Conflicting grafts are dismissed

  • Done
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Ludovic Courtès
Severity
serious
Ludovic Courtès wrote on 12 Sep 2016 14:56
Re: GnuTLS security update
(name . Leo Famulari)(address . leo@famulari.name)
87zindtgya.fsf@gnu.org
Leo Famulari <leo@famulari.name> skribis:

> $ ./pre-inst-env guix build gnutls
> /gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
> /gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
> /gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2
>
> $ guix build gnutls # This Guix is from `guix pull`, not my Git repo.
> /gnu/store/7dy8xca0y8vz94af242cqnq9ddk2nwxn-gnutls-3.5.2-debug
> /gnu/store/q27cnlfkf8kc6gjl0cdw5nvq45lfllvx-gnutls-3.5.2-doc
> /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
>
> $ guix gc --references $(./pre-inst-env guix build msmtp)
> /gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib
> /gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0
> /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23
> /gnu/store/nwzi32dmlrvqkfy5fplrh9ndnivxv851-libsecret-0.18.5
> /gnu/store/ppd0q1mwl6rz51y5bmmwz3x89hc561cw-msmtp-1.6.5
> /gnu/store/r60cjgawd6dqz3gfdmw4ihkvbcp27f3a-gsasl-1.8.0
> /gnu/store/ykzwykkvr2c80rw4l1qh3mvfdkl7jibi-bash-4.3.42
> /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
>
> The problem is that the msmtp package I have built using this patch does
> not refer to the grafted gnutls. I got the same result after building a
> fresh Git clone of Guix.

Indeed, there’s a bug. :-/

With your patch, I get:

$ git describe
v0.11.0-970-g8d4169a
$ guix gc --references $(./pre-inst-env guix build msmtp)|grep gnutls
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
$ ./pre-inst-env guix build gnutls
/gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
/gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
/gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2
$ ./pre-inst-env guix build gnutls --no-grafts
/gnu/store/23vx0mdw6q96pakyps2cjjvcjng1mxqx-gnutls-3.5.2-debug
/gnu/store/p0zrk9424l0aljzsqyqx5zgh86x9glmi-gnutls-3.5.2-doc
/gnu/store/1qv5i6rfxjc4d0rg7z6r9dapmf85kzmy-gnutls-3.5.2
$ /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2/bin/gnutls-cli --version
gnutls-cli 3.5.2
Copyright (C) 2000-2016 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>


Please send bug reports to: <bugs@gnutls.org>
$ /gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2/bin/gnutls-cli --version
gnutls-cli 3.5.4
Copyright (C) 2000-2016 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>


Please send bug reports to: <bugs@gnutls.org>

msmtp uses a GnuTLS that is different from both other GnuTLS.

I think the bug has to do with the fact that GnuTLS has a replacement
and at the same time needs to be grafted (the libidn and libgcrypt
grafts apply to GnuTLS).

In the meantime, I suggest that you apply the patch anyway.

Ludo’.
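
The comparison done by hand in the session above, as an added example that is not part of the original message or of Guix: a shell function (hypothetical name `classify_refs`) that takes the output of `guix gc --references`, `guix build PKG` and `guix build PKG --no-grafts` and labels each reference to PKG as grafted, ungrafted, or matching neither build. The sample input is copied from the msmtp/gnutls session in this thread; the status labels are this example's own.

```shell
#!/bin/sh
# classify_refs REFS GRAFTED UNGRAFTED   (hypothetical helper, not part of Guix)
#   REFS       output of `guix gc --references ITEM`
#   GRAFTED    output of `guix build PKG`
#   UNGRAFTED  output of `guix build PKG --no-grafts`
# Prints "<status> <path>" for each reference whose name-version[-output]
# part matches an output of PKG; references to other packages are skipped.
classify_refs() {
    refs=$1 grafted=$2 ungrafted=$3
    # Drop "/gnu/store/<hash>-" to obtain the names of PKG's outputs.
    names=$(printf '%s\n%s\n' "$grafted" "$ungrafted" |
            sed 's|^/gnu/store/[^-]*-||' | sort -u)
    printf '%s\n' "$refs" | while IFS= read -r ref; do
        [ -n "$ref" ] || continue
        name=${ref#/gnu/store/*-}
        printf '%s\n' "$names" | grep -qxF -- "$name" || continue
        if printf '%s\n' "$grafted" | grep -qxF -- "$ref"; then
            echo "grafted $ref"
        elif printf '%s\n' "$ungrafted" | grep -qxF -- "$ref"; then
            echo "UNGRAFTED $ref"
        else
            # Same name as PKG, but produced by neither current build.
            echo "STALE $ref"
        fi
    done
}

# Sample input copied from the msmtp/gnutls session in this thread
# (only the msmtp and gnutls references, and only the default outputs).
MSMTP_REFS='/gnu/store/ppd0q1mwl6rz51y5bmmwz3x89hc561cw-msmtp-1.6.5
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2'
GNUTLS_GRAFTED='/gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2'
GNUTLS_UNGRAFTED='/gnu/store/1qv5i6rfxjc4d0rg7z6r9dapmf85kzmy-gnutls-3.5.2'

classify_refs "$MSMTP_REFS" "$GNUTLS_GRAFTED" "$GNUTLS_UNGRAFTED"
```

Any line other than `grafted` means the item still links against a dependency that the current graft does not cover.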
Leo Famulari wrote on 12 Sep 2016 18:34
(name . Ludovic Courtès)(address . ludo@gnu.org)
20160912163421.GA32764@jasmine
On Mon, Sep 12, 2016 at 02:56:13PM +0200, Ludovic Courtès wrote:
> msmtp uses a GnuTLS that is different from both other GnuTLS.

The GnuTLS being used [0] corresponds to the GnuTLS on the master branch
from before I pushed this graft.

> I think the bug has to do with the fact that GnuTLS has a replacement
> and at the same time needs to be grafted (the libidn and libgcrypt
> grafts apply to GnuTLS).
>
> In the meantime, I suggest that you apply the patch anyway.

Okay, done as 974e2b297104d2de01632df1a56069b383e645f4

[0] yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
Ludovic Courtès wrote on 12 Sep 2016 22:57
retitle
(address . request@debbugs.gnu.org)
87zincygxv.fsf@gnu.org
retitle 24418 Conflicting grafts are dismissed
thanks
Ludovic Courtès wrote on 12 Sep 2016 22:57
control message for bug #24418
(address . control@debbugs.gnu.org)
87y42wygxe.fsf@gnu.org
severity 24418 serious
Ludovic Courtès wrote on 14 Oct 2016 09:57
Grafted item refers to a mixture of grafted and ungrafted outputs of the same derivation
(address . 24418@debbugs.gnu.org)(name . Mark H Weaver)(address . mhw@netris.org)
87shrzcqhx.fsf@gnu.org
Mark reported on IRC that gnome-session, as of v0.11.0-1639-g34f9582,
refers to the grafted “out” of glib, but at the same time refers to the
*ungrafted* “bin” output of glib:

$ ./pre-inst-env guix build gnome-session
/gnu/store/rchskrbc42yjlb85lq8zigpvynwc2zz7-gnome-session-3.20.2
$ guix gc -R /gnu/store/rchskrbc42yjlb85lq8zigpvynwc2zz7-gnome-session-3.20.2|grep glib-2
/gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0
/gnu/store/c4rjjznraqnw7wk7zwr8ndmq7bdmj51q-glib-2.48.0-bin
$ ./pre-inst-env guix build glib
/gnu/store/ya5d1r6bvph3m5nisjywrnkvffpdrjfn-glib-2.48.0-bin
/gnu/store/jav2d6c39k3amv4k1670845li7284a6q-glib-2.48.0-doc
/gnu/store/77f9q6kvgrrwhqbzxzc10bwdwq6kd690-glib-2.48.0
$ ./pre-inst-env guix build glib --no-grafts
/gnu/store/c4rjjznraqnw7wk7zwr8ndmq7bdmj51q-glib-2.48.0-bin
/gnu/store/ib12bfrx83aawhabpp0rijgmm61gi0wg-glib-2.48.0-doc
/gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0

Ludo’.
Ludovic Courtès wrote on 14 Oct 2016 23:37
Re: bug#24418: GnuTLS security update
(name . Leo Famulari)(address . leo@famulari.name)
87insuvchr.fsf@gnu.org
Hello!

ludo@gnu.org (Ludovic Courtès) skribis:

> $ git describe
> v0.11.0-970-g8d4169a
> $ guix gc --references $(./pre-inst-env guix build msmtp)|grep gnutls
> /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
> $ ./pre-inst-env guix build gnutls
> /gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
> /gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
> /gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2
> $ ./pre-inst-env guix build gnutls --no-grafts
> /gnu/store/23vx0mdw6q96pakyps2cjjvcjng1mxqx-gnutls-3.5.2-debug
> /gnu/store/p0zrk9424l0aljzsqyqx5zgh86x9glmi-gnutls-3.5.2-doc
> /gnu/store/1qv5i6rfxjc4d0rg7z6r9dapmf85kzmy-gnutls-3.5.2
> $ /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2/bin/gnutls-cli --version
> gnutls-cli 3.5.2
> Copyright (C) 2000-2016 Free Software Foundation, and others, all rights reserved.
> This is free software. It is licensed for use, modification and
> redistribution under the terms of the GNU General Public License,
> version 3 or later <http://gnu.org/licenses/gpl.html>
>
>
> Please send bug reports to: <bugs@gnutls.org>
> $ /gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2/bin/gnutls-cli --version
> gnutls-cli 3.5.4
> Copyright (C) 2000-2016 Free Software Foundation, and others, all rights reserved.
> This is free software. It is licensed for use, modification and
> redistribution under the terms of the GNU General Public License,
> version 3 or later <http://gnu.org/licenses/gpl.html>

AFAICS this is fixed by these two patches:

b013c33 * grafts: 'graft-derivation' does now introduce grafts that shadow other grafts.
d0025d0 * packages: 'package-grafts' applies grafts on replacement.

Please let me know if you notice anything wrong.

For debugging purposes, I found it easier to have the attached patch
applied, so that replacements are easily distinguishable from the
original packages. You might want to use it too. :-)

(I didn’t apply it to master because it would lead to merge conflicts in
core-updates, but feel free to apply it if that seems OK to you.)

Thanks,
Ludo’.
modified gnu/packages/gnupg.scm
@@ -138,15 +138,14 @@ generation.")
(define libgcrypt-1.5.6
(package
(inherit libgcrypt-1.5)
- (source
- (let ((version "1.5.6"))
- (origin
- (method url-fetch)
- (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
- version ".tar.bz2"))
- (sha256
- (base32
- "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h")))))))
+ (version "1.5.6")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
+ version ".tar.bz2"))
+ (sha256
+ (base32
+ "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h"))))))
(define-public libassuan
(package
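Review bot: In `libgcrypt-1.5.6`, the `version` inside `string-append` no longer comes from a local `let`; it now depends on the new `(version "1.5.6")` field next to `(inherit libgcrypt-1.5)`. Please add a comment above the definition saying that this package exists as a replacement and that the explicit `version` field is deliberate, so the field is not later dropped as redundant with the version already in the variable name. Since the field also changes the name of the resulting store item from the inherited version to 1.5.6, it is worth confirming that grafting still applies with the renamed replacement.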
modified gnu/packages/tls.scm
@@ -215,16 +215,15 @@ required structures.")
(define gnutls-3.5.4
(package
(inherit gnutls)
- (source
- (let ((version "3.5.4"))
- (origin
- (method url-fetch)
- (uri (string-append "mirror://gnupg/gnutls/v"
- (version-major+minor version)
- "/gnutls-" version ".tar.xz"))
- (sha256
- (base32
- "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f")))))))
+ (version "3.5.4")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://gnupg/gnutls/v"
+ (version-major+minor version)
+ "/gnutls-" version ".tar.xz"))
+ (sha256
+ (base32
+ "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f"))))))
(define-public openssl
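Review bot: In `gnutls-3.5.4`, both `(version-major+minor version)` and the `"/gnutls-" version ".tar.xz"` part of the URI now read the package's `version` field, while the `sha256` stays pinned to one tarball. A later bump that edits `(version "3.5.4")` without updating the hash will fail at fetch time, which is the desired outcome, but the variable name `gnutls-3.5.4` would then disagree with the field. Consider a comment noting that the variable name, the `version` field and the hash must change together.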
Ludovic Courtès wrote on 1 Nov 2016 22:22
control message for bug #24418
(address . control@debbugs.gnu.org)
87ins6nbee.fsf@gnu.org
tags 24418 fixed
close 24418