
> but only when it is really necessary.

Well yeah, it’s a bit of a sledgehammer approach.  Still, it works
like a charm, and feels just like a natural extension of all our
craziness.  :-)

Thanks,
Ludo’.
_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev