Date: Sat, 9 Sep 2023 13:05:22 +0300
From: Saku Laesvuori
To: Lars-Dominik Braun
Cc: Simon Tournier, help-guix@gnu.org
Subject: Re: GHC packages' inputs leak in guix shell

> > I can’t check right now, but I’m guessing a plain `cabal install`
> > would also add base64-bytestring to GHC’s visible packages?
>
> I tested with cabal-install and it somehow manages to hide the haskell
> packages that are installed as dependencies.

Apparently cabal uses ghc environments[1], which are files that define a
list of flags for ghc, to hide all packages except the explicitly
installed ones. Guix could probably also create a file like that for
every profile that contains ghc and/or packages for it.
Another way would be adding a phase to hide all the haskell packages in
the package-db ($out/lib/ghc-9.2.5/ghc-esqueleto-3.5.8.1.conf.d) except
for the package itself.

Creating environment files could maybe cause problems when combining
profiles, so I think hiding dependency packages in a build phase would
be a better solution. I tried this with ghc-esqueleto and it seems to
work (though I'm sure the code isn't particularly clean and it certainly
is slower than I would like).

[1]: https://ghc.gitlab.haskell.org/ghc/doc/users_guide/packages.html#package-environments

```
(define-public ghc-esqueleto
  (package
    (name "ghc-esqueleto")
    (version "3.5.8.1")
    (source
     (origin
       (method url-fetch)
       (uri (hackage-uri "esqueleto" version))
       (sha256
        (base32 "0k7h2hbxv14x0kq9w2wi83h0swzlri99ic9rj76540l39yqwjc5v"))))
    (build-system haskell-build-system)
    (properties '((upstream-name . "esqueleto")))
    (inputs (list ghc-aeson
                  ghc-attoparsec
                  ghc-blaze-html
                  ghc-conduit
                  ghc-monad-logger
                  ghc-persistent
                  ghc-resourcet
                  ghc-tagged
                  ghc-unliftio
                  ghc-unordered-containers
                  openssl
                  zlib))
    (native-inputs (list ghc-hspec
                         ghc-hspec-core
                         ghc-mysql
                         ghc-mysql-simple
                         ghc-persistent-mysql
                         ghc-persistent-postgresql
                         ghc-persistent-sqlite
                         ghc-postgresql-simple
                         ghc-quickcheck))
    (arguments
     (list
      #:tests? #f ; Needs a running MySQLd.
      #:phases
      #~(modify-phases %standard-phases
          (add-after 'register 'hide-dependencies
            (begin
              (use-modules (srfi srfi-1) (ice-9 popen) (ice-9 rdelim))
              (lambda* (#:key name inputs #:allow-other-keys)
                (let* ((out #$output)
                       (lib (string-append out "/lib"))
                       (haskell (assoc-ref inputs "haskell"))
                       (name-version (strip-store-file-name haskell))
                       (version (last (string-split name-version #\-)))
                       (conf-dir (string-append lib "/ghc-" version
                                                "/" name ".conf.d"))
                       ;; List every package registered in this output's
                       ;; package db.
                       (port (open-input-pipe
                              (string-append "ghc-pkg list --simple-output "
                                             "--package-db=" conf-dir)))
                       (pkgs (string-split (read-line port) #\space))
                       (ghc-pkg (lambda (args)
                                  (apply invoke "ghc-pkg"
                                         (string-append "--package-db="
                                                        conf-dir)
                                         args))))
                  ;; Hide everything, then expose only the package itself.
                  (for-each (lambda (pkg) (ghc-pkg (list "hide" pkg))) pkgs)
                  (ghc-pkg (list "expose" (string-drop name 4)))))))))) ; drop "ghc-"
    (home-page "https://github.com/bitemyapp/esqueleto")
    (synopsis "Type-safe embedded domain specific language for SQL queries")
    (description
     "This library provides a type-safe embedded domain specific language (EDSL)
for SQL queries that works with SQL backends as provided by
@code{ghc-persistent}.  Its language closely resembles SQL, so you don't have
to learn new concepts, just new syntax, and it's fairly easy to predict the
generated SQL and optimize it for your backend.")
    (license license:bsd-3)))
```
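
Added example, not part of the original message or of Guix: the environment-file alternative mentioned above, as a shell function that reads a package db and emits a GHC package environment exposing only the named packages. The function names, the sample db contents and the choice of directives are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: build a GHC package environment file that exposes only
# the named packages from one package db. Function names are hypothetical.
# Assumption: every *.conf in the db carries single-line "name:" and "id:"
# fields (the InstalledPackageInfo format ghc-pkg registers).

# conf_field FILE FIELD: print the value of the first "FIELD:" line.
conf_field() {
    awk -v f="$2" -F': *' '$1 == f { print $2; exit }' "$1"
}

# ghc_env_for DB_DIR NAME...: print the environment file on stdout.
# Fails (status 1) if a requested package is not registered in DB_DIR.
ghc_env_for() {
    db=$1; shift
    ids=
    for want in "$@"; do
        id=
        for conf in "$db"/*.conf; do
            [ -f "$conf" ] || continue
            if [ "$(conf_field "$conf" name)" = "$want" ]; then
                id=$(conf_field "$conf" id)
                break
            fi
        done
        [ -n "$id" ] || { echo "not registered: $want" >&2; return 1; }
        ids="$ids$id
"
    done
    # Start from an empty db stack, then add GHC's own db and this one.
    printf '%s\n' "clear-package-db" "global-package-db" "package-db $db"
    # Only the requested units become visible; dependencies stay hidden.
    printf '%s' "$ids" | sed 's/^/package-id /'
}

# Constructed sample db: the package itself plus one dependency.
sample_db() {
    d=$(mktemp -d)
    printf 'name: esqueleto\nversion: 3.5.8.1\nid: esqueleto-3.5.8.1-CONSTRUCTED\n' \
        > "$d/esqueleto-3.5.8.1.conf"
    printf 'name: aeson\nid: aeson-0.0-CONSTRUCTED\n' > "$d/aeson-0.0.conf"
    printf '%s\n' "$d"
}

demo_db=$(sample_db)
ghc_env_for "$demo_db" esqueleto
rm -rf "$demo_db"
```

GHC reads such a file when it is passed with `-package-env`. Because an environment file hides everything it does not list, packages from GHC's own db such as `base` need their own `package-id` lines in a real profile.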