--- Begin Message ---
Subject: More problems with --no-substitutes
Date: Thu, 27 Mar 2014 12:12:30 -0400
This just happened to me on core-updates, on my YeeLoong:
--8<---------------cut here---------------start------------->8---
mhw:~/guix-core-updates$ ./pre-inst-env guix build -S expect lua zip pth bazaar ocaml
substitute-binary: Backtrace:
substitute-binary: In ice-9/boot-9.scm:
substitute-binary: 157: 0 [catch #t #<catch-closure 107fb4f0> ...]
substitute-binary:
substitute-binary: ice-9/boot-9.scm:157:17: In procedure catch:
substitute-binary: ice-9/boot-9.scm:157:17: In procedure system-async-mark: thread has already exited
C-c C-c
--8<---------------cut here---------------end--------------->8---
No doubt, the "system-async-mark: thread has already exited" is a
problem, but that's not what bothers me.
What disturbs me the most is that 'substitute-binary' is being called at
all. I'm 100% certain that I passed '--no-substitutes' to guix-daemon.
I use a script to start guix-daemon with the options I prefer, to avoid
mistakes. I also just checked with 'ps', and indeed '--no-substitutes'
is there on the command line.
It's very important to me to trust that guix-daemon will not accept
binaries from the internet, even if there's a man-in-the-middle that
pretends to be hydra.gnu.org with mips64el binaries for me.
I'm surprised and concerned that we seem to be having so much trouble
making '--no-substitutes' work reliably. How hard can it be?
Until we get this straightened out, what's the most reliable way for me
to hack the code to ensure that substitutes cannot work, ever?
Mark
--- End Message ---
--- Begin Message ---
Subject: Re: bug#17122: More problems with --no-substitutes
Date: Mon, 31 Mar 2014 18:59:22 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
address@hidden (Ludovic Courtès) writes:
> Mark H Weaver <address@hidden> writes:
>
>> What disturbs me the most is that 'substitute-binary' is being called at
>> all. I'm 100% certain that I passed '--no-substitutes' to guix-daemon.
>> I use a script to start guix-daemon with the options I prefer, to avoid
>> mistakes. I also just checked with 'ps', and indeed '--no-substitutes'
>> is there on the command line.
>
> Can you check with current master? (See in particular commits 968e84a
> and c9e2b0b.) Does tests/guix-daemon.sh pass?
Yes, it does.
I also hacked 'guix-substitute-binary' to unconditionally raise an error
as soon as it is called (a local patch I intend to keep indefinitely).
Before your recent commits, 'guix-substitute-binary' was always being
called by 'guix build' (unless --no-substitutes was passed to it), but
that seems to be fixed now. Thanks.
>> I'm surprised and concerned that we seem to be having so much trouble
>> making '--no-substitutes' work reliably. How hard can it be?
>
> The issue is that guix-daemon.cc glues into Nix’s code, and Nix changed
> the way it handles substituter settings in the last update.
Ah, okay. I wish this wasn't so fragile, but the new test case you
added helps, as does my hack to raise an error if the substituter is
called, which will immediately alert me to any similar problems in the
future.
> Specifically, in Nix commit dcaea042, the Settings::update method is
> made to re-read $NIX_SUBSTITUTERS:
> <https://github.com/NixOS/nix/commit/dcaea042fc895667bf6f529471ff9f449629774c>;
> then in Guix commit 89faa5c I adjusted guix-daemon.cc accordingly, but
> inadvertently removed the ‘if’ branch that clears the substituter list.
>
> Commit c9e2b0b augments tests/guix-daemon.sh to test guix-daemon
> --no-substitutes.
Thanks very much! I'm closing this bug now.
Mark
--- End Message ---
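The regression discussed in this thread, as a simplified C++ model added here (it is not code from Nix or Guix): a settings refresh re-reads `$NIX_SUBSTITUTERS`, so the caller must clear the substituter list again when `--no-substitutes` is in effect. Only `Settings::update` and `NIX_SUBSTITUTERS` come from the thread; the struct layout, the `configure_*` and `remaining` functions, the colon separator and the sample path are assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-in for the settings object. It models only the behaviour
// described in the thread: update() re-reads $NIX_SUBSTITUTERS.
struct Settings {
    bool useSubstitutes = true;
    std::vector<std::string> substituters;
    void update() {  // colon-separated list is an assumption of this model
        substituters.clear();
        const char *env = std::getenv("NIX_SUBSTITUTERS");
        std::istringstream in(env ? env : "");
        std::string path;
        while (std::getline(in, path, ':'))
            if (!path.empty()) substituters.push_back(path);
    }
};

// Regressed glue (hypothetical): refreshes settings, never clears the list.
void configure_regressed(Settings &s, bool noSubstitutes) {
    s.useSubstitutes = !noSubstitutes;
    s.update();
}

// Glue with the clearing branch in place, applied after the refresh.
void configure_fixed(Settings &s, bool noSubstitutes) {
    s.useSubstitutes = !noSubstitutes;
    s.update();
    if (!s.useSubstitutes) s.substituters.clear();
}

// Regression check: how many substituters could still be invoked?
std::size_t remaining(void (*configure)(Settings &, bool), bool noSubstitutes) {
    setenv("NIX_SUBSTITUTERS", "/constructed/libexec/substitute-binary", 1);
    Settings s;
    configure(s, noSubstitutes);
    return s.substituters.size();
}

int main() {
    std::printf("regressed: %zu\n", remaining(configure_regressed, true));
    std::printf("fixed:     %zu\n", remaining(configure_fixed, true));
    return 0;
}
```

A test of this shape fails closed: it asserts on the effective substituter list after configuration rather than on the presence of the flag on the command line.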