guix time-machine fails when a tarball was modified in-place

Hi,

Trying to travel back to Sun Apr 7 22:07:14 2019 +0200 (commit

56e95d54d209c2428f970d65d9b27ae4168449ad) to re-create mcrl2-minimal by

doing

fails with

The recipe for harfbuzz has a sha256 that used to be valid in April, but

hasn't been valid anymore since May, as this fix

shows. Thoughts?

Greetings,

janneke

--

Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org

Freelance IT http://JoyofSource.com| Avatar® http://AvatarAcademy.com

Hi,

On Wed, 12 Feb 2020 at 14:44, Jan Nieuwenhuizen <janneke@gnu.org> wrote:

Even the simple:

same for e.g., this commit:

Therefore, all the commits between the introduction of harfbuzz with

the old sha256 (commit 2da9b81837fd1e6f08a10952784d3358be982855) and

the commit updating to the new sha256 should be broken.

Roughly speaking, all the commits between April, 7th and the May, 4th;

i.e., 1100+ commits, isn't it?

Well, this ask an interesting question: how Guix can fallback when

upstream is doing wrong?

Considering this 'harbuzz' issue, is it possible to rebuild the old

tarball and push it to SoftWare Heritage? Then when a sha mismatch

happens, fallback and try to fetch it from SWH?

WDYT?

Cheers,

simon

Hi,

Jan Nieuwenhuizen <janneke@gnu.org> skribis:

The problem here is really that we fall back to content-addressed

mirrors instead of using them directly:

https://issues.guix.gnu.org/issue/28659

The file itself is still available on our machines though, and you can

get it with:

guix download -o harfbuzz-2.4.0.tar.bz2 \

https://ci.guix.gnu.org/file/harfbuzz-2.4.0.tar.bz2/sha256/0vrkvdlmihdg62a4c6h5kx27khc33xmb95l50zgnwnavvpwyyw5l

guix download file://$PWD/harfbuzz-2.4.0.tar.bz2

After that, re-running ‘guix time-machine’ should work.

Using ci.guix.gnu.org for substitutes should have the same effect.

HTH,

Ludo’.

Hi Ludo,

On Thu, 13 Feb 2020 at 22:34, Ludovic Courtès <ludo@gnu.org> wrote:

Thank you for the pointer. Good to see that the problem is almost addressed.

I will try to understand the discussion and see what is the status of

the proposed patch.

It is an half cooked solution because the Guix project cannot archive

all; for example in term of store resources.

The content-addressed mirror should be SWH, IMHO.

Well, once sources.json will be up, it should be almost done for the future.

But we still need to push all the correct sources that are on

ci.guix.gnu.org; at least all the url based source of package.

Do you have suggestion for a plan?

Thank you. This should fix the harfbuzz mismatch issue. Cool! :-)

Hum? I thought that I used ci.guix.gnu.org as substitutes... soI need to check.

Cheers,

simon

Hello Ludo'

Ludovic Courtès <ludo@gnu.org> writes:

[...]

Given the natute (AFAIU) of this issue is the very same of the bug you

mention, shouldn't this bug be merged (forcemerged?) whith #28659?

If you agree and have no time, I can try doing this

Does make it sense to make this workaround more general and add this as

a Cookbook or blog entry? If the patch you propose in #28659 solve any

issue and is ready to be merget of course it's not worth the effort

[...]

Thanks! Gio'

--

Giovanni Biscuolo

Xelera IT Infrastructures

Hi Ludo,

On Thu, 13 Feb 2020 at 22:34, Ludovic Courtès <ludo@gnu.org> wrote:

Maybe I miss a point, but the file we need is the old one, not the new

one, i.e., the one with the expected hash

1mpah6kwqid1kxsj4rwqsniivqbrx231j65v51yncx6s0dch0dch. And I should do

wrong but ci.guix.gnu.org does not have this file -- otherwise it will

find it because of substitutes mechanism.

Cheers,

simon

Hi Giovanni,

On Fri, 14 Feb 2020 at 11:07, Giovanni Biscuolo <g@xelera.eu> wrote:

AFAIU, there is 2 issues:

1. how to do with the particular case of harfbuzz -- bug#39575

2. how to solve the general case of unreliable sources -- bug#28659

So instead of merging the bugs (case 2.), I would like to solve 1.,

mark it as done and report to bug#28659. It will ease to follow

because the thread in bug#28659 is already heavy. :-)

All the best,

simon

Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

Oops, my bad.

I checked on a bunch of machines and couldn’t find it.

Everyone, please check whether you have

/gnu/store/b4cdp9sp44848348lrpzbfafhmjqf8nr-harfbuzz-2.4.0.tar.bz2 and

so share!

Ludo’.

zimoun ???

~ λ guix download

Starting download of /tmp/guix-file.JSWxOl

From https://www.tobias.gr/guix/harfbuzz-2.4.0.tar.bz2...

...4.0.tar.bz2 17.1MiB

6.5MiB/s 00:03 [##################] 100.0%

/gnu/store/b4cdp9sp44848348lrpzbfafhmjqf8nr-harfbuzz-2.4.0.tar.bz2

1mpah6kwqid1kxsj4rwqsniivqbrx231j65v51yncx6s0dch0dch

Enjoy,

T G-R

Hi,

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

Thanks, you saved us!

Now we have it here:

https://ci.guix.gnu.org/file/harfbuzz-2.4.0.tar.bz2/sha256/1mpah6kwqid1kxsj4rwqsniivqbrx231j65v51yncx6s0dch0dch

I’ve also registered a GC root.

Anyway, everything will be so much better when SWH archives tarballs!

Ludo’.

Ludovic Courtès writes:

What about

https://snapshot.debian.org/archive/debian/20190406T212022Z/pool/main/h/harfbuzz/harfbuzz_2.4.0.orig.tar.bz2

(The strange thing being here, that snapshot.debian.org does not provide

a copy of the the in-place rewritten upstream tarball, either on

2019-05-06 or later.)

So, this now becomes the recipe

wget -O harfbuzz-2.4.0.tar.bz2 https://snapshot.debian.org/archive/debian/20190406T212022Z/pool/main/h/harfbuzz/harfbuzz_2.4.0.orig.tar.bz2

guix download $PWD/harfbuzz-2.4.0.tar.bz2

guix time-machine --commit=56e95d54d209c2428f970d65d9b27ae4168449ad --no-offload -- help

that i'm trying now, and for now it looks fine (lots of stuff to build,

i'll report success or failure when it's done).

It seems, however, that for offload builds to work the guix download

needs to be repeated on the offload build farm machines too?

janneke

--

Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org

Freelance IT http://JoyofSource.com| Avatar® http://AvatarAcademy.com

Ludovic Courtès writes:

Wait, what happened here; you finally proposed a patch two years ago and

nothing happened/we all forgot to follow up?

I cannot determine if possibly we were hoping to "wait" for the guile

build daemon?

janneke

--

Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org

Freelance IT http://JoyofSource.com| Avatar® http://AvatarAcademy.com

Hi,

Jan Nieuwenhuizen <janneke@gnu.org> skribis:

Good idea.

OK!

No, I don’t think so, because the head node copies all the inputs to

build machines before it actually offloads the build.

Ludo’.

Jan Nieuwenhuizen <janneke@gnu.org> skribis:

[...]

I think we forgot, indeed.

One thing I don’t quite like about the patch is the fact that ‘guix

substitutes’ connects to the daemon in ‘content-addressed-item?’.

Also, one could argue that we’d steer users towards downloading from our

server, which could be a privacy concern (probably not a strong argument

since one can easily change the substitute URLs.)

Thoughts?

Ludo’.

Hi,

On Fri, 14 Feb 2020 at 14:51, Ludovic Courtès <ludo@gnu.org> wrote:

Cool!

But how do you determine the "date", i.e., this reference '20190406T212022Z' ?

Could it be automated?

Cheers,

simon

Hi,

On Fri, 14 Feb 2020 at 22:34, Ludovic Courtès <ludo@gnu.org> wrote:

I am not following the privacy concern.

What do you mean?

Cheers,

simon

Hi,

On Fri, 14 Feb 2020 at 14:14, Ludovic Courtès <ludo@gnu.org> wrote:

Thank you! :-)

The future will be better. :-)

Even some details need to be discussed: frequency of source.json

generation, frequency of the SWH crawler ingest it, etc.

How could all the archives living in ci.guix.gnu.org be sent to SWH?

Because IMHO the of Berlin (or other) is to archive the world but to

build it. :-)

Cheers,

simon

Jan, Simon,

Janneke ???

This is a wonderful resource! Thank you, Janneke (and Debian)!

zimoun ???

You'd take the timestamp immediately preceding your desired (Guix)

commit's date, or something like that. The fact that git commit

dates aren't linear shouldn't hurt here.

Not without parsing HTML to get the valid timestamps:

https://snapshot.debian.org/archive/debian/?year=2020&month=2.

Also, this doesn't seem to be a supported service yet[0]:

“This is an implementation for a possible snapshot.debian.org

service.

It's not yet finished, it's more a prototype/proof of concept

to show

and learn what we want and can provide. So far it seems to

actually work.”

Still really cool,

T G-R

[0]: https://salsa.debian.org/snapshot-team/snapshot

On +2020-02-15 21:01:36 +0100, Tobias Geerinckx-Rice via Bug reports for GNU Guix wrote:

You may not need to parse the html fully if the part you need is

isolatable into delimited scopes that you can successively narrow.

For example, I while back I wanted a command I could type to get

the url of the latest linux kernel at kernel.org:

stable-kernel.scm -h

(oops, I see I din't use $0 in the usage text -- should be .scm, not -scm)

I offer it below [1], with the thought that you could probably

modify (not to mention improve :-) it to get the timestamps you want.

Especially if you could get them to make the narrow context unique enough

that it's delimiters can delimit it in one shot.

The page at kernel.org is apparently stable enough that this still works,

but YMMV until the snapshot page is similarly stable. (You could ask

them to make it easy :)

HTH or is useful some way.

--

Regards,

Bengt Richter

[1]

Hi!

zimoun <zimon.toutoune@gmail.com> skribis:

I mean that by default, someone who’s disabled substitutes (presumably

out of security or privacy concerns) would find themself downloading

source code from ci.guix.gnu.org instead of various upstream sites.

Ludo’.

Hi,

On Sat, 15 Feb 2020 at 21:01, Tobias Geerinckx-Rice <me@tobias.gr> wrote:

You assume that Debian packs packages as fast as Guix, I mean on the

same schedule which is a strong assumption IMHO.

For example, if it was the contrary and the "new" release of harfbuzz

2.4.0 were missing, then would Debian be helpful?

Yes, still cool! :-)

Thanks,

simon

Hi Ludo,

On Sun, 16 Feb 2020 at 11:59, Ludovic Courtès <ludo@gnu.org> wrote:

I do not see the difference between mirroring and traveling back in

time with missing upstream sources.

And because it is content-addressed, it seems even more secure than

downloading from a upstream URL, IMHO.

If one trusts Guix, then an attacker needs to corrupt in the same time

the Guix history and Berlin (and/or any other farm).

If one does not trust Guix, why does they use the recipe coming from

Guix? To be precise, this person has to check all the recipes of all

the dependencies.

Well, I do not see a security concern because we are talking about

serving the sources.

It is another story when the substitutes serve the results of the

build (binaries); because one does not have any strong guarantee that

the substitute serves the expected binaries.

By privacy concern, do you mean that Guix could collect who downloads

what; in a central fashion? Which is not the case when one downloads

from several distributed upstream sources. Right?

Well, I am not convinced because the case of missing upstream source

is rare. And it is easy to protect against such collecting data

process.

In paranoid mode, traveling back in time is becoming difficult because

of the reliability of the sources; I mean if the sources were

reliable, SWH would not exist. ;-) The solution should be an IPFS /

GNUnet / full distributed archive... which is not ready... yet! :-)

Well, maybe for the TODO list of the time-machine: add an option to

allow substitutes *only* for the sources (substitutes meaning

ci.guix.gnu.org and/or SWH). If this option does not exist yet. ;-)

Cheers,

simon

On Mon, Feb 17, 2020 at 09:47:41AM +0100, zimoun wrote:

We could first try

mirror://debian/pool/main/harfbuzz/harfbuzz_2.4.0.orig.tar.bz2

and then scrape https://snapshot.debian.org/package/harfbuzz/for

2.4.0-1 and then parse the website for harfbuzz_2.4.0.orig.tar.bz2. Or

for just 'orig.tar'

--

Efraim Flashner <efraim@flashner.co.il> ????? ?????

GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351

Confidentiality cannot be guaranteed on emails sent or received unencrypted

Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

[...]

Exactly. But like I wrote above, I don’t think it’s a strong argument.

What remains is the issue with ‘content-addressed-item?’, then.

Ludo’.

zimoun ???

Indeed I do! :-D

Efraim's solution sounds reasonable.

Kind regards,

T G-R

On Mon, 17 Feb 2020 at 15:40, Ludovic Courtès <ludo@gnu.org> wrote:

I agree and the big picture depends on the audience.

Scientific communities would be fine with centralized archives such as

SWH. And only centralized archives IMHO can provide a reliable "long

term" support which is the point for that communities. (Quote because

not clearly defined what it is. :-))

Other communities would prefer distributed archive such as IPFS or

GNUnet but 1. it still needs some work and 2. the "long term" is not

guarantee by nature, IMHO. But it is probably not an issue for that

communities.

I agree.

The bridge with SWH is in good shape, IMHO.

And the pending IPFS patch would deserve more love. :-) Maybe soon...

Cheers,

simon

HI Jan,

On Fri, 14 Feb 2020 at 14:24, Jan Nieuwenhuizen <janneke@gnu.org> wrote:

This command

now works.

However, this command

$ guix time-machine \

--commit=56e95d54d209c2428f970d65d9b27ae4168449ad -- help

still fails for me with the message:

The log /var/log/guix/drvs/gg/lbrs8j0iq8ygh55inwfvpwb5z2x254-guile-2.2.4.drv.bz2

is not meaningful for me... but I can report it here.

Well, is it a success or a failure for you?

Cheers,

simon

zimoun writes:

Hi Simon,

For me, pythohn-minimal fails to build

build-started /gnu/store/s0lw23myd3hvpw28sffkhz8b30x1hcz0-python-minimal-3.7.3.drv - x86_64-linux /var/log/guix/drvs/s0//lw23myd3hvpw28sffkhz8b30x1hcz0-python-minimal-3.7.3.drv.bz2 20827

======================================================================

FAIL: test_register_chain (test.test_faulthandler.FaultHandlerTests)

----------------------------------------------------------------------

Traceback (most recent call last):

File "/tmp/guix-build-python-minimal-3.7.3.drv-0/Python-3.7.3/Lib/test/test_faulthandler.py", line 724, in test_register_chain

self.check_register(chain=True)

File "/tmp/guix-build-python-minimal-3.7.3.drv-0/Python-3.7.3/Lib/test/test_faulthandler.py", line 702, in check_register

self.assertEqual(exitcode, 0)

AssertionError: -11 != 0

----------------------------------------------------------------------

Ran 42 tests in 18.782s

FAILED (failures=1, skipped=4)

1 test failed again:

test_faulthandler

== Tests result: FAILURE then FAILURE ==

382 tests OK.

1 test failed:

test_faulthandler

Not sure what to do here. Could this be a (harmless) coincident?

Greetings

janneke

--

Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org

Freelance IT http://JoyofSource.com| Avatar® http://AvatarAcademy.com

Hi,

Some follow ups.

For me, now, the command

does not fail anymore at the Guile step:

because it was about "FAIL: test-out-of-memory".

Well, now, I am failing at the Python 3.7.3 step too:

However, the python error seems about TLS:

Me neither.

Cheers,

simon

Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

It seems to be timing-sensitive, is it deterministic?

One lesson here is that we should keep substitutes for a longer amount

of time—we actually have a lot of storage space on berlin so we should

investigate what happened. (The NixOS folks currently keep substitutes

forever but they found it’s starting to be expensive…)

Thanks,

Ludo’.