diff options
| author | Morgan Arnold <morgan.arnold@proton.me> | 2025-03-06 10:16:29 +0000 |
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2025-06-06 18:41:19 +0200 |
| commit | b5745a327e8dae21caaf10b59256dc7b16d54588 (patch) | |
| tree | 209ab88d1fa10cce5be4d04943a71f25b4a0d0bc | |
| parent | a54f3f3e2ab2e518cbb868fcc909fc7ba6b16f3f (diff) | |
publish: Prevent publication of non-substitutable derivation outputs.
This commit prevents Guix substitute servers from distributing binaries
which are marked non-substitutable. This prevents substitute servers
from accidentally committing copyright violations by distributing
binaries that are non-substitutable for copyright reasons.
* guix/scripts/publish.scm (render-nar): Query the derivers of
‘store-path’ and do nothing if one of them does not match
‘substitutable-derivation?’.
* tests/publish.scm ("non-substitutable derivation"): New test.
Change-Id: Iaca81f5bdb430a12a3ad41e9b83e0bcc535af607
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Modified-by: Ludovic Courtès <ludo@gnu.org>
| -rw-r--r-- | guix/scripts/publish.scm | 8 | ||||
| -rw-r--r-- | tests/publish.scm | 17 |
2 files changed, 23 insertions, 2 deletions
diff --git a/guix/scripts/publish.scm b/guix/scripts/publish.scm index 6f993ef0d6..e9c6933639 100644 --- a/guix/scripts/publish.scm +++ b/guix/scripts/publish.scm @@ -61,6 +61,7 @@ #:use-module (guix cache) #:use-module (guix ui) #:use-module (guix scripts) + #:use-module (guix derivations) #:use-module ((guix utils) #:select (with-atomic-file-output compressed-file?)) #:use-module ((guix build utils) @@ -693,11 +694,14 @@ requested using POOL." (define* (render-nar store request store-item #:key (compression %no-compression)) "Render archive of the store path corresponding to STORE-ITEM." - (let ((store-path (string-append %store-directory "/" store-item))) + (let* ((store-path (string-append %store-directory "/" store-item)) + (derivations (map read-derivation-from-file + (valid-derivers store store-path))) + (substitutable? (every substitutable-derivation? derivations))) ;; The ISO-8859-1 charset *must* be used otherwise HTTP clients will ;; interpret the byte stream as UTF-8 and arbitrarily change invalid byte ;; sequences. - (if (valid-path? store store-path) + (if (and substitutable? (valid-path? store store-path)) (values `((content-type . (application/x-nix-archive (charset . "ISO-8859-1"))) (x-nar-compression . ,compression)) diff --git a/tests/publish.scm b/tests/publish.scm index 3c80c50d51..c8f66b69cd 100644 --- a/tests/publish.scm +++ b/tests/publish.scm @@ -425,6 +425,23 @@ FileSize: ~a~%" (display "This file is not a valid store item." port))) (response-code (http-get (publish-uri (string-append "/nar/invalid")))))) +(test-equal "non-substitutable derivation" + 404 + (let* ((non-substitutable + (run-with-store %store + (gexp->derivation "non-substitutable" + #~(begin + (mkdir #$output) + (chdir #$output) + (call-with-output-file "foo.txt" + (lambda (port) + (display "bar" port)))) + #:substitutable? #f))) + (item (derivation->output-path non-substitutable))) + (build-derivations %store (list non-substitutable)) + (response-code (http-get (publish-uri + (string-append "/nar/" (basename item))))))) + (test-equal "/file/NAME/sha256/HASH" "Hello, Guix world!" (let* ((data "Hello, Guix world!") |