GNU bug report logs - #41796
Grafts don't handle outputs other than out


Package: guix;

Reported by: Jakub Kądziołka <kuba <at> kadziolka.net>

Date: Wed, 10 Jun 2020 22:33:01 UTC

Severity: important

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#41796; Package guix. (Wed, 10 Jun 2020 22:33:01 GMT)

Acknowledgement sent to Jakub Kądziołka <kuba <at> kadziolka.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 10 Jun 2020 22:33:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Jakub Kądziołka <kuba <at> kadziolka.net>
To: bug-guix <at> gnu.org
Subject: Grafts don't handle outputs other than out
Date: Thu, 11 Jun 2020 00:32:20 +0200
$ cat test.scm
(use-modules
  (guix packages)
  (guix build-system trivial))

(define-public core-pkg
  (package
    (name "core-pkg")
    (version "1.0")
    (replacement core-pkg/fixed)
    (source #f)
    (outputs '("out" "lib"))
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let ((outdir (assoc-ref %outputs "out"))
               (libdir (assoc-ref %outputs "lib")))
           (mkdir-p outdir)
           (mkdir-p libdir)
           #t))))
    (synopsis #f)
    (description #f)
    (home-page #f)
    (license #f)))

(define-public core-pkg/fixed
  (package
    (inherit core-pkg)
    (version "1.1")))

(package
  (name "other-pkg")
  (version "4.2")
  (source #f)
  (build-system trivial-build-system)
  (inputs
  `(("core-pkg" ,core-pkg)
    ("core-pkg:lib" ,core-pkg "lib")))
  (arguments
  `(#:modules ((guix build utils))
    #:builder
    (begin
      (use-modules (guix build utils))
      (let ((outdir (assoc-ref %outputs "out")))
        (mkdir-p outdir)
        (with-output-to-file (string-append outdir "/hello")
          (lambda ()
            (display (assoc-ref %build-inputs "core-pkg"))
            (newline)
            (display (assoc-ref %build-inputs "core-pkg:lib"))
            (newline)))
        #t))))
  (synopsis #f)
  (description #f)
  (home-page #f)
  (license #f))
~$ cat `guix build --no-offload -f test.scm`/hello
/gnu/store/pmz07rzm63z02lkyyldsw3srf98h01y2-core-pkg-1.1
/gnu/store/pivsji8qfpln4i4v0f5v5cjmzakmcmvg-core-pkg-1.0-lib

Expected output: the second line contains -core-pkg-1.1-lib.

Regards,
Jakub Kądziołka

Severity set to 'important' from 'normal' Request was from Marius Bakke <marius <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 10 Jun 2020 22:38:01 GMT)

Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 11 Jun 2020 10:51:01 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#41796; Package guix. (Thu, 11 Jun 2020 16:47:02 GMT)

Message #12 received at 41796 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Jakub Kądziołka <kuba <at> kadziolka.net>
Cc: 41796 <at> debbugs.gnu.org
Subject: Re: bug#41796: Grafts don't handle outputs other than out
Date: Thu, 11 Jun 2020 18:46:09 +0200
Hi!

I’m trying to estimate the impact of this bug.  As of
a50628bbe0fa4ba3835e311098e4fdf7a1d8a29e, there seems to be only one
package whose replacement could end up not being grafted (here I’m
omitting outputs that, if left ungrafted, won’t affect security):

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> (fold-packages (lambda (p result)
				      (if (and (package-replacement p)
					       (> (length (fold delete (package-outputs p) '("debug" "doc" "static"))) 1))
					  (cons p result)
					  result))
				    '())
$11 = (#<package nss@3.50 gnu/packages/nss.scm:73 7f88caa62e60>)
--8<---------------cut here---------------end--------------->8---

This is because of the “bin” output of ‘nss’.

From a quick grep, there are 3 packages depending on nss:bin: 389-ds-base,
libcacard, and xmlsec-nss.

389-ds-base is affected: it keeps a reference to the ungrafted “bin”:

--8<---------------cut here---------------start------------->8---
$ guix gc --references $(guix build 389-ds-base --no-grafts) |grep nss-
/gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50
/gnu/store/vvsa5q0g790wi97zadj5qklqpiw1fqc1-nss-3.50-bin
$ guix gc --references $(guix build 389-ds-base) |grep nss-
/gnu/store/588jh89ng8f7ks4wsay6mdm4dxapk2d6-nss-3.50
/gnu/store/vvsa5q0g790wi97zadj5qklqpiw1fqc1-nss-3.50-bin
--8<---------------cut here---------------end--------------->8---

The other two are fine:

--8<---------------cut here---------------start------------->8---
$ guix gc --references $(guix build libcacard --no-grafts) |grep nss-
/gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50
$ guix gc --references $(guix build libcacard) |grep nss-
/gnu/store/588jh89ng8f7ks4wsay6mdm4dxapk2d6-nss-3.50
$ guix gc --references $(guix build xmlsec-nss --no-grafts) |grep nss-
/gnu/store/fwb0adczsx3nqsdnj92xnv85n93qa17n-xmlsec-nss-1.2.30
/gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50
$ guix gc --references $(guix build xmlsec-nss ) |grep nss-
/gnu/store/2gzk5rfg86zyxk8d9z6b7x0xkwar95cj-xmlsec-nss-1.2.30
/gnu/store/588jh89ng8f7ks4wsay6mdm4dxapk2d6-nss-3.50
--8<---------------cut here---------------end--------------->8---

Ludo’.
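
The comparison done by hand in the message above, as an added example that is not part of the original thread or of Guix: a shell function that takes the two `guix gc --references` listings (with and without `--no-grafts`) and reports references to a replaced dependency that grafting left unchanged while a sibling output changed. The function names and temporary file names are hypothetical; the sample listings are the 389-ds-base ones quoted above.

```shell
# Added example (not from the thread or from Guix): flag references to a
# replaced dependency that grafting left untouched.
#   $1: `guix gc --references` output for a package built with --no-grafts
#   $2: the same for the default (grafted) build
#   $3: NAME-VERSION of the dependency that has a replacement, e.g. nss-3.50
# Prints outputs of $3 referenced identically in both builds while a sibling
# output did change; prints nothing if no graft was applied at all.
ungrafted_refs() {
    awk -v dep="$3" '
        # True for HASH-NAME-VERSION and HASH-NAME-VERSION-OUTPUT store items.
        function is_dep(path,    parts, n, base) {
            n = split(path, parts, "/"); base = parts[n]
            sub(/^[^-]*-/, "", base)        # drop the store hash
            return base == dep || index(base, dep "-") == 1
        }
        FILENAME == ARGV[1] { if (is_dep($0)) before[$0] = 1; next }
        is_dep($0) { if ($0 in before) same[$0] = 1; else changed++ }
        END { if (changed) for (p in same) print p }
    ' "$1" "$2" | sort
}

# Sample data: the two 389-ds-base listings quoted in the message above.
demo_389_ds_base() {
    tmp=$(mktemp -d)
    cat > "$tmp/no-grafts" <<'EOF'
/gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50
/gnu/store/vvsa5q0g790wi97zadj5qklqpiw1fqc1-nss-3.50-bin
EOF
    cat > "$tmp/grafted" <<'EOF'
/gnu/store/588jh89ng8f7ks4wsay6mdm4dxapk2d6-nss-3.50
/gnu/store/vvsa5q0g790wi97zadj5qklqpiw1fqc1-nss-3.50-bin
EOF
    ungrafted_refs "$tmp/no-grafts" "$tmp/grafted" nss-3.50
    rm -rf "$tmp"
}

demo_389_ds_base
```

On a real system the two input files would come from `guix gc --references $(guix build PKG --no-grafts)` and `guix gc --references $(guix build PKG)`; matching on the exact NAME-VERSION keeps unrelated items such as xmlsec-nss out of the result.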




Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Thu, 11 Jun 2020 17:13:01 GMT)

Notification sent to Jakub Kądziołka <kuba <at> kadziolka.net>:
bug acknowledged by developer. (Thu, 11 Jun 2020 17:13:01 GMT)

Message #17 received at 41796-done <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Jakub Kądziołka <kuba <at> kadziolka.net>
Cc: 41796-done <at> debbugs.gnu.org
Subject: Re: bug#41796: Grafts don't handle outputs other than out
Date: Thu, 11 Jun 2020 19:12:11 +0200
Hi Jakub,

Thanks a lot for the reduced test case, much appreciated!

This is fixed with 03a70e4c190420e87c0b535285caf8f77260d4ff, which
includes a test inspired by yours.

ecf92194a55188a9c217d76617378749db063453 adds an nghttp2 replacement, as
you suggested on IRC, which is what prompted you to report this bug.
Apparently it works as expected.  Same for 389-ds-base.

Thanks,
Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 10 Jul 2020 11:24:05 GMT)

This bug report was last modified 3 years and 263 days ago.