From 26ab00a0a9c79f85641a305fb13e36476b9a0427 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Wed, 11 Jan 2017 22:40:00 +0100 Subject: [PATCH] perform-download: Add backward-compatible case. This is meant to ease transition for people running an older guix-daemon invoking a recent 'guix perform-download' with only one argument. This is a followup to 9b5364a3afb03414bd6e3ded2fbfdacabe4e8870. * guix/scripts/perform-download.scm (perform-download): Make 'output' optional. Bind 'output*' from DRV's "out" and honor it. (guix-perform-download): Add clause with one argument. --- guix/scripts/perform-download.scm | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/guix/scripts/perform-download.scm b/guix/scripts/perform-download.scm index 58a7377141..59ade0a8c1 100644 --- a/guix/scripts/perform-download.scm +++ b/guix/scripts/perform-download.scm @@ -41,20 +41,23 @@ (define %user-module (module-use! module (resolve-interface '(guix base32))) module)) -(define (perform-download drv output) +(define* (perform-download drv #:optional output) "Perform the download described by DRV, a fixed-output derivation, to OUTPUT. -Note: We don't read the value of 'out' in DRV since the actual output is -different from that when we're doing a 'bmCheck' or 'bmRepair' build." +Note: Unless OUTPUT is #f, we don't read the value of 'out' in DRV since the +actual output is different from that when we're doing a 'bmCheck' or +'bmRepair' build." (derivation-let drv ((url "url") + (output* "out") (executable "executable") (mirrors "mirrors") (content-addressed-mirrors "content-addressed-mirrors")) (unless url (leave (_ "~a: missing URL~%") (derivation-file-name drv))) - (let* ((url (call-with-input-string url read)) + (let* ((output (or output output*)) + (url (call-with-input-string url read)) (drv-output (assoc-ref (derivation-outputs drv) "out")) (algo (derivation-output-hash-algo drv-output)) (hash (derivation-output-hash drv-output))) @@ -94,17 +97,20 @@ (define (guix-perform-download . args) allows us to sidestep bootstrapping problems, such downloading the source code of GnuTLS over HTTPS, before we have built GnuTLS. See ." + + ;; This program must be invoked by guix-daemon under an unprivileged UID to + ;; prevent things downloading from 'file:///etc/shadow' or arbitrary code + ;; execution via the content-addressed mirror procedures. (That means we + ;; exclude users who did not pass '--build-users-group'.) (with-error-handling (match args (((? derivation-path? drv) (? store-path? output)) - ;; This program must be invoked by guix-daemon under an unprivileged - ;; UID to prevent things downloading from 'file:///etc/shadow' or - ;; arbitrary code execution via the content-addressed mirror - ;; procedures. (That means we exclude users who did not pass - ;; '--build-users-group'.) (assert-low-privileges) (perform-download (call-with-input-file drv read-derivation) output)) + (((? derivation-path? drv)) ;backward compatibility + (assert-low-privileges) + (perform-download (call-with-input-file drv read-derivation))) (("--version") (show-version-and-exit)) (x