GNU bug report logs - #39194
help for non-root users to start using


Package: guix;

Reported by: Matt Wette <matt.wette <at> gmail.com>

Date: Sun, 19 Jan 2020 17:49:02 UTC

Severity: normal

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 39194 in the body.
You can then email your comments to 39194 AT debbugs.gnu.org in the normal way.



Report forwarded to bug-guix <at> gnu.org:
bug#39194; Package guix. (Sun, 19 Jan 2020 17:49:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matt Wette <matt.wette <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 19 Jan 2020 17:49:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Matt Wette <matt.wette <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: help for non-root users to start using
Date: Sun, 19 Jan 2020 09:48:02 -0800

This guix-1.0.1 on x86_64 Fedora 30.

After installing as root, it's not clear from the manual how users 
should start.
I found out "guix pull" is the right thing.
Maybe add that to the manual? (Or add a "guix init" command.)

Here is the error that I get w/o "guix pull":

[mwette@localhost ~]$ guix install hello
Backtrace:
           8 (primitive-load "/usr/local/bin/guix")
In guix/ui.scm:
  1813:12  7 (run-guix-command _ . _)
In ice-9/boot-9.scm:
    829:9  6 (catch _ _ #<procedure 7effb6272430 at guix/ui.scm:657?> ?)
    829:9  5 (catch _ _ #<procedure 7effb6272448 at guix/ui.scm:780?> ?)
In guix/scripts/package.scm:
   948:10  4 (_)
In guix/status.scm:
    768:4  3 (call-with-status-report _ _)
In guix/scripts/package.scm:
   956:14  2 (_)
In guix/build/syscalls.scm:
  1127:14  1 (call-with-file-lock/no-wait _ #<procedure 7effb42f5cd?> ?)
In ice-9/boot-9.scm:
    777:6  0 (throw "open-file" "~A: ~S" ("No such file or direc?" ?) ?)

ice-9/boot-9.scm:777:6: In procedure throw:
In procedure throw: Wrong type argument in position 1: open-file





Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Sun, 19 Jan 2020 22:13:02 GMT) Full text and rfc822 format available.

Notification sent to Matt Wette <matt.wette <at> gmail.com>:
bug acknowledged by developer. (Sun, 19 Jan 2020 22:13:02 GMT) Full text and rfc822 format available.

Message #10 received at 39194-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Matt Wette <matt.wette <at> gmail.com>
Cc: 39194-done <at> debbugs.gnu.org
Subject: Re: bug#39194: help for non-root users to start using
Date: Sun, 19 Jan 2020 23:12:43 +0100

Hi Matt,

Matt Wette <matt.wette <at> gmail.com> skribis:

> This guix-1.0.1 on x86_64 Fedora 30.
>
> After installing as root, it's not clear from the manual how users
> should start.
> I found out "guix pull" is the right thing.
> Maybe add that to the manual? (Or add a "guix init" command.)

“guix pull” brings you an up-to-date Guix, which is a good thing, but
you don’t _have_ to run it to get started.

> Here is the error that I get w/o "guix pull":
>
> [mwette@localhost ~]$ guix install hello
> Backtrace:
>            8 (primitive-load "/usr/local/bin/guix")
> In guix/ui.scm:
>   1813:12  7 (run-guix-command _ . _)
> In ice-9/boot-9.scm:
>     829:9  6 (catch _ _ #<procedure 7effb6272430 at guix/ui.scm:657?> ?)
>     829:9  5 (catch _ _ #<procedure 7effb6272448 at guix/ui.scm:780?> ?)
> In guix/scripts/package.scm:
>    948:10  4 (_)
> In guix/status.scm:
>     768:4  3 (call-with-status-report _ _)
> In guix/scripts/package.scm:
>    956:14  2 (_)
> In guix/build/syscalls.scm:
>   1127:14  1 (call-with-file-lock/no-wait _ #<procedure 7effb42f5cd?> ?)
> In ice-9/boot-9.scm:
>     777:6  0 (throw "open-file" "~A: ~S" ("No such file or direc?" ?) ?)
>
> ice-9/boot-9.scm:777:6: In procedure throw:
> In procedure throw: Wrong type argument in position 1: open-file

I believe this is fixed by commit 7842ddcbc118cbc2799e22651732b7cdc06b93ee.

Here’s my understanding of what happened:

  1. You’re running guix-daemon 1.0.1, which lacks the fix for
     <https://bugs.gnu.org/37744> (aka. CVE-2019-18192).

  2. As “mwette”, you ran ‘guix pull’ and obtained a new ‘guix’, which
     you then used in ‘guix install hello’ above.

  3. That new Guix contains the new profile locking mechanism that threw
     the exception we see above.  That exception is because it failed to
     create the lock file (“No such file or directory”), and that in
     turn is because /var/guix/profiles/per-user/mwette didn’t exist
     yet.

     /…/per-user/mwette didn’t exist because it was the first time you
     ran ‘guix install’ as “mwette”, and because guix-daemon lacks the
     fix mentioned above that would create it upon first connection.

QED ■  :-)

Thanks for your report!

Ludo’.
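
The failure explained in the message above, reproduced as an added shell sketch (not Guix's code, which is Scheme): taking the lock under a per-user directory that does not exist yet fails, while creating and validating the directory first succeeds. The function names, the `guix-profile.lock` file name, the noclobber-style lock and the symlink and ownership checks are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration, not Guix's code. Function names are hypothetical and the
# lock is a noclobber-created file standing in for Guix's real file lock.
PROFILE_ROOT=${PROFILE_ROOT:-/var/guix/profiles/per-user}

# Failing path from the report: take the lock without checking that the
# per-user directory exists. The open fails with "No such file or directory".
lock_profile_naive() {
    ( set -C; : > "$PROFILE_ROOT/$1/guix-profile.lock" ) 2>/dev/null
}

# Create the per-user directory up front and validate it before use.
ensure_profile_dir() {
    dir=$PROFILE_ROOT/$1
    if [ -L "$dir" ]; then                 # a symlink could redirect the profile
        echo "refusing symlink: $dir" >&2; return 2
    fi
    if [ ! -d "$dir" ]; then
        mkdir -m 0755 "$dir" || return 1   # PROFILE_ROOT itself must exist
    fi
    if [ ! -O "$dir" ]; then               # must belong to the calling user
        echo "not owned by you: $dir" >&2; return 3
    fi
}

# Fixed path: ensure the directory first, then take the lock.
lock_profile() {
    ensure_profile_dir "$1" || return
    if ! ( set -C; : > "$PROFILE_ROOT/$1/guix-profile.lock" ) 2>/dev/null; then
        echo "profile already locked" >&2; return 4
    fi
}

unlock_profile() { rm -f "$PROFILE_ROOT/$1/guix-profile.lock"; }

# Constructed demo in a scratch directory; "mwette" is the user from the report.
demo() {
    PROFILE_ROOT=$(mktemp -d) || return 1
    lock_profile_naive mwette && naive=ok || naive=failed
    lock_profile mwette && fixed=ok || fixed=failed
    lock_profile mwette 2>/dev/null && second=ok || second=refused
    unlock_profile mwette
    rm -rf "$PROFILE_ROOT"
    echo "naive=$naive fixed=$fixed second=$second"
}
( demo )
```
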




Information forwarded to bug-guix <at> gnu.org:
bug#39194; Package guix. (Mon, 20 Jan 2020 23:08:02 GMT) Full text and rfc822 format available.

Message #13 received at 39194 <at> debbugs.gnu.org (full text, mbox):

From: Bengt Richter <bokr <at> bokr.com>
To: 39194 <at> debbugs.gnu.org, ludo <at> gnu.org, matt.wette <at> gmail.com
Subject: Re: bug#39194: help for non-root users to start using
Date: Mon, 20 Jan 2020 15:07:13 -0800

Hi Ludo,

On +2020-01-19 23:12:43 +0100, Ludovic Courtès wrote:
> Hi Matt,
> 
> Matt Wette <matt.wette <at> gmail.com> skribis:
> 
> > This guix-1.0.1 on x86_64 Fedora 30.
> >
> > After installing as root, it's not clear from the manual how users
> > should start.
> > I found out "guix pull" is the right thing.
> > Maybe add that to the manual? (Or add a "guix init" command.)
> 
> “guix pull” brings you an up-to-date Guix, which is a good thing, but
> you don’t _have_ to run it to get started.
> 
> > Here is the error that I get w/o "guix pull":
> >
> > [mwette@localhost ~]$ guix install hello
> > Backtrace:
> >            8 (primitive-load "/usr/local/bin/guix")
> > In guix/ui.scm:
> >   1813:12  7 (run-guix-command _ . _)
> > In ice-9/boot-9.scm:
> >     829:9  6 (catch _ _ #<procedure 7effb6272430 at guix/ui.scm:657?> ?)
> >     829:9  5 (catch _ _ #<procedure 7effb6272448 at guix/ui.scm:780?> ?)
> > In guix/scripts/package.scm:
> >    948:10  4 (_)
> > In guix/status.scm:
> >     768:4  3 (call-with-status-report _ _)
> > In guix/scripts/package.scm:
> >    956:14  2 (_)
> > In guix/build/syscalls.scm:
> >   1127:14  1 (call-with-file-lock/no-wait _ #<procedure 7effb42f5cd?> ?)
> > In ice-9/boot-9.scm:
> >     777:6  0 (throw "open-file" "~A: ~S" ("No such file or direc?" ?) ?)
> >
> > ice-9/boot-9.scm:777:6: In procedure throw:
> > In procedure throw: Wrong type argument in position 1: open-file
> 
> I believe this is fixed by commit 7842ddcbc118cbc2799e22651732b7cdc06b93ee.
>

Did that commit cause an automatic update to the tarball
found and used by the binary install script [1] ??

[1] https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh

The latter defines GNU_URL="https://ftp.gnu.org/gnu/guix/"
as its source of tarballs and signatures. Looking at that URL with
a browser, I see

--8<---------------cut here---------------start------------->8---
[ ]guix-binary-1.0.1.x86_64-linux.tar.xz 2019-05-19 16:54 60M 
[ ]guix-binary-1.0.1.x86_64-linux.tar.xz.sig 2019-05-19 16:54 833  
--8<---------------cut here---------------end--------------->8---

and checking on the date of commit 7842dd, I get

--8<---------------cut here---------------start------------->8---
commit 7842ddcbc118cbc2799e22651732b7cdc06b93ee
Author: Ludovic Courtès <ludo <at> gnu.org>
Date:   Sun Jan 19 22:52:31 2020 +0100

    guix package: Create profiles/per-user/$USER upfront.
    
    Fixes <https://bugs.gnu.org/39194>.
    Reported by Matt Wette <matt.wette <at> gmail.com>.
    
    * guix/scripts/package.scm (build-and-use-profile): Move
    'ensure-default-profile' call to...
    (process-actions): ... here. 
 --8<---------------cut here---------------end--------------->8---

So for a script user, 2019-05-19 16:54 tarball vs Sun Jan 19 22:52:31 2020 fix
appears to be a problem :)

I doctored the script [1] to do everything but the installing part,
to make sure what tarball was being used by my system. Here is its output:

--8<---------------cut here---------------start------------->8---
[05:53 ~/bs]$ ./get-guix-ver.sh

    ░░░                                     ░░░
    ░░▒▒░░░░░░░░░               ░░░░░░░░░▒▒░░
     ░░▒▒▒▒▒░░░░░░░           ░░░░░░░▒▒▒▒▒░
         ░▒▒▒░░▒▒▒▒▒         ░░░░░░░▒▒░
               ░▒▒▒▒░       ░░░░░░
                ▒▒▒▒▒      ░░░░░░
                 ▒▒▒▒▒     ░░░░░
                 ░▒▒▒▒▒   ░░░░░
                  ▒▒▒▒▒   ░░░░░
                   ▒▒▒▒▒ ░░░░░
                   ░▒▒▒▒▒░░░░░
                    ▒▒▒▒▒▒░░░
                     ▒▒▒▒▒▒░
     _____ _   _ _    _    _____       _
    / ____| \ | | |  | |  / ____|     (_)
   | |  __|  \| | |  | | | |  __ _   _ ___  __
   | | |_ | . ' | |  | | | | |_ | | | | \ \/ /
   | |__| | |\  | |__| | | |__| | |_| | |>  <
    \_____|_| \_|\____/   \_____|\__,_|_/_/\_

This script is a modification of the guix-install.sh script
recommended in the on-line guix manual section on binary
installation [1] where the actual script is also linked [2].

It normally installs GNU Guix on your system, but was modified
by commenting out the actual installation parts, retaining
determination of the release for your system and checking
the signature. In addition sha1 digests of the tarball
and the original and modified scripts are also provided.

[1] https://guix.gnu.org/manual/en/html_node/Binary-Installation.html
[2] https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh

This modified version does not need to be run as root.

https://www.gnu.org/software/guix/
Press return to continue...
[1579528426.548]: Starting installation (Mon 20 Jan 2020 05:53:46 AM PST)
[1579528426.550]: [ PASS ] verification of required commands completed
[1579528426.574]: [ INFO ] init system is: systemd
[1579528426.576]: [ INFO ] system is x86_64-linux
[1579528427.114]: [ PASS ] Release for your system: guix-binary-1.0.1.x86_64-linux
[1579528427.116]: [ INFO ] Downloading Guix release archive
guix-binary-1.0.1.x86_64-linux.tar.xz   100%[==================================================>]  59.66M  7.05MB/s    in 9.2s    
guix-binary-1.0.1.x86_64-linux.tar.xz.s 100%[==================================================>]     833  --.-KB/s    in 0s      
[1579528436.864]: [ PASS ] download completed.
[1579528437.426]: [ PASS ] Signature is valid.
[1579528437.427]: [ INFO ] sha1sum digest of guix-binary-1.0.1.x86_64-linux.tar.xz:
8288422fde6a6d4ee257355c21ab9447ae9736cf  guix-binary-1.0.1.x86_64-linux.tar.xz
[1579528437.580]: [ INFO ] Downloading Guix install script 'guix-install.sh'
guix-install.sh                         100%[==================================================>]  13.68K  --.-KB/s    in 0s      
[1579528438.299]: [ PASS ] download completed.
[1579528438.304]: [ INFO ] sha1sum digest of guix-install.sh
4402af0b8c130b1cabf7fb5e68ec3183a02633b0  guix-install.sh
[1579528438.308]: [ INFO ] sha1sum digest of /home/bokr/BS/bs20200119_2359/get-guix-ver.sh
6926ea98230514b731c4ebe9edae8c9a5e01c0a9  /home/bokr/BS/bs20200119_2359/get-guix-ver.sh
[1579528438.311]: [ INFO ] This is last command in modified guix-install.sh script.
[05:53 ~/bs]$ 
--8<---------------cut here---------------end--------------->8---

Well, I hacked in some extra stuff, but I think it would be nice to give the script
a -n --dry-run option, and print the tarball dates along with a last-commit date, etc.
to show automatically what I did manually above.

Also, is the script [1] under git version control? Perhaps as a verbatim texi node
in guix info?

WDYT?

BTW I think guix use via binary installs on "foreign distros" will grow to a majority.
Especially if those who want to try it can pre-check with a dry run that can be run
as plain user and which outputs good warnings as appropriate.

I am now on PureOS on a Librem13v4, which is based on Debian apt packaging,
limited IIUC to their vetted repo based on Debian upstream.

So I wonder what I have done to my trust tree by running the binary install script.
I hate to think. There sure are a lot of committers who I don't know from Adam ;-/

> Here’s my understanding of what happened:
> 
>   1. You’re running guix-daemon 1.0.1, which lacks the fix for
>      <https://bugs.gnu.org/37744> (aka. CVE-2019-18192).
> 
>   2. As “mwette”, you ran ‘guix pull’ and obtained a new ‘guix’, which
>      you then used in ‘guix install hello’ above.
> 
>   3. That new Guix contains the new profile locking mechanism that threw
>      the exception we see above.  That exception is because it failed to
>      create the lock file (“No such file or directory”), and that in
>      turn is because /var/guix/profiles/per-user/mwette didn’t exist
>      yet.
> 
>      /…/per-user/mwette didn’t exist because it was the first time you
>      ran ‘guix install’ as “mwette”, and because guix-daemon lacks the
>      fix mentioned above that would create it upon first connection.
> 
> QED ■  :-)
> 
> Thanks for your report!
> 
> Ludo’.
> 

-- 
Regards,
Bengt Richter




Information forwarded to bug-guix <at> gnu.org:
bug#39194; Package guix. (Tue, 21 Jan 2020 09:07:01 GMT) Full text and rfc822 format available.

Message #16 received at 39194 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Bengt Richter <bokr <at> bokr.com>
Cc: 39194 <at> debbugs.gnu.org, matt.wette <at> gmail.com
Subject: Re: bug#39194: help for non-root users to start using
Date: Tue, 21 Jan 2020 10:06:26 +0100

Hi,

Bengt Richter <bokr <at> bokr.com> skribis:

> Did that commit cause an automatic update to the tarball
> found and used by the binary install script [1] ??

No, it didn’t automatically create a new Guix release.

> commit 7842ddcbc118cbc2799e22651732b7cdc06b93ee
> Author: Ludovic Courtès <ludo <at> gnu.org>
> Date:   Sun Jan 19 22:52:31 2020 +0100
>
>     guix package: Create profiles/per-user/$USER upfront.
>     
>     Fixes <https://bugs.gnu.org/39194>.
>     Reported by Matt Wette <matt.wette <at> gmail.com>.
>     
>     * guix/scripts/package.scm (build-and-use-profile): Move
>     'ensure-default-profile' call to...
>     (process-actions): ... here. 
>  --8<---------------cut here---------------end--------------->8---
>
> So for a script user, 2019-05-19 16:54 tarball vs Sun Jan 19 22:52:31 2020 fix
> appears to be a problem :)

The problem Matt reported came up after running ‘guix pull’.  Someone
running ‘guix pull’ today will get the fix above.

HTH!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 18 Feb 2020 12:24:06 GMT) Full text and rfc822 format available.

This bug report was last modified 4 years and 40 days ago.
