From 9b5364a3afb03414bd6e3ded2fbfdacabe4e8870 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Wed, 11 Jan 2017 17:06:31 +0100 Subject: daemon: Allow check builds of 'builtin:download' derivations. Fixes . Reported by Leo Famulari . * nix/libstore/build.cc (DerivationGoal::runChild): In the 'isBuiltin' case, check whether DRV's output is in 'redirectedOutputs', and pass an 'output' argument to the built-in builder. (DerivationGoal::addHashRewrite): Add 'printMsg' call. * nix/libstore/builtins.hh (derivationBuilder): Add 'output' parameter. * nix/libstore/builtins.cc (builtinDownload): Likewise. Add OUTPUT to ARGV. * guix/scripts/perform-download.scm (perform-download): Add 'output' parameter. (guix-perform-download): Adjust 'match' clauses accordingly. * tests/derivations.scm ("'download' built-in builder, check mode"): New test. --- guix/scripts/perform-download.scm | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'guix/scripts/perform-download.scm') diff --git a/guix/scripts/perform-download.scm b/guix/scripts/perform-download.scm index 0d2e7089aa..58a7377141 100644 --- a/guix/scripts/perform-download.scm +++ b/guix/scripts/perform-download.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2016 Ludovic Courtès +;;; Copyright © 2016, 2017 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -19,7 +19,7 @@ (define-module (guix scripts perform-download) #:use-module (guix ui) #:use-module (guix derivations) - #:use-module ((guix store) #:select (derivation-path?)) + #:use-module ((guix store) #:select (derivation-path? store-path?)) #:use-module (guix build download) #:use-module (ice-9 match) #:export (guix-perform-download)) 
@@ -41,10 +41,13 @@ (module-use! module (resolve-interface '(guix base32))) module)) -(define (perform-download drv) - "Perform the download described by DRV, a fixed-output derivation." +(define (perform-download drv output) + "Perform the download described by DRV, a fixed-output derivation, to +OUTPUT. + +Note: We don't read the value of 'out' in DRV since the actual output is +different from that when we're doing a 'bmCheck' or 'bmRepair' build." (derivation-let drv ((url "url") - (output "out") (executable "executable") (mirrors "mirrors") (content-addressed-mirrors "content-addressed-mirrors")) @@ -93,18 +96,20 @@ of GnuTLS over HTTPS, before we have built GnuTLS. See ." (with-error-handling (match args - (((? derivation-path? drv)) + (((? derivation-path? drv) (? store-path? output)) ;; This program must be invoked by guix-daemon under an unprivileged ;; UID to prevent things downloading from 'file:///etc/shadow' or ;; arbitrary code execution via the content-addressed mirror ;; procedures. (That means we exclude users who did not pass ;; '--build-users-group'.) (assert-low-privileges) - (perform-download (call-with-input-file drv read-derivation))) + (perform-download (call-with-input-file drv read-derivation) + output)) (("--version") (show-version-and-exit)) (x - (leave (_ "fixed-output derivation name expected~%")))))) + (leave + (_ "fixed-output derivation and output file name expected~%")))))) ;; Local Variables: ;; eval: (put 'derivation-let 'scheme-indent-function 2) -- cgit v1.2.3 From 26ab00a0a9c79f85641a305fb13e36476b9a0427 Mon Sep 17 00:00:00 2001 
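Review bot: In the new `(((? derivation-path? drv) (? store-path? output))` clause, OUTPUT is accepted on the strength of `store-path?` alone, and nothing in this hunk relates it to DRV's own outputs. This argument now decides where the downloaded file is written, so the trust assumption belongs next to the clause, for example `;; OUTPUT is chosen by guix-daemon; we only check that it is a store file name, not that it belongs to DRV.` The existing comment about the unprivileged UID covers the derivation and the mirror procedures but not this second argument. The docstring added in the `perform-download` hunk above has the same gap and could say who supplies OUTPUT.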
From: Ludovic Courtès Date: Wed, 11 Jan 2017 22:40:00 +0100 Subject: perform-download: Add backward-compatible case. This is meant to ease transition for people running an older guix-daemon invoking a recent 'guix perform-download' with only one argument. This is a followup to 9b5364a3afb03414bd6e3ded2fbfdacabe4e8870. * guix/scripts/perform-download.scm (perform-download): Make 'output' optional. Bind 'output*' from DRV's "out" and honor it. (guix-perform-download): Add clause with one argument. --- guix/scripts/perform-download.scm | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) (limited to 'guix/scripts/perform-download.scm') diff --git a/guix/scripts/perform-download.scm b/guix/scripts/perform-download.scm index 58a7377141..59ade0a8c1 100644 --- a/guix/scripts/perform-download.scm +++ b/guix/scripts/perform-download.scm @@ -41,20 +41,23 @@ (module-use! module (resolve-interface '(guix base32))) module)) -(define (perform-download drv output) +(define* (perform-download drv #:optional output) "Perform the download described by DRV, a fixed-output derivation, to OUTPUT. -Note: We don't read the value of 'out' in DRV since the actual output is -different from that when we're doing a 'bmCheck' or 'bmRepair' build." +Note: Unless OUTPUT is #f, we don't read the value of 'out' in DRV since the +actual output is different from that when we're doing a 'bmCheck' or +'bmRepair' build." (derivation-let drv ((url "url") + (output* "out") (executable "executable") (mirrors "mirrors") (content-addressed-mirrors "content-addressed-mirrors")) (unless url (leave (_ "~a: missing URL~%") (derivation-file-name drv))) - (let* ((url (call-with-input-string url read)) + (let* ((output (or output output*)) + (url (call-with-input-string url read)) (drv-output (assoc-ref (derivation-outputs drv) "out")) (algo (derivation-output-hash-algo drv-output)) (hash (derivation-output-hash drv-output))) 
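Review bot: The fallback in `(output (or output output*))` takes the destination from DRV's "out" variable without the `store-path?` test that the two-argument command-line form applies. Judging by the `(unless url ...)` check, a missing variable yields `#f`, so `output` can also end up `#f`. The rest of the `let*` body lies outside the hunk, so what happens to such a value downstream is not visible here; presumably the daemon always sets "out". A guard at the top of the `let*` body would make both paths consistent: `(unless (and output (store-path? output)) (leave (_ "~a: missing or invalid output file name~%") (derivation-file-name drv)))`.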
@@ -94,17 +97,20 @@ the daemon and not explicitly described as an input of the derivation. This allows us to sidestep bootstrapping problems, such downloading the source code of GnuTLS over HTTPS, before we have built GnuTLS. See ." + + ;; This program must be invoked by guix-daemon under an unprivileged UID to + ;; prevent things downloading from 'file:///etc/shadow' or arbitrary code + ;; execution via the content-addressed mirror procedures. (That means we + ;; exclude users who did not pass '--build-users-group'.) (with-error-handling (match args (((? derivation-path? drv) (? store-path? output)) - ;; This program must be invoked by guix-daemon under an unprivileged - ;; UID to prevent things downloading from 'file:///etc/shadow' or - ;; arbitrary code execution via the content-addressed mirror - ;; procedures. (That means we exclude users who did not pass - ;; '--build-users-group'.) (assert-low-privileges) (perform-download (call-with-input-file drv read-derivation) output)) + (((? derivation-path? drv)) ;backward compatibility + (assert-low-privileges) + (perform-download (call-with-input-file drv read-derivation))) (("--version") (show-version-and-exit)) (x -- cgit v1.2.3
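Review bot: The one-argument clause marked `;backward compatibility` sends the download to DRV's "out", which this file's own docstring says is not the actual output during a 'bmCheck' or 'bmRepair' build; the comment should state that limitation. Something like `;; Backward compatibility with daemons that pass only DRV: the file goes to DRV's "out", which is wrong for check and repair builds; remove once such daemons are gone.` would do. Separately, `assert-low-privileges` is now repeated in each downloading clause while the comment explaining it has moved above `with-error-handling`. A short `;; Every clause that downloads must call 'assert-low-privileges' first.` beside the `match` would help keep a later clause from omitting it.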