Grafts don't handle outputs other than out

  • Done
  • quality assurance status badge
Details
3 participants
  • Jakub K?dzio?ka
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Submitted by
Jakub K?dzio?ka
Severity
important
J
J
Jakub K?dzio?ka wrote on 11 Jun 2020 00:32
(address . bug-guix@gnu.org)
20200610223220.hi36uznx57jol2h5@gravity
$ cat test.scm
(use-modules
(guix packages)
(guix build-system trivial))

(define-public core-pkg
(package
(name "core-pkg")
(version "1.0")
(replacement core-pkg/fixed)
(source #f)
(outputs '("out" "lib"))
(build-system trivial-build-system)
(arguments
`(#:modules ((guix build utils))
#:builder
(begin
(use-modules (guix build utils))
(let ((outdir (assoc-ref %outputs "out"))
(libdir (assoc-ref %outputs "lib")))
(mkdir-p outdir)
(mkdir-p libdir)
#t))))
(synopsis #f)
(description #f)
(home-page #f)
(license #f)))

(define-public core-pkg/fixed
(package
(inherit core-pkg)
(version "1.1")))

(package
(name "other-pkg")
(version "4.2")
(source #f)
(build-system trivial-build-system)
(inputs
`(("core-pkg" ,core-pkg)
("core-pkg:lib" ,core-pkg "lib")))
(arguments
`(#:modules ((guix build utils))
#:builder
(begin
(use-modules (guix build utils))
(let ((outdir (assoc-ref %outputs "out")))
(mkdir-p outdir)
(with-output-to-file (string-append outdir "/hello")
(lambda ()
(display (assoc-ref %build-inputs "core-pkg"))
(newline)
(display (assoc-ref %build-inputs "core-pkg:lib"))
(newline)))
#t))))
(synopsis #f)
(description #f)
(home-page #f)
(license #f))
~$ cat `guix build --no-offload -f test.scm`/hello
/gnu/store/pmz07rzm63z02lkyyldsw3srf98h01y2-core-pkg-1.1
/gnu/store/pivsji8qfpln4i4v0f5v5cjmzakmcmvg-core-pkg-1.0-lib

Expected output: the second line contains -core-pkg-1.1-lib.

Regards,
Jakub K?dzio?ka
-----BEGIN PGP SIGNATURE-----

iQIyBAABCAAdFiEE5Xa/ss9usT31cTO54xWnWEYTFWQFAl7hX28ACgkQ4xWnWEYT
FWSEyw/3XMAjfC55ltrKpOkpQnX8abjwBJjJlwHy/b+qQHf+WwTMGxecYCUVExXt
qsFRho0qCQVqkhj5iwB0ownem/GZCnwjkbUXJ2vMwb3wHrra3pBFwoQjdg6Yv+Q5
KKlyP+nNK9+MTz8+AKzMd9Yng52dl2LE4qS/v9Gi6oxirreStG3+MdBrenpYBPWU
gitD/erPRx6abYeHHP4l1HI5YdmU/MtP4orNBv8N+bKBMaqEcYhpg6dhPLJg6vHB
mozrW9AMR0XghKr6xlNwg7ddh8xcyQnW6Mj4Ongl/LXqQXr/znq1kgrR3jeemRGu
SDGMYdmW1gsRtqwBnrGL0bvY++Kcbb3+lYuxqOkLvE/Br2u4c9e/TYcw5p8AqeGA
vY6McSyv1VLFOmFhQ19fejaO3bQiglACBRdZGVybWQ8yNh6olfip8DfVUVrgxPAz
tpf1aqroaWAR68RrgsQEc6LmPfYysKzZVJp8drJtiGvqU7MsgWNFBrHVxZpGv4l9
DUSQMyz0M9NPLSMzz9Nz9q4lU4Nt1MkyvV52iT08Rgls9WU5w+M+QK2b3FS2sZlq
uqV/8TzB3HhCbCjAeNY5HNYzFwiqBd/TCwSnArYlUwAKnb0/88tHoy0nS2+/C2pd
x+VhpFNcqj+F/nbhhPuk0atztnhi274c6GYTKO0+uve6Wh9ZKA==
=o5vg
-----END PGP SIGNATURE-----


M
M
Marius Bakke wrote on 11 Jun 2020 00:37
(address . control@debbugs.gnu.org)
87sgf2fsz4.fsf@gnu.org
severity 41796 important
thanks
L
L
Ludovic Courtès wrote on 11 Jun 2020 12:50
(address . control@debbugs.gnu.org)
87mu59c1wm.fsf@gnu.org
tags 41796 + security
quit
L
L
Ludovic Courtès wrote on 11 Jun 2020 18:46
Re: bug#41796: Grafts don't handle outputs other than out
(name . Jakub K?dzio?ka)(address . kuba@kadziolka.net)(address . 41796@debbugs.gnu.org)
87bllpblf2.fsf@gnu.org
Hi!

I’m trying to estimate the impact of this bug. As of
a50628bbe0fa4ba3835e311098e4fdf7a1d8a29e, there seems to be only one
package whose replacement could end up not being grafted (here I’m
omitting outputs that, if left ungrafted, won’t affect security):

Toggle snippet (9 lines)
scheme@(guile-user)> (fold-packages (lambda (p result)
(if (and (package-replacement p)
(> (length (fold delete (package-outputs p) '("debug" "doc" "static"))) 1))
(cons p result)
result))
'())
$11 = (#<package nss@3.50 gnu/packages/nss.scm:73 7f88caa62e60>)

This is because of the “bin” output of ‘nss’.

From a quick grep, there 3 packages depending on nss:bin: 389-ds-base,
libcacard, and xmlsec-nss.

389-ds-base is affected: it keeps a reference to the ungrafted “bin”:

Toggle snippet (8 lines)
$ guix gc --references $(guix build 389-ds-base --no-grafts) |grep nss-
/gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50
/gnu/store/vvsa5q0g790wi97zadj5qklqpiw1fqc1-nss-3.50-bin
$ guix gc --references $(guix build 389-ds-base) |grep nss-
/gnu/store/588jh89ng8f7ks4wsay6mdm4dxapk2d6-nss-3.50
/gnu/store/vvsa5q0g790wi97zadj5qklqpiw1fqc1-nss-3.50-bin

The other two are fine:

Toggle snippet (12 lines)
$ guix gc --references $(guix build libcacard --no-grafts) |grep nss-
/gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50
$ guix gc --references $(guix build libcacard) |grep nss-
/gnu/store/588jh89ng8f7ks4wsay6mdm4dxapk2d6-nss-3.50
$ guix gc --references $(guix build xmlsec-nss --no-grafts) |grep nss-
/gnu/store/fwb0adczsx3nqsdnj92xnv85n93qa17n-xmlsec-nss-1.2.30
/gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50
$ guix gc --references $(guix build xmlsec-nss ) |grep nss-
/gnu/store/2gzk5rfg86zyxk8d9z6b7x0xkwar95cj-xmlsec-nss-1.2.30
/gnu/store/588jh89ng8f7ks4wsay6mdm4dxapk2d6-nss-3.50

Ludo’.
L
L
Ludovic Courtès wrote on 11 Jun 2020 19:12
(name . Jakub K?dzio?ka)(address . kuba@kadziolka.net)(address . 41796-done@debbugs.gnu.org)
87y2ota5n8.fsf@gnu.org
Hi Jakub,

Thanks a lot for the reduced test case, much appreciated!

This is fixed with 03a70e4c190420e87c0b535285caf8f77260d4ff, which
includes a test inspired by yours.

ecf92194a55188a9c217d76617378749db063453 adds an nghttp2 replacement, as
you suggested on IRC, which is what prompted you to report this bug.
Apparently it works as expected. Same for 389-ds-base.

Thanks,
Ludo’.
Closed
?