| 18 Feb 2025 |
 apteryx | hello! would someone know if there ever was a bug in the nix daemon where a package with the allowSubstitutes bit disabled could in fact, be substituted? I'm seeing this in Guix, which uses the Nix daemon from ~2012 (more context on the problem: https://issues.guix.gnu.org/41602) | 13:06:55 |
 Sandro 🐧 | good that you have that on the radar. Was going to ask about that | 14:08:09 |
|  mra joined the room. | 15:21:41 |
 jade_ | In reply to @woobilicious:matrix.org
jade_: thanks, I could have a look at opening a PR, but I'm not really an expert in C++ so might take me a while to figure out how to write a patch. https://gerrit.lix.systems/c/lix/+/2578/2 this is the vague shape of the patch, fresh in mind because i just wrote one yesterday for something else | 17:03:15 |
| jade_ | In reply to @apteryx:matrix.org
hello! would someone know if there ever was a bug in the nix daemon where a package with the allowSubstitutes bit disabled could in fact, be substituted? I'm seeing this in Guix, which uses the Nix daemon from ~2012 (more context on the problem: https://issues.guix.gnu.org/41602) i am so sorry. um. looking at the modernized nix daemon's substitution loop etc makes me want to cry at the best of times and a nix daemon from 2012 is going to be no better. i would suggest the debug logs actually, assuming they existed at the time; they do tell you what the state machine did.
also recommended: --store $PWD/store so you can trivially wipe it between tries and not need to debug the daemon at all by not having one involved
| 17:07:46 |
| mra | In reply to @jade_:matrix.org
i am so sorry. um. looking at the modernized nix daemon's substitution loop etc makes me want to cry at the best of times and a nix daemon from 2012 is going to be no better. i would suggest the debug logs actually, assuming they existed at the time; they do tell you what the state machine did.
also recommended: --store $PWD/store so you can trivially wipe it between tries and not need to debug the daemon at all by not having one involved thanks Jade! | 17:11:43 |
| mra | oh I guess I haven't clarified that I am involved in this lol | 17:12:10 |
| jade_ | also recommended --max-jobs 0 | 17:12:24 |
| jade_ | the expected behaviour in such a case is that it will actually fail without the very modern --always-allow-substitutes set, which has an egregiously bad error message also | 17:13:09 |
| jade_ | * | 17:13:28 |
| jade_ | if that's not what happens, your daemon has diverged from the modern ones | 17:14:02 |
| jade_ | also if you want to not deal with an evaluator you can probably nix-copy-closure the drv files into $PWD/store before beginning the test substitution | 17:14:47 |
 Robert Hensing (roberth) | and https://github.com/NixOS/nix/pull/12503, to be upstreamed into nixpkgs too | 18:42:27 |
 emily | mra: fwiw our side of the ecosystem is on the way towards deprecating allowSubstitutes = false; (hence --always-allow-substitutes etc.) as not really useful in practice | 22:40:38 |
| emily | not sure whether Guix would have an easier time phasing it out than us, but if so it might be worth considering rather than fixing | 22:41:15 |
| emily | (I thought Guix had rewritten the daemon, 2012 nix-daemon sounds scary…) | 22:41:45 |
| emily | (there's been a good few CVEs since then) | 22:41:46 |
 ElvishJerricco | Why is it not really useful? | 23:19:32 |
| emily | there's a bunch of discussion in https://github.com/NixOS/nix/issues/4442 | 23:20:23 |
| emily | and tl;dr rationale in https://github.com/NixOS/nix/pull/8047 https://github.com/NixOS/nix/issues/3686 | 23:21:04 |
| emily | (mostly it just does not seem like "whether you can fetch a built result from a substituter" should be within the purview of a derivation anyway. hints to prefer building on a local machine are one thing) | 23:21:40 |
| jade_ | guessing it is probably because guix cares far, far too mucha tremendous amount about licensing and so stuff like zfs integrated into a linux kernel is not something they consider ok to substitute | 23:21:58 |
| emily | I somewhat doubt Guix has a zfs.ko package to begin with | 23:24:23 |
| emily | but in this case the bug report was about TeX Live | 23:24:29 |
| emily | (I'd expect hydraPlatforms/license to be disjoint from allowSubstitutes anyway? but I have no idea how they do things in Guixland :) ) | 23:25:14 |
| 19 Feb 2025 |
| apteryx | there is one in the zfs package (its 'module' output). and indeed, looking into this is motivated by being able to reliably prevent fetching binaries which could constitute copyright violations, such as the combination of GPLv2 only linux modules with the zfs CDDL in a binary initrd, for example. | 01:24:25 |
| apteryx | and the texlive issue (where apparently we aren't able to control that the way we thought it should work) appeared related, or worrying in that context :-) | 01:25:21 |
| apteryx | Thanks for the pointers! It seems our 'guix-daemon' binary doesn't expose a --store argument :-/ | 01:32:19 |
| apteryx | We do have --max-jobs though | 01:32:38 |
| apteryx | I'll try setting it to 0 and see what it does. So far I'm following the daemon execution flow in GDB | 01:33:58 |
