* Need help from Java-developers @ 2017-04-13 11:29 Hartmut Goebel 2017-04-23 8:41 ` Chris Marusich 0 siblings, 1 reply; 33+ messages in thread From: Hartmut Goebel @ 2017-04-13 11:29 UTC (permalink / raw) To: guix-devel [-- Attachment #1: Type: text/plain, Size: 2024 bytes --] Hi, as bootstrapping maven progresses (see my other post), the need for help from Java-developers arises. To finish all the work to be done after maven bootstrapping, some experienced Java developers are needed. The following questions need to be answered. * Designing the maven-build-system as follows: o How to maven commands map to our build phases? Should they map, should there be new ones? o Is there a need to clean up the pom-files prior to building, e.g. remove version numbers? o How to make the maven-build-system to never ever include other jar? Perhaps we need to post-process the generated jars. o How to handle pom-files (see below) * Which naming conventions should be used for packages? Maven has the notion of "group-id" and "atrtifact". Should this be kept? OTOH, there are very common packages like "commons-io" aka "apache-commons-io". * Where should the repo-files be kept in Guix? Debian seems to bot them into a dir-structure which I assume is leaned on some file-structure in the maven central repository. See <https://wiki.debian.org/Java/MavenRepoSpec> <https://wiki.debian.org/Java/MavenRepoHelper> and <https://packages.debian.org/jessie/maven-repo-helper> * Where to keep the pom-files? Are there other files we need (I've seen "effective pom", and "maven-fragments" in other distros)? Can or should we strip these files, like Debian seems to to with the maven-repo-helper? If so: What do we need? can this be done in guix, is there a maven-plugin, or …? * Help finding official sources, homepages, etc. for all packages. For many packages the data in the pom is outdated, since e.b. codehaus.org and code.google.com are gone. Please comment! -- Regards Hartmut Goebel | Hartmut Goebel | h.goebel@crazy-compilers.com | | www.crazy-compilers.com | compilers which you thought are impossible | [-- Attachment #2: 0xBF773B65.asc --] [-- Type: application/pgp-keys, Size: 15087 bytes --] ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: Need help from Java-developers 2017-04-13 11:29 Need help from Java-developers Hartmut Goebel @ 2017-04-23 8:41 ` Chris Marusich 2017-04-23 22:57 ` Chris Marusich 2017-04-25 8:44 ` Need help from Java-developers Ricardo Wurmus 0 siblings, 2 replies; 33+ messages in thread From: Chris Marusich @ 2017-04-23 8:41 UTC (permalink / raw) To: Hartmut Goebel; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 4334 bytes --] Hi Hartmut, I want to help, but I'm not sure how much help I can actually provide. I'm familiar with Java, but I've only worked a little bit with Maven. Please forgive me if I say anything that is inaccurate or naive! You probably know more about Maven than I do. Hartmut Goebel <h.goebel@crazy-compilers.com> writes: > Hi, > > as bootstrapping maven progresses (see my other post), the need for help > from Java-developers arises. > > To finish all the work to be done after maven bootstrapping, some > experienced Java developers are needed. The following questions need to > be answered. > > * Designing the maven-build-system as follows: > o How to maven commands map to our build phases? Should they map, > should there be new ones? I'm not sure, but whatever seems simplest and works is probably a good place to start. > o Is there a need to clean up the pom-files prior to building, > e.g. remove version numbers? Why would that be necessary? Will the presence of the version numbers interfere with the build somehow? > o How to make the maven-build-system to never ever include other > jar? Perhaps we need to post-process the generated jars. Speaking of JAR files, shouldn't we try to avoid them entirely? My understanding is that they are compressed files, which means the Guix daemon won't be able to scan them for references. I don't know if it's easy to use Maven to build a project without putting the build output into a JAR file, though. > o How to handle pom-files (see below) > > * Which naming conventions should be used for packages? Maven has the > notion of "group-id" and "atrtifact". Should this be kept? OTOH, > there are very common packages like "commons-io" aka > "apache-commons-io". Whatever is simplest to do is a good place to start. I think the name of the Guix package is what matters most, right? So, maybe the Guix package definition for apache-commons-io would be "java-apache-commons-io", but internally within Maven it would use some other name? I think this is less important than getting it working in the first place, so I have no strong opinions on this. > > * Where should the repo-files be kept in Guix? Debian seems to bot > them into a dir-structure which I assume is leaned on some > file-structure in the maven central repository. See > <https://wiki.debian.org/Java/MavenRepoSpec> > <https://wiki.debian.org/Java/MavenRepoHelper> and > <https://packages.debian.org/jessie/maven-repo-helper> > Am I correct in understanding that the "repo-filess" are the files that Maven uses for doing stuff like fulfilling the dependencies defined in the POM file? If so, then I guess we would need to pick an arbitrary subdirectory to use for this purpose, and that is where all Maven-built outputs will go. Would that work? Is it possible to create a "manifest of files" (e.g., an environment variable that points to many different locations in the store) that we can provide to the "maven-build-system"? If we could do that, maybe we could trick Maven into treating that collection of files (residing in the store) as its repository. It would be nice if we did not have to propagate all of the dependencies into a single directory just to enable Maven to discover them. > > * Where to keep the pom-files? Are there other files we need (I've > seen "effective pom", and "maven-fragments" in other distros)? Can > or should we strip these files, like Debian seems to to with the > maven-repo-helper? If so: What do we need? can this be done in guix, > is there a maven-plugin, or …? > I don't know. Does Maven expect the POM files for each project to reside in a specific location? > > * Help finding official sources, homepages, etc. for all >packages. For > many packages the data in the pom is outdated, since e.b. > codehaus.org and code.google.com are gone. For this, I'm sure it might be tough, but we will probably just have to figure it out on a case-by-case basis. I'm excited about the prospect of doing Java development with Guix. Thank you for helping to figure this complicated stuff out. I hope I can help a little, too. -- Chris [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: Need help from Java-developers 2017-04-23 8:41 ` Chris Marusich @ 2017-04-23 22:57 ` Chris Marusich 2017-04-25 19:28 ` JARs and reference scanning (was: Need help from Java-developers) Hartmut Goebel 2017-04-25 8:44 ` Need help from Java-developers Ricardo Wurmus 1 sibling, 1 reply; 33+ messages in thread From: Chris Marusich @ 2017-04-23 22:57 UTC (permalink / raw) To: Hartmut Goebel; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 1445 bytes --] Chris Marusich <cmmarusich@gmail.com> writes: >> o How to make the maven-build-system to never ever include other >> jar? Perhaps we need to post-process the generated jars. > > Speaking of JAR files, shouldn't we try to avoid them entirely? My > understanding is that they are compressed files, which means the Guix > daemon won't be able to scan them for references. I don't know if it's > easy to use Maven to build a project without putting the build output > into a JAR file, though. For the record, I looked into this a little more. I was mistaken: JAR files are not necessarily compressed. In fact, it seems [1][2] that it should always be possible to make un-compressed JARs. So, perhaps the Guix daemon will not have trouble scanning JARs for references, after all. (Whether or not any references will actually be retained in the JARs produced by Maven is another question; I don't know the answer.) [1] "The special value 0 instructs the packer to copy through the original JAR file directly, with no compression. The JSR 200 standard requires any unpacker to understand this special case as a pass-through of the entire archive." https://docs.oracle.com/javase/8/docs/api/java/util/jar/Pack200.Packer.html#EFFORT [2] "(Zero) Creates (c) or updates (u) the JAR file without using ZIP compression.": https://docs.oracle.com/javase/8/docs/technotes/tools/windows/jar.html -- Chris [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply [flat|nested] 33+ messages in thread
* JARs and reference scanning (was: Need help from Java-developers) 2017-04-23 22:57 ` Chris Marusich @ 2017-04-25 19:28 ` Hartmut Goebel 2017-04-26 5:34 ` JARs and reference scanning Chris Marusich 0 siblings, 1 reply; 33+ messages in thread From: Hartmut Goebel @ 2017-04-25 19:28 UTC (permalink / raw) To: Chris Marusich; +Cc: guix-devel Am 24.04.2017 um 00:57 schrieb Chris Marusich: > Chris Marusich <cmmarusich@gmail.com> writes: > >> Speaking of JAR files, shouldn't we try to avoid them entirely? My >> understanding is that they are compressed files, which means the Guix >> daemon won't be able to scan them for references. I don't know if it's >> easy to use Maven to build a project without putting the build output >> into a JAR file, though. > For the record, I looked into this a little more. I was mistaken: JAR > files are not necessarily compressed. In fact, it seems [1][2] that it > should always be possible to make un-compressed JARs. So, perhaps the > Guix daemon will not have trouble scanning JARs for references, after > all. (Whether or not any references will actually be retained in the > JARs produced by Maven is another question; I don't know the answer.) I have to admit that I do not know at all how the reference scanning and dependency-tracking in the store works. Regarding the jar-files ny understanding is: - JAR-files are Zip-files with additional data (as Ricardo already stated) - Zip-files can be used to store data without compressions (I assume this is what you are refering to). - My experience is that the contents of the JAR file can also be *unpacked* into the file-system, so not archives would be needed. Some Java guy might know better. I'm not sure it this is desired at all, though. - My understanding is that Java normally does not have any reference from one package (or jar-file) to another one. There is no such thing like "rpath" but is more like Python or Perl where the garbage collector AFAIK can not track references either. - According to [3, 2] the MANIFEST.INF file *may* specify a Class-Path containing the relative paths to other Jar-files. If this would help we *could* add references here, but the entry-length is limited to 65353 bytes, so we might hit this limit with the long paths of the store. - Fedora forbids to use this Class-Path entry in MANIFEST files [1]. - If it helps the garbage collector, we could add some ".dependencies" file alongside each Java package. But we don't do this for Python or Perl, either. [1] https://fedoraproject.org/wiki/Packaging:Java#No_class-path_in_MANIFEST.MF [2] https://en.wikipedia.org/wiki/JAR_(file_format)#Dependencies [3] http://docs.oracle.com/javase/6/docs/technotes/guides/jar/jar.html#JAR%20Manifest -- Regards Hartmut Goebel | Hartmut Goebel | h.goebel@crazy-compilers.com | | www.crazy-compilers.com | compilers which you thought are impossible | ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: JARs and reference scanning 2017-04-25 19:28 ` JARs and reference scanning (was: Need help from Java-developers) Hartmut Goebel @ 2017-04-26 5:34 ` Chris Marusich 2017-04-26 11:53 ` store reference detection (was Re: JARs and reference scanning) Thomas Danckaert 0 siblings, 1 reply; 33+ messages in thread From: Chris Marusich @ 2017-04-26 5:34 UTC (permalink / raw) To: Hartmut Goebel; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 3370 bytes --] Hartmut Goebel <h.goebel@crazy-compilers.com> writes: > Am 24.04.2017 um 00:57 schrieb Chris Marusich: >> Chris Marusich <cmmarusich@gmail.com> writes: >> >>> Speaking of JAR files, shouldn't we try to avoid them entirely? My >>> understanding is that they are compressed files, which means the Guix >>> daemon won't be able to scan them for references. I don't know if it's >>> easy to use Maven to build a project without putting the build output >>> into a JAR file, though. >> For the record, I looked into this a little more. I was mistaken: JAR >> files are not necessarily compressed. In fact, it seems [1][2] that it >> should always be possible to make un-compressed JARs. So, perhaps the >> Guix daemon will not have trouble scanning JARs for references, after >> all. (Whether or not any references will actually be retained in the >> JARs produced by Maven is another question; I don't know the answer.) > > I have to admit that I do not know at all how the reference scanning and > dependency-tracking in the store works. As I understand it, the mechanism used by the Guix daemon (and the Nix daemon) for scanning references doesn't work when the output of a derivation is scrambled in some way (e.g. compressed). Therefore, if we use JAR files, they should not be compressed. > Regarding the jar-files ny understanding is: > > - JAR-files are Zip-files with additional data (as Ricardo already stated) > - Zip-files can be used to store data without compressions (I assume > this is what you are refering to). > - My experience is that the contents of the JAR file can also be > *unpacked* into the file-system, so not archives would be needed. Some > Java guy might know better. I'm not sure it this is desired at all, though. > - My understanding is that Java normally does not have any reference > from one package (or jar-file) to another one. There is no such thing > like "rpath" but is more like Python or Perl where the garbage collector > AFAIK can not track references either. I don't think it's necessary to unpack them, as long as we can ensure they are not compressed. > - According to [3, 2] the MANIFEST.INF file *may* specify a Class-Path > containing the relative paths to other Jar-files. If this would help > we *could* add references here, but the entry-length is limited to > 65353 bytes, so we might hit this limit with the long paths of the > store. - Fedora forbids to use this Class-Path entry in MANIFEST > files [1]. - If it helps the garbage collector, we could add some > ".dependencies" file alongside each Java package. But we don't do this > for Python or Perl, either. That's an interesting idea. This would certainly make it clear which Java packages depend on which other packages (e.g., for garbage collection purposes), but this wouldn't by itself help Java (or Python, or Perl, etc.) actually find the classes. Some other stuff (propagation of inputs like we do with Python libraries, a Guix-managed CLASSPATH, a custom ClassLoader, etc.) would probably be needed to ensure that Java would be able to find the classes. Thank you for your work on this. It's easy for me to just give opinions, but you've actually done the real work. If I can find more time, I will try to look at what you've submitted to the list and help. -- Chris [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply [flat|nested] 33+ messages in thread
* store reference detection (was Re: JARs and reference scanning) 2017-04-26 5:34 ` JARs and reference scanning Chris Marusich @ 2017-04-26 11:53 ` Thomas Danckaert 2017-04-26 19:31 ` Maxim Cournoyer 2017-04-27 13:46 ` Ludovic Courtès 0 siblings, 2 replies; 33+ messages in thread From: Thomas Danckaert @ 2017-04-26 11:53 UTC (permalink / raw) To: cmmarusich; +Cc: guix-devel From: Chris Marusich <cmmarusich@gmail.com> Subject: Re: JARs and reference scanning Date: Tue, 25 Apr 2017 22:34:02 -0700 >> I have to admit that I do not know at all how the reference >> scanning and >> dependency-tracking in the store works. > > As I understand it, the mechanism used by the Guix daemon (and the > Nix > daemon) for scanning references doesn't work when the output of a > derivation is scrambled in some way (e.g. compressed). Therefore, > if we > use JAR files, they should not be compressed. The code scanning for reference is in nix/libstore/references.cc . It looks for base32 hashes encoded as character strings in the binaries. Could/should this be generalized somehow? Apart from compression, store filenames encoded with 16-bit character encodings also cause problems (can happen with Qt or WxWidgets). And the are probably more cases where it fails. Does it make sense to expand the reference detecting code (perhaps this would lead to too many different special cases?), or maybe provide a mechanism to force references when the daemon cannot detect them. I suppose you can always add a text file with a list of store items to the output, but maybe there's a more elegant way? Thomas ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-04-26 11:53 ` store reference detection (was Re: JARs and reference scanning) Thomas Danckaert @ 2017-04-26 19:31 ` Maxim Cournoyer 2017-04-27 13:46 ` Ludovic Courtès 1 sibling, 0 replies; 33+ messages in thread From: Maxim Cournoyer @ 2017-04-26 19:31 UTC (permalink / raw) To: guix-devel, Thomas Danckaert, cmmarusich On April 26, 2017 4:53:33 AM PDT, Thomas Danckaert <post@thomasdanckaert.be> wrote: [...] >The code scanning for reference is in nix/libstore/references.cc . >It looks for base32 hashes encoded as character strings in the >binaries. > >Could/should this be generalized somehow? Apart from compression, >store filenames encoded with 16-bit character encodings also cause >problems (can happen with Qt or WxWidgets). And the are probably >more cases where it fails. > >Does it make sense to expand the reference detecting code (perhaps >this would lead to too many different special cases?), or maybe >provide a mechanism to force references when the daemon cannot detect >them. I suppose you can always add a text file with a list of store >items to the output, but maybe there's a more elegant way? > >Thomas The text file idea with the dependencies that Hartmut proposed seems an elegant solution; it would make the reference searching process cheaper and available for any kind of format. ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-04-26 11:53 ` store reference detection (was Re: JARs and reference scanning) Thomas Danckaert 2017-04-26 19:31 ` Maxim Cournoyer @ 2017-04-27 13:46 ` Ludovic Courtès 2017-04-27 14:14 ` store reference detection Thomas Danckaert 2017-04-27 17:46 ` store reference detection (was Re: JARs and reference scanning) Hartmut Goebel 1 sibling, 2 replies; 33+ messages in thread From: Ludovic Courtès @ 2017-04-27 13:46 UTC (permalink / raw) To: Thomas Danckaert; +Cc: guix-devel Hello, Thomas Danckaert <post@thomasdanckaert.be> skribis: > From: Chris Marusich <cmmarusich@gmail.com> > Subject: Re: JARs and reference scanning > Date: Tue, 25 Apr 2017 22:34:02 -0700 > >>> I have to admit that I do not know at all how the reference >>> scanning and >>> dependency-tracking in the store works. >> >> As I understand it, the mechanism used by the Guix daemon (and the >> Nix >> daemon) for scanning references doesn't work when the output of a >> derivation is scrambled in some way (e.g. compressed). Therefore, >> if we >> use JAR files, they should not be compressed. > > The code scanning for reference is in nix/libstore/references.cc . It > looks for base32 hashes encoded as character strings in the binaries. > > Could/should this be generalized somehow? Apart from compression, > store filenames encoded with 16-bit character encodings also cause > problems (can happen with Qt or WxWidgets). And the are probably more > cases where it fails. Really? Qt/WxWidgets “hide” store references by default? > Does it make sense to expand the reference detecting code (perhaps > this would lead to too many different special cases?), or maybe > provide a mechanism to force references when the daemon cannot detect > them. I suppose you can always add a text file with a list of store > items to the output, but maybe there's a more elegant way? ‘propagated-inputs’ is one way to manually specify run-time references. It works at the package level and not at the store level—that is, the store item’s references are unaffected by what ‘propagated-inputs’ contains. It’s usually enough for our purposes though. In that sense, I think jars are comparable to Python/Perl libraries, which do not carry reference information by themselves and thus need a manually-provided ‘propagated-inputs’. WDYT? Ludo’. ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection 2017-04-27 13:46 ` Ludovic Courtès @ 2017-04-27 14:14 ` Thomas Danckaert 2017-04-27 17:46 ` store reference detection (was Re: JARs and reference scanning) Hartmut Goebel 1 sibling, 0 replies; 33+ messages in thread From: Thomas Danckaert @ 2017-04-27 14:14 UTC (permalink / raw) To: ludo; +Cc: guix-devel From: ludo@gnu.org (Ludovic Courtès) Subject: Re: store reference detection (was Re: JARs and reference scanning) Date: Thu, 27 Apr 2017 15:46:59 +0200 > Really? Qt/WxWidgets “hide” store references by default? Not by default. But there are cases were I've been bitten: - Qt has a “QStringLiteral”, which transforms your character literal to a UTF-16-encoded string at compile-time. For example the kdbusaddons source used such a literal to encode the kdeinit5 executable. (In this case I patched the code, replacing it by a regular string.) - Similarly, when I packaged DVDStyler (a wxWidgets program), I noticed it also uses wchar_t strings to encode the name of executables. (Here I used wrap-program to set the PATH, instead of embedding the full store location of the executables) >> Does it make sense to expand the reference detecting code (perhaps >> this would lead to too many different special cases?), or maybe >> provide a mechanism to force references when the daemon cannot >> detect >> them. I suppose you can always add a text file with a list of >> store >> items to the output, but maybe there's a more elegant way? > > ‘propagated-inputs’ is one way to manually specify run-time > references. > It works at the package level and not at the store level—that is, > the > store item’s references are unaffected by what ‘propagated-inputs’ > contains. It’s usually enough for our purposes though. > > In that sense, I think jars are comparable to Python/Perl libraries, > which do not carry reference information by themselves and thus > need a > manually-provided ‘propagated-inputs’. I think it's nice to avoid propagated inputs if possible, because they pollute the profile with things the user didn't strictly as for. So Hartmuts proposed workaround (embed dependencies in the .jar's, if it's really possible, and use a .deps text file in the store to enable reference detection) sounds better. Thomas ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-04-27 13:46 ` Ludovic Courtès 2017-04-27 14:14 ` store reference detection Thomas Danckaert @ 2017-04-27 17:46 ` Hartmut Goebel 2017-05-02 12:43 ` Ludovic Courtès 1 sibling, 1 reply; 33+ messages in thread From: Hartmut Goebel @ 2017-04-27 17:46 UTC (permalink / raw) To: guix-devel Am 27.04.2017 um 15:46 schrieb Ludovic Courtès: > ‘propagated-inputs’ is one way to manually specify run-time references. > It works at the package level and not at the store level—that is, the > store item’s references are unaffected by what ‘propagated-inputs’ > contains. It’s usually enough for our purposes though. I'm not sure if 'propagated-inputs' are enough. For example "python-passlib" as propagated-input python-py-bcrypt, but the later does not show up as reference, requisite nor referrer: $ ./pre-inst-env guix build --fallback python-passlib […] /gnu/store/n9h6wr1ydgz2a2az04jpswmnl756x48r-python-passlib-1.7.1 $ ./pre-inst-env guix gc -R /gnu/store/n9h6wr1ydgz2a2az04jpswmnl756x48r-python-passlib-1.7.1 /gnu/store/n9h6wr1ydgz2a2az04jpswmnl756x48r-python-passlib-1.7.1 $ ./pre-inst-env guix gc --references /gnu/store/n9h6wr1ydgz2a2az04jpswmnl756x48r-python-passlib-1.7.1 /gnu/store/n9h6wr1ydgz2a2az04jpswmnl756x48r-python-passlib-1.7.1 $ ./pre-inst-env guix gc --referrers /gnu/store/n9h6wr1ydgz2a2az04jpswmnl756x48r-python-passlib-1.7.1 /gnu/store/n9h6wr1ydgz2a2az04jpswmnl756x48r-python-passlib-1.7.1 -- Regards Hartmut Goebel | Hartmut Goebel | h.goebel@crazy-compilers.com | | www.crazy-compilers.com | compilers which you thought are impossible | ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-04-27 17:46 ` store reference detection (was Re: JARs and reference scanning) Hartmut Goebel @ 2017-05-02 12:43 ` Ludovic Courtès 2017-05-07 12:48 ` Hartmut Goebel 0 siblings, 1 reply; 33+ messages in thread From: Ludovic Courtès @ 2017-05-02 12:43 UTC (permalink / raw) To: Hartmut Goebel; +Cc: guix-devel Hartmut Goebel <h.goebel@crazy-compilers.com> skribis: > Am 27.04.2017 um 15:46 schrieb Ludovic Courtès: >> ‘propagated-inputs’ is one way to manually specify run-time references. >> It works at the package level and not at the store level—that is, the >> store item’s references are unaffected by what ‘propagated-inputs’ >> contains. It’s usually enough for our purposes though. > > I'm not sure if 'propagated-inputs' are enough. For example > "python-passlib" as propagated-input python-py-bcrypt, but the later > does not show up as reference, requisite nor referrer: Right, that’s what I meant by “not at the store level” above. Ludo’. ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-02 12:43 ` Ludovic Courtès @ 2017-05-07 12:48 ` Hartmut Goebel 2017-05-07 20:23 ` Chris Marusich 2017-05-12 6:18 ` Mark H Weaver 0 siblings, 2 replies; 33+ messages in thread From: Hartmut Goebel @ 2017-05-07 12:48 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel Am 02.05.2017 um 14:43 schrieb Ludovic Courtès: > Hartmut Goebel <h.goebel@crazy-compilers.com> skribis: > >> Am 27.04.2017 um 15:46 schrieb Ludovic Courtès: >>> ‘propagated-inputs’ is one way to manually specify run-time references. >>> It works at the package level and not at the store level—that is, the >>> store item’s references are unaffected by what ‘propagated-inputs’ >>> contains. It’s usually enough for our purposes though. >> I'm not sure if 'propagated-inputs' are enough. For example >> "python-passlib" as propagated-input python-py-bcrypt, but the later >> does not show up as reference, requisite nor referrer: > Right, that’s what I meant by “not at the store level” above. > > Ludo’. So I propose to add a small text file ".guix-dependencies' to all language's packages which do not add some kind of references themselves: Python, Perl, Java, etc. Question: How can the builder access the "propagated" inputs only? -- Regards Hartmut Goebel | Hartmut Goebel | h.goebel@crazy-compilers.com | | www.crazy-compilers.com | compilers which you thought are impossible | ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-07 12:48 ` Hartmut Goebel @ 2017-05-07 20:23 ` Chris Marusich 2017-05-08 7:06 ` Ricardo Wurmus 2017-05-12 6:18 ` Mark H Weaver 1 sibling, 1 reply; 33+ messages in thread From: Chris Marusich @ 2017-05-07 20:23 UTC (permalink / raw) To: Hartmut Goebel; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 3742 bytes --] Hartmut Goebel <h.goebel@crazy-compilers.com> writes: > Am 02.05.2017 um 14:43 schrieb Ludovic Courtès: >> Hartmut Goebel <h.goebel@crazy-compilers.com> skribis: >> >>> Am 27.04.2017 um 15:46 schrieb Ludovic Courtès: >>>> ‘propagated-inputs’ is one way to manually specify run-time references. >>>> It works at the package level and not at the store level—that is, the >>>> store item’s references are unaffected by what ‘propagated-inputs’ >>>> contains. It’s usually enough for our purposes though. >>> I'm not sure if 'propagated-inputs' are enough. For example >>> "python-passlib" as propagated-input python-py-bcrypt, but the later >>> does not show up as reference, requisite nor referrer: >> Right, that’s what I meant by “not at the store level” above. >> >> Ludo’. > So I propose to add a small text file ".guix-dependencies' to all > language's packages which do not add some kind of references themselves: > Python, Perl, Java, etc. What is the goal of doing this? If the goal is simply to make it so that the daemon will know what references are live, I'm not sure it's necessary, since the "propagated inputs" mechanism already accomplishes that goal. If the goal is to enable interpreters like Python, Perl, Java, etc. to discover their program's dependencies (e.g., so Java can import classes), then simply adding a .guix-dependencies file is not sufficient by itself. We would also need "something else" that (using the .guix-dependencies file) arranges for the relevant interpreter to discover those specified dependencies. As far as I know, no design for that "something else" has been proposed. Currently, our options are limited because we are relying on the default import mechanism for our interpreters. For example, in the case of Python, I believe we are using "propagated inputs" so that the default import mechanism finds the modules. (Please correct me if I'm mistaken.) If we were to modify the import mechanism, it might not be necessary to use propagated inputs at all. There are probably many ways to accomplish that. For example, in Java, perhaps we could implement a custom classloader. Or maybe we could patch the built-in class loading mechanism [1]. Similarly, in Python there are also ways to customize the import mechanism [2]. Perhaps Perl also has a similar mechanism? This kind of low-level fiddling might sound drastic, but it isn't without precedent. Nix has already demonstrated that customizing the dynamic linker [3] and the ELF executable files [4] is not a crazy idea. In fact, Nix and Guix wouldn't work without such customizations. So, maybe it's time we thought about "fiddling" with the way these interpreters (Java, Python, Perl, etc.) find their dependencies, too. [1] These classes appear to be involved in the default loading process, so they would be the place to start looking, I think: http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/687fd7c7986d/src/share/classes/sun/misc/Launcher.java#l259 http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/687fd7c7986d/src/share/classes/java/net/URLClassLoader.java#l356 http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/687fd7c7986d/src/share/classes/sun/misc/URLClassPath.java#l62 [2] https://docs.python.org/3/reference/import.html#importsystem [3] https://sandervanderburg.blogspot.co.uk/2015/10/deploying-prebuilt-binary-software-with.html [4] https://github.com/NixOS/patchelf > > Question: How can the builder access the "propagated" inputs only? Can you clarify what you mean? I don't understand the question, and I don't want to assume you meant one thing when you actually meant something different. -- Chris [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-07 20:23 ` Chris Marusich @ 2017-05-08 7:06 ` Ricardo Wurmus 2017-05-08 14:11 ` Ludovic Courtès 2017-05-11 8:41 ` Chris Marusich 0 siblings, 2 replies; 33+ messages in thread From: Ricardo Wurmus @ 2017-05-08 7:06 UTC (permalink / raw) To: Chris Marusich; +Cc: guix-devel Chris Marusich <cmmarusich@gmail.com> writes: > There are probably many ways to accomplish that. For example, in Java, > perhaps we could implement a custom classloader. Or maybe we could > patch the built-in class loading mechanism [1]. Similarly, in Python > there are also ways to customize the import mechanism [2]. Perhaps Perl > also has a similar mechanism? Jar files can be told to import classes from another Jar by adding it to the “Class-Path” field of the Jar’s manifest. Here’s an example: https://docs.oracle.com/javase/tutorial/deployment/jar/downman.html I don’t know if this mechanism permits the use of absolute paths, but it’s worth a try. I should note that this doesn’t help with store reference detection, because the manifest will be part of the compressed Jar. But if this works we could avoid propagation for Java packages. -- Ricardo GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC https://elephly.net ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-08 7:06 ` Ricardo Wurmus @ 2017-05-08 14:11 ` Ludovic Courtès 2017-05-11 8:41 ` Chris Marusich 1 sibling, 0 replies; 33+ messages in thread From: Ludovic Courtès @ 2017-05-08 14:11 UTC (permalink / raw) To: Ricardo Wurmus; +Cc: guix-devel Ricardo Wurmus <rekado@elephly.net> skribis: > Chris Marusich <cmmarusich@gmail.com> writes: > >> There are probably many ways to accomplish that. For example, in Java, >> perhaps we could implement a custom classloader. Or maybe we could >> patch the built-in class loading mechanism [1]. Similarly, in Python >> there are also ways to customize the import mechanism [2]. Perhaps Perl >> also has a similar mechanism? > > Jar files can be told to import classes from another Jar by adding it to > the “Class-Path” field of the Jar’s manifest. Likewise, Guile 2.2 uses ELF for its .go files. It does not support RUNPATH yet, but we could add support for it I suppose. Ludo’. ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-08 7:06 ` Ricardo Wurmus 2017-05-08 14:11 ` Ludovic Courtès @ 2017-05-11 8:41 ` Chris Marusich 2017-05-11 11:27 ` Ricardo Wurmus 2017-05-12 9:35 ` Hartmut Goebel 1 sibling, 2 replies; 33+ messages in thread From: Chris Marusich @ 2017-05-11 8:41 UTC (permalink / raw) To: Ricardo Wurmus; +Cc: guix-devel [-- Attachment #1.1: Type: text/plain, Size: 3031 bytes --] Hi Ricardo, Ricardo Wurmus <rekado@elephly.net> writes: > Chris Marusich <cmmarusich@gmail.com> writes: > >> There are probably many ways to accomplish that. For example, in Java, >> perhaps we could implement a custom classloader. Or maybe we could >> patch the built-in class loading mechanism [1]. Similarly, in Python >> there are also ways to customize the import mechanism [2]. Perhaps Perl >> also has a similar mechanism? > > Jar files can be told to import classes from another Jar by adding it to > the “Class-Path” field of the Jar’s manifest. > > Here’s an example: > https://docs.oracle.com/javase/tutorial/deployment/jar/downman.html I didn't know this! That's awesome; it might be just what we need. > I don’t know if this mechanism permits the use of absolute paths, but > it’s worth a try. I should note that this doesn’t help with store > reference detection, because the manifest will be part of the compressed > Jar. But if this works we could avoid propagation for Java packages. Preliminary testing shows that this does in fact work. See the attached tarball; when you run "make" on its extracted contents, you can verify for yourself that it works (don't forget to do 'guix -i icedtea:jdk'): --8<---------------cut here---------------start------------->8--- [0] marusich@garuda:~ $ java -cp /tmp/embed-absolute-classpath-in-jar/Main.jar Main Hello world! [0] marusich@garuda:~ $ jar -tvf /tmp/embed-absolute-classpath-in-jar/Main.jar 0 Thu May 11 01:35:26 PDT 2017 META-INF/ 131 Thu May 11 01:35:26 PDT 2017 META-INF/MANIFEST.MF 309 Thu May 11 01:35:26 PDT 2017 Main.class [0] marusich@garuda:~ $ jar -tvf /tmp/embed-absolute-classpath-in-jar/Greeter.jar 0 Thu May 11 01:35:28 PDT 2017 META-INF/ 69 Thu May 11 01:35:28 PDT 2017 META-INF/MANIFEST.MF 396 Thu May 11 01:35:26 PDT 2017 Greeter.class [0] marusich@garuda:~ $ grep /tmp/embed-absolute-classpath-in-jar /tmp/embed-absolute-classpath-in-jar/* Binary file /tmp/embed-absolute-classpath-in-jar/Main.jar matches /tmp/embed-absolute-classpath-in-jar/Main.txt:Class-Path: /tmp/embed-absolute-classpath-in-jar/Greeter.jar [0] marusich@garuda:~ $ strings /tmp/embed-absolute-classpath-in-jar/Main.jar | grep /tmp/embed-absolute-classpath-in-jar Class-Path: /tmp/embed-absolute-classpath-in-jar/Greeter.jar [0] marusich@garuda:~ $ --8<---------------cut here---------------end--------------->8--- Based on this test, it looks like we can embed absolute paths in uncompressed JAR files. This is great! It means that if we can package Java libraries in this way, we won't need to propagate inputs for Java libraries (because Java will find the classes via the embedded Class-Path values), and the usual reference scanning mechanism will just work (because the JAR files are not compressed). I don't know what limits there are on the number of entries one can put into the Class-Path line, but hopefully that won't be an issue. -- Chris [-- Attachment #1.2: embed-absolute-classpath-in-jar.tar.xz --] [-- Type: application/octet-stream, Size: 1228 bytes --] [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-11 8:41 ` Chris Marusich @ 2017-05-11 11:27 ` Ricardo Wurmus 2017-05-12 6:54 ` Chris Marusich 2017-05-12 9:35 ` Hartmut Goebel 1 sibling, 1 reply; 33+ messages in thread From: Ricardo Wurmus @ 2017-05-11 11:27 UTC (permalink / raw) To: Chris Marusich; +Cc: guix-devel Chris Marusich <cmmarusich@gmail.com> writes: >> Jar files can be told to import classes from another Jar by adding it to >> the “Class-Path” field of the Jar’s manifest. >> >> Here’s an example: >> https://docs.oracle.com/javase/tutorial/deployment/jar/downman.html > > I didn't know this! That's awesome; it might be just what we need. […] Thanks for testing this! One limitation appears to be that this only works for applications, not for libraries. This could be a problem for us. We don’t really need this urgently for applications if we automatically generate shell wrappers (as we do for Python executables). It would be interesting to know if this could be used for libraries as well, so that the application in the end does not need to know about all transitive dependencies, but only its first-level dependencies. -- Ricardo GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC https://elephly.net ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-11 11:27 ` Ricardo Wurmus @ 2017-05-12 6:54 ` Chris Marusich 2017-05-12 8:21 ` Ricardo Wurmus 0 siblings, 1 reply; 33+ messages in thread From: Chris Marusich @ 2017-05-12 6:54 UTC (permalink / raw) To: Ricardo Wurmus; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 2151 bytes --] Ricardo Wurmus <rekado@elephly.net> writes: > Chris Marusich <cmmarusich@gmail.com> writes: > >>> Jar files can be told to import classes from another Jar by adding it to >>> the “Class-Path” field of the Jar’s manifest. >>> >>> Here’s an example: >>> https://docs.oracle.com/javase/tutorial/deployment/jar/downman.html >> >> I didn't know this! That's awesome; it might be just what we need. > […] > > Thanks for testing this! > > One limitation appears to be that this only works for applications, not > for libraries. In what way does this not work for libraries? I'm not criticizing you; I'm genuinely curious. To ask this question another way: how would a solution that "works for libraries" behave, exactly? I'm not sure what the phrase "it works for libraries" might mean, since I suspect its meaning varies depending on what one is trying to accomplish. > This could be a problem for us. We don’t really need this urgently > for applications if we automatically generate shell wrappers (as we do > for Python executables). > I agree. > It would be interesting to know if this could be used for libraries as > well, so that the application in the end does not need to know about all > transitive dependencies, but only its first-level dependencies. I think there are at least two concrete goals here. I would phrase them as follows: 1) I can run Java applications (built with Guix). 2) I can use Java libraries (built with Guix) in an IDE to develop Java applications. We can accomplish (1) by using wrapper scripts. I suppose we could also maybe accomplish (1) by using JARs with embedded classpaths, but as long as wrapper scripts are sufficient, it isn't really necessary to do this. As for (2), I think it's probably trickier, since the exact way in which an IDE might want to be informed about the dependencies of a project may vary. I'm still not sure how I would develop Java applications using Java libraries built with Guix, without putting in a lot of manual effort to tell my IDE where the dependencies live. Surely there is a way... -- Chris [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-12 6:54 ` Chris Marusich @ 2017-05-12 8:21 ` Ricardo Wurmus 0 siblings, 0 replies; 33+ messages in thread From: Ricardo Wurmus @ 2017-05-12 8:21 UTC (permalink / raw) To: Chris Marusich; +Cc: guix-devel Chris Marusich <cmmarusich@gmail.com> writes: > Ricardo Wurmus <rekado@elephly.net> writes: > >> Chris Marusich <cmmarusich@gmail.com> writes: >> >>>> Jar files can be told to import classes from another Jar by adding it to >>>> the “Class-Path” field of the Jar’s manifest. >>>> >>>> Here’s an example: >>>> https://docs.oracle.com/javase/tutorial/deployment/jar/downman.html >>> >>> I didn't know this! That's awesome; it might be just what we need. >> […] >> >> Thanks for testing this! >> >> One limitation appears to be that this only works for applications, not >> for libraries. > > In what way does this not work for libraries? I'm not criticizing you; > I'm genuinely curious. To ask this question another way: how would a > solution that "works for libraries" behave, exactly? I'm not sure what > the phrase "it works for libraries" might mean, since I suspect its > meaning varies depending on what one is trying to accomplish. What I mean is that it may not be transitive. Let’s say “java-foo” depends on “java-hamcrest-core”, so we record the absolute path to the hamcrest core jar in the Class-Path field of the manifest. Now let’s also say that the application “java-bar” depends on “java-foo”, but not directly on “java-hamcrest-core”. Now what I wonder about is whether we would need to record the paths to the jars of both “java-foo” *and* “java-hamcrest-core” in the Class-Path field of the manifest for “java-bar”, or if it would be sufficient to record “java-foo". Would Java respect the Class-Path for all dependencies recursively within their scope? Is this ‘lexically scoped’ (i.e. the specified class path will apply only for the jar on whose manifest it was specified) or will Java traverse all Class-Path fields and create one concatenated big class path that is used to resolve all classes? In the latter case there could be conflicts when one node in the graph demands *one* version of a jar and some other node demands the classes from a *different* jar to be used. Maybe none of this is implemented and all Class-Path does is tell the current *application* where to get its dependencies; in that case the Class-Path field would just be an alternative to using a shell wrapper that sets the CLASSPATH environment variable. Does this make it a little clearer? -- Ricardo GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC https://elephly.net ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-11 8:41 ` Chris Marusich 2017-05-11 11:27 ` Ricardo Wurmus @ 2017-05-12 9:35 ` Hartmut Goebel 2017-05-12 18:22 ` Mark H Weaver 1 sibling, 1 reply; 33+ messages in thread From: Hartmut Goebel @ 2017-05-12 9:35 UTC (permalink / raw) To: Chris Marusich, Ricardo Wurmus; +Cc: guix-devel Am 11.05.2017 um 10:41 schrieb Chris Marusich: > Based on this test, it looks like we can embed absolute paths in > uncompressed JAR files. Only the MANIFEST within the JAR file needs to be uncompressed, the remaining files can be compressed. JARs are zip files, which include data compressed individually, thus the above could be achieved. -- Regards Hartmut Goebel | Hartmut Goebel | h.goebel@crazy-compilers.com | | www.crazy-compilers.com | compilers which you thought are impossible | ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-12 9:35 ` Hartmut Goebel @ 2017-05-12 18:22 ` Mark H Weaver 2017-05-12 20:05 ` Hartmut Goebel 0 siblings, 1 reply; 33+ messages in thread From: Mark H Weaver @ 2017-05-12 18:22 UTC (permalink / raw) To: Hartmut Goebel; +Cc: guix-devel Hartmut Goebel <h.goebel@crazy-compilers.com> writes: > Am 11.05.2017 um 10:41 schrieb Chris Marusich: >> Based on this test, it looks like we can embed absolute paths in >> uncompressed JAR files. > > Only the MANIFEST within the JAR file needs to be uncompressed, the > remaining files can be compressed. > > JARs are zip files, which include data compressed individually, thus the > above could be achieved. If we leave the remaining files compressed, what will this mean for grafting? Might the compressed portions contain store references that will fail to be grafted? Mark ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-12 18:22 ` Mark H Weaver @ 2017-05-12 20:05 ` Hartmut Goebel 2017-05-12 21:24 ` Mark H Weaver 0 siblings, 1 reply; 33+ messages in thread From: Hartmut Goebel @ 2017-05-12 20:05 UTC (permalink / raw) To: Mark H Weaver; +Cc: guix-devel Am 12.05.2017 um 20:22 schrieb Mark H Weaver: > Might the compressed portions contain store references that > will fail to be grafted? Class files per se do not contain references to any JAR file AFAIK. For all other files (resources, etc.) its the same as for other programming languages -- Regards Hartmut Goebel | Hartmut Goebel | h.goebel@crazy-compilers.com | | www.crazy-compilers.com | compilers which you thought are impossible | ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-12 20:05 ` Hartmut Goebel @ 2017-05-12 21:24 ` Mark H Weaver 0 siblings, 0 replies; 33+ messages in thread From: Mark H Weaver @ 2017-05-12 21:24 UTC (permalink / raw) To: Hartmut Goebel; +Cc: guix-devel Hartmut Goebel <h.goebel@crazy-compilers.com> writes: > Am 12.05.2017 um 20:22 schrieb Mark H Weaver: >> Might the compressed portions contain store references that >> will fail to be grafted? > > Class files per se do not contain references to any JAR file AFAIK. For > all other files (resources, etc.) its the same as for other programming > languages Is it possible that class files might contain string literals whose values are determined at compile time? I don't know how things are done in the Java world, but in C and C++ and I guess many other languages, it is common for store references to become embedded in the source code before compilation. Mark ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-07 12:48 ` Hartmut Goebel 2017-05-07 20:23 ` Chris Marusich @ 2017-05-12 6:18 ` Mark H Weaver 2017-05-12 8:19 ` Chris Marusich 1 sibling, 1 reply; 33+ messages in thread From: Mark H Weaver @ 2017-05-12 6:18 UTC (permalink / raw) To: Hartmut Goebel; +Cc: guix-devel Hartmut Goebel <h.goebel@crazy-compilers.com> writes: > Am 02.05.2017 um 14:43 schrieb Ludovic Courtès: >> Hartmut Goebel <h.goebel@crazy-compilers.com> skribis: >> >>> Am 27.04.2017 um 15:46 schrieb Ludovic Courtès: >>>> ‘propagated-inputs’ is one way to manually specify run-time references. >>>> It works at the package level and not at the store level—that is, the >>>> store item’s references are unaffected by what ‘propagated-inputs’ >>>> contains. It’s usually enough for our purposes though. >>> I'm not sure if 'propagated-inputs' are enough. For example >>> "python-passlib" as propagated-input python-py-bcrypt, but the later >>> does not show up as reference, requisite nor referrer: >> Right, that’s what I meant by “not at the store level” above. >> >> Ludo’. > So I propose to add a small text file ".guix-dependencies' to all > language's packages which do not add some kind of references themselves: > Python, Perl, Java, etc. I have thought of doing this in the past, but there's another more difficult problem that would also need to be solved: how to make grafting work for these non-plaintext references. If grafting doesn't work, there's a good chance that software with known security flaws will continue to be executed. Mark ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-12 6:18 ` Mark H Weaver @ 2017-05-12 8:19 ` Chris Marusich 2017-05-12 9:46 ` store reference detection Hartmut Goebel 2017-05-12 17:39 ` store reference detection (was Re: JARs and reference scanning) Mark H Weaver 0 siblings, 2 replies; 33+ messages in thread From: Chris Marusich @ 2017-05-12 8:19 UTC (permalink / raw) To: Mark H Weaver; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 1986 bytes --] Mark H Weaver <mhw@netris.org> writes: > Hartmut Goebel <h.goebel@crazy-compilers.com> writes: > >> Am 02.05.2017 um 14:43 schrieb Ludovic Courtès: >>> Hartmut Goebel <h.goebel@crazy-compilers.com> skribis: >>> >>>> Am 27.04.2017 um 15:46 schrieb Ludovic Courtès: >>>>> ‘propagated-inputs’ is one way to manually specify run-time references. >>>>> It works at the package level and not at the store level—that is, the >>>>> store item’s references are unaffected by what ‘propagated-inputs’ >>>>> contains. It’s usually enough for our purposes though. >>>> I'm not sure if 'propagated-inputs' are enough. For example >>>> "python-passlib" as propagated-input python-py-bcrypt, but the later >>>> does not show up as reference, requisite nor referrer: >>> Right, that’s what I meant by “not at the store level” above. >>> >>> Ludo’. >> So I propose to add a small text file ".guix-dependencies' to all >> language's packages which do not add some kind of references themselves: >> Python, Perl, Java, etc. > > I have thought of doing this in the past, but there's another more > difficult problem that would also need to be solved: how to make > grafting work for these non-plaintext references. If grafting doesn't > work, there's a good chance that software with known security flaws will > continue to be executed. That's a good thing to keep in mind. I think that the references we're talking about putting into a ".guix-dependencies" file or into an uncompressed JAR file are in fact "plaintext" in the sense that these files are not using compression, encryption, esoteric encodings, or other obfuscations which might defeat the reference scanning or grafting mechanisms. I'm not convinced we need these things (a list of dependencies in ".guix-dependencies" or embedded classpaths in JAR files), but if we used them, I don't think it would interfere with reference scanning or grafting. Would it? -- Chris [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection 2017-05-12 8:19 ` Chris Marusich @ 2017-05-12 9:46 ` Hartmut Goebel 2017-05-12 17:39 ` store reference detection (was Re: JARs and reference scanning) Mark H Weaver 1 sibling, 0 replies; 33+ messages in thread From: Hartmut Goebel @ 2017-05-12 9:46 UTC (permalink / raw) To: Chris Marusich, Mark H Weaver; +Cc: guix-devel [-- Attachment #1.1: Type: text/plain, Size: 606 bytes --] Am 12.05.2017 um 10:19 schrieb Chris Marusich: > I'm not convinced we need these things (a list of > dependencies in ".guix-dependencies" or embedded classpaths in JAR > files), I'm convinced that we need such a beast, since references are not kept at all for quite some kind of packages. See <http://lists.gnu.org/archive/html/guix-devel/2017-04/msg00639.html> for an example with *not* working references. -- Regards Hartmut Goebel | Hartmut Goebel | h.goebel@crazy-compilers.com | | www.crazy-compilers.com | compilers which you thought are impossible | [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 801 bytes --] ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-12 8:19 ` Chris Marusich 2017-05-12 9:46 ` store reference detection Hartmut Goebel @ 2017-05-12 17:39 ` Mark H Weaver 2017-05-12 18:27 ` Leo Famulari 2017-05-12 19:54 ` Hartmut Goebel 1 sibling, 2 replies; 33+ messages in thread From: Mark H Weaver @ 2017-05-12 17:39 UTC (permalink / raw) To: Chris Marusich; +Cc: guix-devel Chris Marusich <cmmarusich@gmail.com> writes: > Mark H Weaver <mhw@netris.org> writes: > >> Hartmut Goebel <h.goebel@crazy-compilers.com> writes: >> >>> Am 02.05.2017 um 14:43 schrieb Ludovic Courtès: >>>> Hartmut Goebel <h.goebel@crazy-compilers.com> skribis: >>>> >>>>> Am 27.04.2017 um 15:46 schrieb Ludovic Courtès: >>>>>> ‘propagated-inputs’ is one way to manually specify run-time references. >>>>>> It works at the package level and not at the store level—that is, the >>>>>> store item’s references are unaffected by what ‘propagated-inputs’ >>>>>> contains. It’s usually enough for our purposes though. >>>>> I'm not sure if 'propagated-inputs' are enough. For example >>>>> "python-passlib" as propagated-input python-py-bcrypt, but the later >>>>> does not show up as reference, requisite nor referrer: >>>> Right, that’s what I meant by “not at the store level” above. >>>> >>>> Ludo’. >>> So I propose to add a small text file ".guix-dependencies' to all >>> language's packages which do not add some kind of references themselves: >>> Python, Perl, Java, etc. >> >> I have thought of doing this in the past, but there's another more >> difficult problem that would also need to be solved: how to make >> grafting work for these non-plaintext references. If grafting doesn't >> work, there's a good chance that software with known security flaws will >> continue to be executed. > > That's a good thing to keep in mind. I think that the references we're > talking about putting into a ".guix-dependencies" file or into an > uncompressed JAR file are in fact "plaintext" in the sense that these > files are not using compression, encryption, esoteric encodings, or > other obfuscations which might defeat the reference scanning or grafting > mechanisms. I'm not convinced we need these things (a list of > dependencies in ".guix-dependencies" or embedded classpaths in JAR > files), but if we used them, I don't think it would interfere with > reference scanning or grafting. Would it? It would not interfere, but it could have the effect of *hiding* security problems due to a failure to graft properly. If there are embedded references that Guix cannot see and therefore are not transformed by grafting, we are most likely to become aware of this problem when the referenced store item is reclaimed by the garbage collector, thus breaking things and prompting us to investigate. This is in fact exactly how I discovered another problem of this kind: https://bugs.gnu.org/24703 If we create a redundant set of references in another file, then problems like this could go undetected for a long time. Adding more 'propagating-inputs' would have the same problem, and cause other problems as well. One thing we could do is add a phase to certain build systems, which would try to use additional methods to detect these hidden references, and deliberately cause the build to fail in that case, raising the alarm that grafting would silently fail. What do you think? Mark ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-12 17:39 ` store reference detection (was Re: JARs and reference scanning) Mark H Weaver @ 2017-05-12 18:27 ` Leo Famulari 2017-05-12 19:54 ` Hartmut Goebel 1 sibling, 0 replies; 33+ messages in thread From: Leo Famulari @ 2017-05-12 18:27 UTC (permalink / raw) To: Mark H Weaver; +Cc: guix-devel On Fri, May 12, 2017 at 01:39:18PM -0400, Mark H Weaver wrote: > One thing we could do is add a phase to certain build systems, which > would try to use additional methods to detect these hidden references, > and deliberately cause the build to fail in that case, raising the alarm > that grafting would silently fail. It's a good idea, and worth doing. I do think we will always find new types of obfuscated references, unfortunately, but we should try to address the types we know about. ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-12 17:39 ` store reference detection (was Re: JARs and reference scanning) Mark H Weaver 2017-05-12 18:27 ` Leo Famulari @ 2017-05-12 19:54 ` Hartmut Goebel 2017-05-12 21:51 ` Mark H Weaver 1 sibling, 1 reply; 33+ messages in thread From: Hartmut Goebel @ 2017-05-12 19:54 UTC (permalink / raw) To: Mark H Weaver, Chris Marusich; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 745 bytes --] Am 12.05.2017 um 19:39 schrieb Mark H Weaver: > It would not interfere, but it could have the effect of *hiding* > security problems due to a failure to graft properly. > [...] > If we create a redundant set of references in another file, then > problems like this could go undetected for a long time. Reading you comments (and words like "hidden"), I assume you are referring to some compressed or otherwise unreadable data. Please don't confuse this: We are *not* talking about compressed files, but about plain text (or stored uncomressed within e.g. a zip-file). -- Regards Hartmut Goebel | Hartmut Goebel | h.goebel@crazy-compilers.com | | www.crazy-compilers.com | compilers which you thought are impossible | [-- Attachment #2: Type: text/html, Size: 1410 bytes --] ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-12 19:54 ` Hartmut Goebel @ 2017-05-12 21:51 ` Mark H Weaver 2017-05-13 7:15 ` Hartmut Goebel 0 siblings, 1 reply; 33+ messages in thread From: Mark H Weaver @ 2017-05-12 21:51 UTC (permalink / raw) To: Hartmut Goebel; +Cc: guix-devel Hartmut Goebel <h.goebel@crazy-compilers.com> writes: > Am 12.05.2017 um 19:39 schrieb Mark H Weaver: > > It would not interfere, but it could have the effect of *hiding* > security problems due to a failure to graft properly. > [...] > If we create a redundant set of references in another file, then > problems like this could go undetected for a long time. > > Reading you comments (and words like "hidden"), I assume you are > referring to some compressed or otherwise unreadable data. > > Please don't confuse this: We are *not* talking about compressed > files, but about plain text (or stored uncomressed within e.g. a > zip-file). Apologies if I've misunderstood. Earlier, you wrote: > So I propose to add a small text file ".guix-dependencies' to all > language's packages which do not add some kind of references > themselves: Python, Perl, Java, etc. What's the motivation for this proposal, if not to allow the scanner to see references that would otherwise be obfuscated? Mark ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-12 21:51 ` Mark H Weaver @ 2017-05-13 7:15 ` Hartmut Goebel 2017-05-23 7:29 ` Chris Marusich 0 siblings, 1 reply; 33+ messages in thread From: Hartmut Goebel @ 2017-05-13 7:15 UTC (permalink / raw) To: Mark H Weaver; +Cc: guix-devel Am 12.05.2017 um 23:51 schrieb Mark H Weaver: > What's the motivation for this proposal, if not to allow the scanner to > see references that would otherwise be obfuscated? The motivation is to have references at all. See <http://lists.gnu.org/archive/html/guix-devel/2017-04/msg00639.html> for an example of a package having propagated inputs which are not recognized as references by the gc. -- Regards Hartmut Goebel | Hartmut Goebel | h.goebel@crazy-compilers.com | | www.crazy-compilers.com | compilers which you thought are impossible | ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: store reference detection (was Re: JARs and reference scanning) 2017-05-13 7:15 ` Hartmut Goebel @ 2017-05-23 7:29 ` Chris Marusich 0 siblings, 0 replies; 33+ messages in thread From: Chris Marusich @ 2017-05-23 7:29 UTC (permalink / raw) To: Hartmut Goebel; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 1880 bytes --] Hartmut Goebel <h.goebel@crazy-compilers.com> writes: > Am 12.05.2017 um 23:51 schrieb Mark H Weaver: >> What's the motivation for this proposal, if not to allow the scanner to >> see references that would otherwise be obfuscated? > The motivation is to have references at all. See > <http://lists.gnu.org/archive/html/guix-devel/2017-04/msg00639.html> for > an example of a package having propagated inputs which are not > recognized as references by the gc. Hartmut, the question of whether or not a "package" (actually, the store paths created by building the package) is eligible for garbage collection has little to do with whether or not the package is a propagated input. With that in mind, the example you provided does not seem to be a problem. If a package A happens to be a propagated input of another package B, and if package B happens to be installed in some profile (e.g., via 'guix package -i B'), then package A is also installed in the same profile. Therefore, package A is not eligible for garbage collection (i.e., it is "live") because every profile is a GC root. However, if one has just built package B with 'guix build B' without installing it into any profile, then package A hasn't been installed, either. In this case, package A is eligible for garbage collection because no GC root refers to it directly or transitively [1]. To summarize: When package A is a propagated input of package B, it is possible for package A to be live, and it is possible for package A not to be live. By itself, the fact that package A is a propagated input tells us nothing about whether or not package A should be eligible for garbage collection. And it is not the case that package A should be live simply because package B has been built. [1] This assumes, of course, that package A wasn't live to begin with. -- Chris [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: Need help from Java-developers 2017-04-23 8:41 ` Chris Marusich 2017-04-23 22:57 ` Chris Marusich @ 2017-04-25 8:44 ` Ricardo Wurmus 1 sibling, 0 replies; 33+ messages in thread From: Ricardo Wurmus @ 2017-04-25 8:44 UTC (permalink / raw) To: Chris Marusich; +Cc: guix-devel Chris Marusich <cmmarusich@gmail.com> writes: >> o How to make the maven-build-system to never ever include other >> jar? Perhaps we need to post-process the generated jars. > > Speaking of JAR files, shouldn't we try to avoid them entirely? My > understanding is that they are compressed files, which means the Guix > daemon won't be able to scan them for references. I don't know if it's > easy to use Maven to build a project without putting the build output > into a JAR file, though. We are already using Jar files. They are generated by the ant-build-system. I don’t think there’s any way around using them, because that’s the format everybody uses. You just add a jar to the CLASSPATH to let java find it. The format is like Zip, but with an additional manifest. -- Ricardo GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC https://elephly.net ^ permalink raw reply [flat|nested] 33+ messages in thread
end of thread, other threads:[~2017-05-23 7:29 UTC | newest] Thread overview: 33+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-04-13 11:29 Need help from Java-developers Hartmut Goebel 2017-04-23 8:41 ` Chris Marusich 2017-04-23 22:57 ` Chris Marusich 2017-04-25 19:28 ` JARs and reference scanning (was: Need help from Java-developers) Hartmut Goebel 2017-04-26 5:34 ` JARs and reference scanning Chris Marusich 2017-04-26 11:53 ` store reference detection (was Re: JARs and reference scanning) Thomas Danckaert 2017-04-26 19:31 ` Maxim Cournoyer 2017-04-27 13:46 ` Ludovic Courtès 2017-04-27 14:14 ` store reference detection Thomas Danckaert 2017-04-27 17:46 ` store reference detection (was Re: JARs and reference scanning) Hartmut Goebel 2017-05-02 12:43 ` Ludovic Courtès 2017-05-07 12:48 ` Hartmut Goebel 2017-05-07 20:23 ` Chris Marusich 2017-05-08 7:06 ` Ricardo Wurmus 2017-05-08 14:11 ` Ludovic Courtès 2017-05-11 8:41 ` Chris Marusich 2017-05-11 11:27 ` Ricardo Wurmus 2017-05-12 6:54 ` Chris Marusich 2017-05-12 8:21 ` Ricardo Wurmus 2017-05-12 9:35 ` Hartmut Goebel 2017-05-12 18:22 ` Mark H Weaver 2017-05-12 20:05 ` Hartmut Goebel 2017-05-12 21:24 ` Mark H Weaver 2017-05-12 6:18 ` Mark H Weaver 2017-05-12 8:19 ` Chris Marusich 2017-05-12 9:46 ` store reference detection Hartmut Goebel 2017-05-12 17:39 ` store reference detection (was Re: JARs and reference scanning) Mark H Weaver 2017-05-12 18:27 ` Leo Famulari 2017-05-12 19:54 ` Hartmut Goebel 2017-05-12 21:51 ` Mark H Weaver 2017-05-13 7:15 ` Hartmut Goebel 2017-05-23 7:29 ` Chris Marusich 2017-04-25 8:44 ` Need help from Java-developers Ricardo Wurmus
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/guix.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.