bug-guix

bug#22990: Grafts leads to inefficient substitute info retrieval


From: Mark H Weaver
Subject: bug#22990: Grafts leads to inefficient substitute info retrieval
Date: Tue, 15 Mar 2016 14:49:55 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.92 (gnu/linux)

address@hidden (Ludovic Courtès) writes:

> Alex Kost <address@hidden> skribis:
>
>> Ludovic Courtès (2016-03-11 19:52 +0300) wrote:
>>
>>> As of right now (v0.9.0-2007-g66a30a3), ‘graft-derivation’ works either by:
>>>
>>>   1. Fetching substitute info about the things being built so that it
>>>      can determine its references, which in turn allows it to determine
>>>      whether they need to be grafted.
>>>
>>>   2. Building stuff, as a last resort, so that it can determine its
>>>      references.
>>
>> I noticed that #1 is happening even with --no-substitutes option.  Is it
>> intended?
>
> Not really, but I see this is because ‘substitutable-path-info’ (called
> from ‘references/substitutes’, called from ‘graft-derivation’) works
> regardless of whether substitutes are enabled:
>
> scheme@(guile-user)> ,use(guix)
> scheme@(guile-user)> (define s (open-connection))
> scheme@(guile-user)> (set-build-options s #:use-substitutes? #f)
> $2 = #t
> scheme@(guile-user)> (valid-path? s "/gnu/store/qf2lm7jpiiyygxz8zq0r1ca1fazv6smn-mutt-1.5.24")
> $3 = #f
> scheme@(guile-user)> (substitutable-path-info s '("/gnu/store/qf2lm7jpiiyygxz8zq0r1ca1fazv6smn-mutt-1.5.24"))
> $4 = (#<<substitutable> path: "/gnu/store/qf2lm7jpiiyygxz8zq0r1ca1fazv6smn-mutt-1.5.24"
>       deriver: "/gnu/store/jcl9c3w463xa2g963q5a60rrd97y1g28-mutt-1.5.24.drv"
>       refs: ("/gnu/store/3gmzl5jpk700hqyr8p3kfg0vgcnw8d97-libassuan-2.4.2"
>              "/gnu/store/b02lmk67jq1vcflk2m2bwzc8gmwmndqp-ncurses-6.0"
>              "/gnu/store/d3xdc2w87yw3raafwb9q34gxx4xqci8k-cyrus-sasl-2.1.26"
>              "/gnu/store/pkasxagsa4z4viscfpl6sjszmdmwncl1-gcc-4.9.3-lib"
>              "/gnu/store/qf2lm7jpiiyygxz8zq0r1ca1fazv6smn-mutt-1.5.24"
>              "/gnu/store/qvx4q6lbwi4s3cwr8wqaa7kcva0a5c4b-openssl-1.0.2f"
>              "/gnu/store/sb40mddkia0brc814xkbnhxccfm32q3a-gpgme-1.6.0"
>              "/gnu/store/sgzfawy95pfn7nsw3xvmca58llm5zzbc-glibc-2.22"
>              "/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1"
>              "/gnu/store/x8dmdlrn5qn0wrbcnngj55y3ab73h0pp-bash-4.3.42"
>              "/gnu/store/zpxg45dq67psrn4wmfk4l635h0si8q63-libgpg-error-1.21")
>       dl-size: 0 nar-size: 6661016>)

Is the information from the substitute server authenticated by checking
hydra's signature against the list of keys in /etc/guix/acls?

The reason I ask is that if the set of runtime dependencies received is
incomplete, it could lead to incorrect grafting, namely that references
to compromised libraries could be retained.

> However, substitutes are not downloaded, so in this regard
> --no-substitutes is honored.

It depends on the intent of --no-substitutes.  If the intent is to avoid
trusting the substitute server, then by relying on the accuracy of the
runtime dependency data from Hydra, we are failing to honor that intent.

That said, I think it's okay to document that --no-substitutes alone is
not sufficient to avoid trusting a substitute server, and that the
proper way to accomplish that is to make sure its key is not in
/etc/guix/acls.

What do you think?

    Thanks,
      Mark
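
Added example, not part of the original message and not Guix's code: a simplified Python model of a graft decision driven by reported references, showing why the concern above matters when the reference list from a substitute server is incomplete. The function names, the dependency edges and the replacement name are constructed for illustration; only the package names come from the session quoted above.

```python
# Simplified model of a reference-driven graft decision (NOT Guix's implementation).
# Dependency edges and the replacement name are constructed sample data.

def closure(item, refs):
    """Return every item reachable from `item` through `refs`, item included."""
    seen, stack = set(), [item]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(refs.get(cur, ()))
    return seen

def grafts_needed(item, refs, replacements):
    """Replacements to apply: only items believed to be in the closure of `item`."""
    reachable = closure(item, refs)
    return {old: new for old, new in replacements.items() if old in reachable}

def ungrafted(item, true_refs, reported_refs, replacements):
    """Items that should have been replaced but were missed because the
    reported reference data was incomplete."""
    wanted = grafts_needed(item, true_refs, replacements)
    applied = grafts_needed(item, reported_refs, replacements)
    return sorted(set(wanted) - set(applied))

# What the built output really references (constructed).
TRUE_REFS = {
    "mutt-1.5.24": ["openssl-1.0.2f", "gpgme-1.6.0", "glibc-2.22"],
    "gpgme-1.6.0": ["libassuan-2.4.2", "glibc-2.22"],
}
# Hypothetical graft: replace one library with a patched build.
REPLACEMENTS = {"openssl-1.0.2f": "openssl-1.0.2f-patched"}
# Same data as reported by an unauthenticated source that omits one reference.
REPORTED_INCOMPLETE = {**TRUE_REFS, "mutt-1.5.24": ["gpgme-1.6.0", "glibc-2.22"]}

if __name__ == "__main__":
    print("complete refs  :", grafts_needed("mutt-1.5.24", TRUE_REFS, REPLACEMENTS))
    print("incomplete refs:", grafts_needed("mutt-1.5.24", REPORTED_INCOMPLETE, REPLACEMENTS))
    print("left ungrafted :", ungrafted("mutt-1.5.24", TRUE_REFS, REPORTED_INCOMPLETE, REPLACEMENTS))
```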




