core-updates: url-fetch/tarbomb, url-fetch/zipbomb fail with "unbound variable: invoke"

  • Done
  • quality assurance status badge
Details
4 participants
  • Eric Bavier
  • Leo Famulari
  • Mark H Weaver
  • Glenn Morris
Owner
unassigned
Submitted by
Eric Bavier
Severity
normal
E
E
Eric Bavier wrote on 17 Apr 2018 03:54
(address . bug-guix@gnu.org)(address . mhw@netris.org)
20180416205439.1644149e@centurylink.net
In commit 20927c9331b493eaf94211ad9f8a5055e11b4588
url-fetch/tarbomb and url-fetch/zipbomb in guix/download.scm were
switched to use 'invoke' instead of 'system*'. On core-updates this
leads for me to an error when attempting to build the source for
packages that use these fetch methods. For example, font-text-gyre:

$ ./pre-inst-env guix build -S font-tex-gyre
The following derivation will be built:
/gnu/store/clxzrqzqbn182nrnkpabd8f4kqfw5bna-tg-2.005otf.zip.drv
@ build-started /gnu/store/clxzrqzqbn182nrnkpabd8f4kqfw5bna-tg-2.005otf.zip.drv - x86_64-linux /var/log/guix/drvs/cl//xzrqzqbn182nrnkpabd8f4kqfw5bna-tg-2.005otf.zip.drv.bz2
Backtrace:
3 (primitive-load "/gnu/store/c1r3fzw5mdh9hqydm2ri2rbdsib?")
In ice-9/eval.scm:
196:27 2 (_ #f)
223:20 1 (proc #<directory (guile-user) 7cc140>)
In unknown file:
0 (%resolve-variable (7 . invoke) #<directory (guile-user?>)

ERROR: In procedure %resolve-variable:
Unbound variable: invoke
note: keeping build directory `/tmp/guix-build-tg-2.005otf.zip.drv-2'
builder for `/gnu/store/clxzrqzqbn182nrnkpabd8f4kqfw5bna-tg-2.005otf.zip.drv' failed with exit code 1
@ build-failed /gnu/store/clxzrqzqbn182nrnkpabd8f4kqfw5bna-tg-2.005otf.zip.drv - 1 builder for `/gnu/store/clxzrqzqbn182nrnkpabd8f4kqfw5bna-tg-2.005otf.zip.drv' failed with exit code 1
guix build: error: build failed: build of `/gnu/store/clxzrqzqbn182nrnkpabd8f4kqfw5bna-tg-2.005otf.zip.drv' failed
$

If I revert that commit it succeeds. I suppose the (guix build utils)
module needs to be imported into the builder.

`~Eric
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoMXjUi7471xkzbfw/XPKxxnTJWYFAlrVU98ACgkQ/XPKxxnT
JWbDYA/+IDuERluCBzT4uMKXt61SmVYfl/4agORtEp+YyKJxqv3eDaEM0MPkpdz4
CaV5D63mqs3tTmgNKFc3qAyZ0H0KOexrcOxiTCKlMgYRtMsLfHC3U8pKsU2XeNA6
FXxm+0xaD+IgKbxehv/Of3RfnyQoTea1fOldj2um+DBgbUscGrF1Jw5/CKTMGNJt
cvk2TeVRs3nkuqteP+fDJT9EetfNu8TAoVUpi6/ezx564zDksDgJcPrQ0DKWtP9M
4VTd3jDAQRiZhBVlzTNCxYSzbsSbMpO8Rtvnw5B83rLTCIN6KuA9MH18viJ0Yh+t
3rq+YujXmcb3A5cMGk1XXc6qZMRMFVR2n4W8LWpejmlCwwptSwkfQxfppB6ziGHq
iFI8sni6uPQ27dKL0B0Elgf1R8UAitlkjEpa4ZtNggnIh+niLKpuCDbfkzWk/+GA
mSOBnfHv3bxyFrPlPh/Yvj4F6QXEYqH4s7fzCuSB7FD85kH3THSTGFCSlyJx9cDX
6adkCNfk+M0nMp++sX/fbAdwBqmNq5BBTispn3ETLwVnVpjGygHxPoYkaAJXC/p9
KKO5lBg1hwJlMtBTvhvY7EFAp8UJnfCj/IZdIj0f1I/Bf1JtBqpsxAnanYQXXv08
lwf7B8pasxopxc3OvnbjOzP1GlBM6GnJcIxY97CYzvwhuFiMJKo=
=M6S+
-----END PGP SIGNATURE-----


M
M
Mark H Weaver wrote on 18 Apr 2018 21:42
(name . Eric Bavier)(address . ericbavier@centurylink.net)(address . 31187@debbugs.gnu.org)
871sfci9n7.fsf@netris.org
Hi Eric,

Eric Bavier <ericbavier@centurylink.net> writes:

Toggle quote (6 lines)
> In commit 20927c9331b493eaf94211ad9f8a5055e11b4588
> url-fetch/tarbomb and url-fetch/zipbomb in guix/download.scm were
> switched to use 'invoke' instead of 'system*'. On core-updates this
> leads for me to an error when attempting to build the source for
> packages that use these fetch methods.

[...]

Toggle quote (3 lines)
> If I revert that commit it succeeds. I suppose the (guix build utils)
> module needs to be imported into the builder.

Indeed, you are right. Commit 6c293a809bba57d4363517fa0bd8ebc34247c577
on core-updates should fix this problem. Thanks for the report.

However, let's leave this bug report open for now.

The reason is that debbugs.gnu.org mishandled this report in two ways:

(1) This bug is not listed on https://bugs.gnu.org/guix, although
https://bugs.gnu.org/31187 shows it as an open bug for Guix.

(2) The original bug report was never delivered to me, although I'm
subscribed to <bug-guix@gnu.org>. If Eric hadn't CC'd me on his
original submission, I might not have seen it. I was unable to find
out the bug number until I asked Eric directly, so unfortunately the
commit does not reference the bug number.

I've reported these problems to the FSF sysadmins, and I'd like to give
them an opportunity to diagnose the problem before we change the status
of this bug.

Thanks,
Mark
G
G
Glenn Morris wrote on 18 Apr 2018 23:27
(name . Mark H Weaver)(address . mhw@netris.org)
xjmuy0ryr3.fsf@fencepost.gnu.org
Mark H Weaver wrote:

Toggle quote (3 lines)
> (1) This bug is not listed on https://bugs.gnu.org/guix, although
> <https://bugs.gnu.org/31187> shows it as an open bug for Guix.

There was a problem with the pagination. It's (now) on page 2.

Toggle quote (4 lines)
> (2) The original bug report was never delivered to me, although I'm
> subscribed to <bug-guix@gnu.org>. If Eric hadn't CC'd me on his
> original submission, I might not have seen it.

I would guess that you are subscribed to bug-guix with the "filter out
duplicates" Mailman option, so it is precisely because you were cc'd
that you did not get the mailing list copy (with the bug number).

Toggle quote (3 lines)
> I was unable to find out the bug number until I asked Eric directly,
> so unfortunately the commit does not reference the bug number.

(You could have searched for the bug by subject?)

If Eric had used X-Debbugs-CC instead of Cc in the initial report, the
mail you got would have included the bug number in the subject.
I believe this is well documented (eg on the "how to report a bug"

Toggle quote (4 lines)
> I've reported these problems to the FSF sysadmins, and I'd like to give
> them an opportunity to diagnose the problem before we change the status
> of this bug.

The FSF sysadmins don't maintain debbugs.gnu.org, so the help-debbugs
list would have been better. I (debbugs.gnu.org maintainer) happened to
see your mail although I don't normally read bug-guix.
M
M
Mark H Weaver wrote on 19 Apr 2018 13:33
(name . Glenn Morris)(address . rgm@gnu.org)
8736zrl9bv.fsf@netris.org
Hi Glenn,

Thanks very much for your informative message. I feel embarrassed for
not noticing that there were multiple pages. I rarely use the web
interface, and I guess the projects I've worked tend to have fewer than
400 active bugs.

Glenn Morris <rgm@gnu.org> writes:
Toggle quote (5 lines)
> If Eric had used X-Debbugs-CC instead of Cc in the initial report, the
> mail you got would have included the bug number in the subject.
> I believe this is well documented (eg on the "how to report a bug"
> section on https://debbugs.gnu.org/).

Okay, I will try to remind people to use 'X-Debbugs-CC' instead of 'Cc'
in the future.

Toggle quote (8 lines)
>> I've reported these problems to the FSF sysadmins, and I'd like to give
>> them an opportunity to diagnose the problem before we change the status
>> of this bug.
>
> The FSF sysadmins don't maintain debbugs.gnu.org, so the help-debbugs
> list would have been better. I (debbugs.gnu.org maintainer) happened to
> see your mail although I don't normally read bug-guix.

That was quite fortuitous. Thanks again!

I'm closing this bug now.

Mark
Closed
G
G
Glenn Morris wrote on 22 Apr 2018 02:29
(name . Mark H Weaver)(address . mhw@netris.org)
rma7twaxrx.fsf@fencepost.gnu.org
Mark H Weaver wrote:

Toggle quote (4 lines)
> I feel embarrassed for not noticing that there were multiple pages. I
> rarely use the web interface, and I guess the projects I've worked
> tend to have fewer than 400 active bugs.

No need to feel embarrassed. :)
The results pages feature was broken for projects with 400-500 bugs,
such that bugs over 400 weren't being shown, so there was no second guix
page till I fixed it. Thanks for bringing this to light! :)
L
L
Leo Famulari wrote on 22 Apr 2018 19:41
(name . Glenn Morris)(address . rgm@gnu.org)
20180422174112.GA22903@jasmine.lan
On Sat, Apr 21, 2018 at 08:29:54PM -0400, Glenn Morris wrote:
Toggle quote (11 lines)
> Mark H Weaver wrote:
>
> > I feel embarrassed for not noticing that there were multiple pages. I
> > rarely use the web interface, and I guess the projects I've worked
> > tend to have fewer than 400 active bugs.
>
> No need to feel embarrassed. :)
> The results pages feature was broken for projects with 400-500 bugs,
> such that bugs over 400 weren't being shown, so there was no second guix
> page till I fixed it. Thanks for bringing this to light! :)

I think this is a big milestone for Guix ;)
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlrcyTgACgkQJkb6MLrK
fwjVeQ//arR5qxq2IE9OMcbSVWnrR+rjw824AVamjEoT3afqv5AGHI9qOaDiMHUE
gMRtAscNimWw1U+VxT6oXc/uRwNut847XJTUnOzhYCyGT4nFCwaN/m9MGs1AxlC/
tZ1DraJnaP7z3Afo62vLBL3YDlbvHcQEdSHsgz3ZkOzm+H5YZodDJuK/cnU19k2t
6+vlMRgp/I85AA2ZZmvMbP5KWe3hAHghZKqJL7bmnsthsvcXMNOzTEgJq2WxUtz8
j6NnmlfVfu/S/vC7eXx4MDjoD5FqQF004ZSWWjqgWL6EvkUxk9yIoRqLIaKaVOWj
0aB064fGGz/4Im1dl83kkqDIw6UCkgWOHgfqs4dkXF0jnEMJLzli/ELNI+NWf+rb
bVhJ1drXJYLe8aDeztWB3mrHtowrpvqxgCycXCjmD+M5Vb8/vSzJtwLhKV+kieDX
/2nmq+R+pmgaQzqUNGQffyhM/NE/MwxJVwJnpx+cM/wbFSUwjmQbfQ8Ud71PMEIm
WjRu8RBCCC8R6Us4N9qvXKw3oaVv+Kd8iUedpSrHE4dPzEPGeZAipY1NIW4wCfGC
X2lHvvYntUrBp+kJl432YadWVL5l4yXH2RYODg6S74NzmvftBgHtAQZo42rOfb4Y
T3xqCXNHRWozbLlK28zb3VNALtmpWypxRjBBA/PdQ4wPvnFa4a8=
=TIle
-----END PGP SIGNATURE-----


M
M
Mark H Weaver wrote on 25 Apr 2018 03:32
(name . Glenn Morris)(address . rgm@gnu.org)
87in8g2hpy.fsf@netris.org
Glenn Morris <rgm@gnu.org> writes:

Toggle quote (11 lines)
> Mark H Weaver wrote:
>
>> I feel embarrassed for not noticing that there were multiple pages. I
>> rarely use the web interface, and I guess the projects I've worked
>> tend to have fewer than 400 active bugs.
>
> No need to feel embarrassed. :)
> The results pages feature was broken for projects with 400-500 bugs,
> such that bugs over 400 weren't being shown, so there was no second guix
> page till I fixed it. Thanks for bringing this to light! :)

Ahh, I had misunderstood. Now I feel better.
Thanks for fixing the bug so quickly!

Mark
?