Diffstat (limited to 'guix')
-rw-r--r-- | guix/scripts/perform-download.scm | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/guix/scripts/perform-download.scm b/guix/scripts/perform-download.scm index 58a7377141..59ade0a8c1 100644 --- a/guix/scripts/perform-download.scm +++ b/guix/scripts/perform-download.scm @@ -41,20 +41,23 @@ (module-use! module (resolve-interface '(guix base32))) module)) -(define (perform-download drv output) +(define* (perform-download drv #:optional output) "Perform the download described by DRV, a fixed-output derivation, to OUTPUT. -Note: We don't read the value of 'out' in DRV since the actual output is -different from that when we're doing a 'bmCheck' or 'bmRepair' build." +Note: Unless OUTPUT is #f, we don't read the value of 'out' in DRV since the +actual output is different from that when we're doing a 'bmCheck' or +'bmRepair' build." (derivation-let drv ((url "url") + (output* "out") (executable "executable") (mirrors "mirrors") (content-addressed-mirrors "content-addressed-mirrors")) (unless url (leave (_ "~a: missing URL~%") (derivation-file-name drv))) - (let* ((url (call-with-input-string url read)) + (let* ((output (or output output*)) + (url (call-with-input-string url read)) (drv-output (assoc-ref (derivation-outputs drv) "out")) (algo (derivation-output-hash-algo drv-output)) (hash (derivation-output-hash drv-output))) 
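Review bot: The fallback `(output (or output output*))` takes the write target from DRV's "out" variable without any of the checks the other inputs get: the entry point only accepts an explicit OUTPUT that satisfies `store-path?`, and `url` is guarded by `(unless url (leave ...))`, but `output*` is used as read. If DRV carries no "out" entry the binding is `#f`, and otherwise it is whatever string the derivation file holds. A guard inside the `let*` body, such as `(unless (and output (store-path? output)) (leave (_ "~a: invalid output~%") (derivation-file-name drv)))`, would keep both call paths equally strict. The `let*` body continues outside this hunk, so an equivalent check may already exist further down.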
@@ -94,17 +97,20 @@ the daemon and not explicitly described as an input of the derivation. This allows us to sidestep bootstrapping problems, such downloading the source code of GnuTLS over HTTPS, before we have built GnuTLS. See <http://bugs.gnu.org/22774>." + + ;; This program must be invoked by guix-daemon under an unprivileged UID to + ;; prevent things downloading from 'file:///etc/shadow' or arbitrary code + ;; execution via the content-addressed mirror procedures. (That means we + ;; exclude users who did not pass '--build-users-group'.) (with-error-handling (match args (((? derivation-path? drv) (? store-path? output)) - ;; This program must be invoked by guix-daemon under an unprivileged - ;; UID to prevent things downloading from 'file:///etc/shadow' or - ;; arbitrary code execution via the content-addressed mirror - ;; procedures. (That means we exclude users who did not pass - ;; '--build-users-group'.) (assert-low-privileges) (perform-download (call-with-input-file drv read-derivation) output)) + (((? derivation-path? drv)) ;backward compatibility + (assert-low-privileges) + (perform-download (call-with-input-file drv read-derivation))) (("--version") (show-version-and-exit)) (x |
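Review bot: The comment explaining why low privileges are required now sits above `with-error-handling`, away from the `assert-low-privileges` calls it justifies, and that call is now repeated by hand in each download clause. A clause added later could omit the call with nothing nearby to say it is mandatory. A one-line reminder at each call site would help, e.g. `;; Mandatory before any download; see the comment above 'with-error-handling'.` The `;backward compatibility` remark should also say what it is compatible with, presumably daemons that pass only the derivation path.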