bug#54812: ‘guix system reconfigure’ closes SSH connections

[Christine Lemmer-Webber]

Ludovic Courtès  writes:

> Ludovic Courtès  skribis:
>
>> With OpenSSH turned into inetd style in commit
>> 808b9e850491c7b1d867a5f1f4d5ee6f61f345d4, the service upgrade code used
>> by ‘guix system reconfigure’ and ‘guix deploy’ wrongfully decides that
>> the ‘sshd-*’ transient services corresponding to individual SSH
>> connections should be closed:
>
> Fixed with:
>
>   eeb8ac43c8 services: shepherd: Do not unload transient services.
>   a2c759c830 services: herd: Report whether a service is transient.
>
> Ludo’.

Hm.  I'm getting this issue.  I did a guix pull locally, on the
server... doesn't seem to make a difference.  I get the very error
reported above when using "guix deploy".

I guess others aren't?  I wonder why I am...

 - Christine

bug#55415: emacs-minimal-28.1-builder: Unknown # object: "#<"

[Maxime Devos]

> Re: bug#55415: emacs-minimal-28.1-builder: Unknown # object: "#<"

Unverified solution: replace this ...

(arguments
 (substitute-keyword-arguments (package-arguments emacs)
   ((#:configure-flags flags ''())
`(list "--with-gnutls=no" "--disable-build-details"))
   ((#:phases phases)
`(modify-phases ,phases
   (delete 'restore-emacs-pdmp)
   (delete 'strip-double-wrap)

by

(arguments
 (substitute-keyword-arguments (package-arguments emacs)
   ((#:configure-flags flags ''())
#~(list "--with-gnutls=no" "--disable-build-details"))
   ((#:phases phases)
#~(modify-phases #$phases
(delete 'restore-emacs-pdmp)
(delete 'strip-double-wrap)

in the package definition of 'emacs-minimal'.  The other package
variants of emacs would also needs this change.  The change to
#:configure-flags is probably unnecessary but I think it's nice for
consistency.

Greetings,
Maxime.


signature.asc
Description: This is a digitally signed message part

bug#55415: emacs-minimal-28.1-builder: Unknown # object: "#<"

[Fredrik Salomonsson]

Hi,

Getting this error when I try and update my emacs profile after a recent
guix pull:

---8<---
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
The following derivations will be built:
  /gnu/store/jwm349jkbx675lsgkgvlgvyyzg89v4vf-emacs-async-1.9.4.drv
  /gnu/store/ah6zl6vdns20nwdhahsspnnbxdr4j0bn-emacs-minimal-28.1.drv
building /gnu/store/ah6zl6vdns20nwdhahsspnnbxdr4j0bn-emacs-minimal-28.1.drv...
ice-9/read.scm:126:4: In procedure read-expr*:
/gnu/store/4i6avyj1sf50dmyg1242grbfacwgm4sa-emacs-minimal-28.1-builder:1:2852: 
Unknown # object: "#<"
builder for 
`/gnu/store/ah6zl6vdns20nwdhahsspnnbxdr4j0bn-emacs-minimal-28.1.drv' failed 
with exit code 1
build of /gnu/store/ah6zl6vdns20nwdhahsspnnbxdr4j0bn-emacs-minimal-28.1.drv 
failed
View build log at 
'/var/log/guix/drvs/ah/6zl6vdns20nwdhahsspnnbxdr4j0bn-emacs-minimal-28.1.drv.gz'.
cannot build derivation 
`/gnu/store/jwm349jkbx675lsgkgvlgvyyzg89v4vf-emacs-async-1.9.4.drv': 1 
dependencies couldn't be built
guix build: error: build of 
`/gnu/store/jwm349jkbx675lsgkgvlgvyyzg89v4vf-emacs-async-1.9.4.drv' failed
--->8---

I have narrowed it down to commit
64557bc695f074af3fcf1eeed8f6696921ef18c5

I have commented out my third party channels (flatwhatson and my own plt
channel) and it still fails.

Here is a repro:

guix describe --format=channels:

---8<---
(list (channel
(name 'guix)
(url "https://git.savannah.gnu.org/git/guix.git;)
(branch #f)
(commit
  "64557bc695f074af3fcf1eeed8f6696921ef18c5")
(introduction
  (make-channel-introduction
"9edb3f66fd807b096b48283debdcddccfea34bad"
(openpgp-fingerprint
  "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA")
-->8---

Run:

guix pull --commit=64557bc695
guix build emacs-async

I'm on a foreign distro if that makes any difference.

Thanks.

-- 
s/Fred[re]+i[ck]+/Fredrik/g

bug#55335: openssh-service no longer listens on IPv6

[Jack Hill]

On Sat, 14 May 2022, Ludovic Courtès wrote:


Hi,

Thinking about it, what do you think is the risk of using AF_INET6
unconditionally?

AFAICS it just works.  Is there a switch somewhere that might affect
that behavior?


Yes, I beleive that it's in sysctl:

```
$ sysctl net.ipv6.bindv6only
net.ipv6.bindv6only = 0
```

If enabled, the v6 socket wouldn't work for v4. Disabled is the default on 
Guix System. I don't know what would happen if v6 were disabled entirely. 
Hopefully that's not something we have to worry about in 2022.


HTH,
Jack

bug#53594: no matching pattern #

[Ludovic Courtès]

Hello,

The failing code is at gexp.scm:901:23, which corresponds to this:

  (mlet %store-monad ((obj (lower-object thing system
 #:target
 (and (not native?)
  target
901:(return (match obj
  ((? derivation? drv)
   (derivation-input drv (list output)))
  ((? store-item? item)
   item)
  ((? self-quoting?)
   ;; Some inputs such as  can lower to
   ;; a self-quoting object that FILTERM will filter
   ;; out.
   #f

That means (lower-object polkit) returned polkit (the package object)
instead of a derivation, hence ‘match-error’.

This is normally impossible: ‘lower-object’ calls ‘package->derivation’,
which returns a derivation.  But maybe something weird is happening when
‘build-derivations’ aborts to the build-handler prompt, or when the
continuation is eventually resumed; maybe the object cache gets
“poisoned” with an incorrect value during that process.

So far the only reproducer we have seems to be along the lines of: grab
the ISO, run ‘guix pull’ (if it’s the 1.3.0 ISO; if it’s a fresh ISO,
that’s not necessary), run ‘guix system init’, watch it crash.

Does anyone have a simpler reproducer?

To be continued…

Ludo’.

bug#55335: openssh-service no longer listens on IPv6

[Ludovic Courtès]

Hi,

Christopher Baines  skribis:

> Switching to listing via IPv6 should support IPv4 connections, as Linux is
> capable of translating IPv4 connections to IPv6. I think there's a risk that
> switching to this approach will affect some uses of the openssh
> service. Therefore, this commit makes this a configuration option, which is #f
> by default.

[...]

> +   (make-socket-address #$(if (openssh-listen-via-ipv6? 
> config)
> +  #~AF_INET6
> +  #~AF_INET)
> +INADDR_ANY
>  #$port-number)

Thinking about it, what do you think is the risk of using AF_INET6
unconditionally?

AFAICS it just works.  Is there a switch somewhere that might affect
that behavior?

(I still think that changing ‘make-inetd-constructor’ to accept multiple
addresses is a better fix longer-term, but if we can have this quick
fix, that’s great.)

Ludo’.

bug#52577: ‘guix lint’ throws an ugly backtrace if the GitHub updater receives “rate limit exceeded” error

[Ludovic Courtès]

Hi,

Xinglu Chen  skribis:

> When running ‘guix lint -c refresh’ on a package hosted on GitHub, I get
> an ugly backtrace when the GitHub rate limit has been reached.
>
> $ guix lint pipewire

[...]

>1428:5  5 (check-for-updates #)
> 771:2  4 (call-with-networking-fail-safe _ _ _)
> In ice-9/boot-9.scm:
>   1752:10  3 (with-exception-handler _ _ #:unwind? _ # _)
>   1685:16  2 (raise-exception _ #:continuable? _)
>   1683:16  1 (raise-exception _ #:continuable? _)
>   1685:16  0 (raise-exception _ #:continuable? _)
>
> ice-9/boot-9.scm:1685:16: In procedure raise-exception:
> ERROR:
>   1. :
>   uri: #< scheme: https userinfo: #f host: "api.github.com" port: #f 
> path: "/repos/PipeWire/pipewire/releases" query: #f fragment: #f>
>   code: 403
>   reason: "rate limit exceeded"
>   2. : "https://api.github.com/repos/PipeWire/pipewire/releases: HTTP 
> download failed: 403 (\"rate limit exceeded\")"

This was fixed in March with commit
55e8e283ae398cc476e50e822383797c5f43db4c.

Closing!

Ludo’.

bug#55335: openssh-service no longer listens on IPv6

[Ludovic Courtès]

Hi,

Christopher Baines  skribis:

> Prior to the switch to the openssh service using inetd, you could connect over
> IPv4 or IPv6. With inetd, you can only connect over IPv4, meaning for machines
> with just IPv6 connectivity, you can't connect.
>
> Switching to listing via IPv6 should support IPv4 connections, as Linux is
> capable of translating IPv4 connections to IPv6. I think there's a risk that
> switching to this approach will affect some uses of the openssh
> service. Therefore, this commit makes this a configuration option, which is #f
> by default.
>
> In the future, once it's easy to do so via Guile and the shepherd, it would be
> good if two sockets were used, one for IPv4 and one for IPv6. That's not easy
> at the moment, as the IPv6 socket conflicts with the IPv4 one, due to the
> translation behaviour described above.

Yes, I was going to suggest turning the ‘address’ argument of
‘make-inetd-constructor’ into ‘addresses’ (plural), with backward
compatibility.  For sshd, we’d do:

 (make-inetd-constructor
  (append #$openssh-command '("-i"))
  (list (make-socket-address AF_INET INADDR_ANY #$port-number)
(make-socket-address AF_INET6 INADDR_ANY #$port-number)))

It’s not that simple, due to the v6-to-v4 translation you mention:

--8<---cut here---start->8---
scheme@(guile-user)> (define v4 (make-socket-address AF_INET INADDR_ANY ))
scheme@(guile-user)> (define v6 (make-socket-address AF_INET6 INADDR_ANY ))
scheme@(guile-user)> (define s4 (socket AF_INET SOCK_STREAM 0))
scheme@(guile-user)> (define s6 (socket AF_INET6 SOCK_STREAM 0))
scheme@(guile-user)> (bind s4 v4)
scheme@(guile-user)> (bind s6 v6)
ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure bind: Address already in use

Entering a new prompt.  Type `,bt' for a backtrace or `,q' to continue.
--8<---cut here---end--->8---

… but it can be made to work:

--8<---cut here---start->8---
scheme@(guile-user)> (define s4 (socket AF_INET SOCK_STREAM 0))
scheme@(guile-user)> (define s6 (socket AF_INET6 SOCK_STREAM 0))
scheme@(guile-user)> (define IPPROTO_IPV6 41)
scheme@(guile-user)> (define IPV6_V6ONLY 26)
scheme@(guile-user)> (setsockopt s6 IPPROTO_IPV6 IPV6_V6ONLY 1)
scheme@(guile-user)> (bind s4 v4)
scheme@(guile-user)> (bind s6 v6)
--8<---cut here---end--->8---

So ‘make-inetd-constructor’ would interpret v6 addresses as v6-only,
with the understanding that the caller has to explicitly pass all the
relevant addresses.

Thoughts?

We could release Shepherd shortly with the fixes that have accumulated.
The service in Guix would be able to use it, but only if PID 1 is recent
enough.

Thanks,
Ludo’.

bug#54752: import: hackage: `elif` conditionals not supported

[Lars-Dominik Braun]

Hi Philip,

> Since Cabal 2.2 conditional blocks support the `elif` construct [0], but our 
> hackage importer does not currently support such expressions. This causes 
> importing packages like `raaz` [1] to fail.
attached patch series fixes the import for `raaz` by adding support for
elif and other minor adjustments. There still is syntax we do not support,
most importantly mixed indentation, which is already documented as xfail
via a testcase. I’m adding a few more.

Could you have a look please if these make sense?

Cheers,
Lars

>From 6b47c1d399922b60dafa01105daa1b7ea3da3935 Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun 
Date: Sat, 30 Apr 2022 15:38:44 +0200
Subject: [PATCH 1/5] import: cabal: Support elif statement.

* guix/import/cabal.scm (make-cabal-parser): Replace if-then-else grammar case 
with elif-else, modify if-then accordingly.
(is-elif): New procedure.
(lex-elif): Likewise.
(is-id): Add elif keyword.
(lex-word): Add test for elif.
* tests/hackage.scm (test-cabal-if): New variale.
(test-cabal-else): Likewise.
(test-cabal-elif): Likewise.
(test-cabal-elif-brackets): Likewise.
(match-ghc-elif): Likewise.
("hackage->guix-package test lonely if statement",
"hackage->guix-package test else statement",
"hackage->guix-package test elif statement",
"hackage->guix-package test elif statement with brackets"): New tests.
---
 guix/import/cabal.scm |  63 ++
 tests/hackage.scm | 102 ++
 2 files changed, 136 insertions(+), 29 deletions(-)

diff --git a/guix/import/cabal.scm b/guix/import/cabal.scm
index 98d7234098..e1a082a31a 100644
--- a/guix/import/cabal.scm
+++ b/guix/import/cabal.scm
@@ -149,7 +149,7 @@ (define (make-cabal-parser)
(right: IF FLAG EXEC TEST-SUITE CUSTOM-SETUP SOURCE-REPO BENCHMARK 
LIB COMMON OCURLY)
(left: OR)
(left: PROPERTY AND)
-   (right: ELSE NOT))
+   (right: ELIF ELSE NOT))
;; --- rules
(body(properties sections)   : (append $1 $2))
(sections(sections flags): (append $1 $2)
@@ -193,32 +193,32 @@ (define (make-cabal-parser)
 (LIB open exprs close): `(section library ,$3))
(exprs   (exprs PROPERTY) : (append $1 (list $2))
 (PROPERTY)   : (list $1)
-(exprs if-then-else) : (append $1 (list $2))
-(if-then-else)   : (list $1)
-(exprs if-then)  : (append $1 (list $2))
-(if-then): (list $1))
-   (if-then-else (IF tests OCURLY exprs CCURLY ELSE OCURLY exprs CCURLY)
- : `(if ,$2 ,$4 ,$8)
- (IF tests open exprs close ELSE OCURLY exprs CCURLY)
- : `(if ,$2 ,$4 ,$8)
- ;; The 'open' token after 'tests' is shifted after an 'exprs'
- ;; is found.  This is because, instead of 'exprs' a 'OCURLY'
- ;; token is a valid alternative.  For this reason, 'open'
- ;; pushes a  with a line indentation equal to
- ;; the indentation of 'exprs'.
- ;;
- ;; Differently from this, without the rule above this
- ;; comment, when an 'ELSE' token is found, the 'open' token
- ;; following the 'ELSE' would be shifted immediately, before
- ;; the 'exprs' is found (because there are no other valid
- ;; tokens).  The 'open' would therefore create a
- ;;  with the indentation of 'ELSE' and not
- ;; 'exprs', creating an inconsistency.  We therefore allow
- ;; mixed style conditionals.
- (IF tests open exprs close ELSE open exprs close)
- : `(if ,$2 ,$4 ,$8))
-   (if-then (IF tests OCURLY exprs CCURLY) : `(if ,$2 ,$4 ())
-(IF tests open exprs close): `(if ,$2 ,$4 ()))
+(exprs elif-else)  : (append $1 (list ($2 '(()
+(elif-else): (list ($1 '(()
+   ;; LALR(1) parsers prefer to be left-recursive, which make if-statements 
slightly involved.
+   ;; XXX: This technically allows multiple else statements.
+   (elif-else   (elif-else ELIF tests OCURLY exprs CCURLY) : (lambda (y) ($1 
(list (append (list 'if $3 $5) y
+(elif-else ELIF tests open exprs close) : (lambda (y) ($1 
(list (append (list 'if $3 $5) y
+(elif-else ELSE OCURLY exprs CCURLY) : (lambda (y) ($1 (list 
$4)))
+;; The 'open' token after 'tests' is shifted after an 'exprs'
+;; is found.  This is because, instead of 'exprs' a 'OCURLY'
+;; token is a valid alternative.  For this reason, 'open'
+;; pushes a  with a line indentation equal to
+;; the indentation of 'exprs'.
+;;
+;; Differently from this, without the 

bug#55335: openssh-service no longer listens on IPv6

[Ludovic Courtès]

Hi,

Jack Hill  skribis:

> However, while ssh is now able to connect to the socket, something is
> going wrong in the handoff to sshd. I see the following message
> printed on the console when trying to connect:
>
> Uncaught exception in task:
> In fibers.scm:
>   150:8 4 (_)
> In shepherd/service.scm:
>   1435:21 3 (_)
>   1280:30 2 (socket-address->string #(10 # 37896 0 0))
> In unknown file:
>   1 (inet-ntop 2 42540578165178177408896616697074944157)
> In ice-9/boot-9.scm:
>   1685:16 0 (raise-exception _ #:continualbe? _)
> ice-9/boot-9.scm:1685:16: In procecure raise-exception:
> Value our of range 0 to 18446744073709551615: 
> 42540578165178177408896616697074944157

Oops, another embarrassing bug, now fixed in Shepherd commit
27dd4df9d83e9c59668bd9e6ca05a3a4983e10d2.

Thanks,
Ludo’.

bug#55406: GUIX Image API: wrong fs type and flag

[Pavel Shlyak]

I have a scheme code like

(define rpi-boot-partition
(partition
(size (* 128 (expt 2 20)))
(label "BOOT")
(file-system "vfat")
(flags '())
(initializer (gexp initialize-efi-partition

(define rpi-root-partition
(partition
(size 'guess)
(label "RASPIROOT")
(file-system "ext4")
(flags '(boot))
(initializer (gexp initialize-root-partition

(define raspberry-pi-image
(image
(format 'disk-image)
(partitions (list rpi-boot-partition rpi-root-partition

The output is like that:
$ fdisk -l 
/gnu/store/hnsfs5a161f5hvymg7ar541qrml62yvv-raspberry-pi-barebones-raw-image
Device Boot Start End Sectors Size Id Type
/gnu/store/hnsfs5a161f5hvymg7ar541qrml62yvv-raspberry-pi-barebones-raw-image1 1 
262144 262144 128M 83 Linux
/gnu/store/hnsfs5a161f5hvymg7ar541qrml62yvv-raspberry-pi-barebones-raw-image2 
262145 3583688 3321544 1.6G 83 Linux  

No boot flag is set on the first partition. The file system seems to be 
incorrect (ext* instead of vfat)

bug#55405: Image API produces incorrect images

[Pavel Shlyak]

I have a scheme code like

(define rpi-boot-partition
(partition
(size (* 128 (expt 2 20)))
(label "BOOT")
(file-system "vfat")
(flags '())
(initializer (gexp initialize-efi-partition

(define rpi-root-partition
(partition
(size 'guess)
(label "RASPIROOT")
(file-system "ext4")
(flags '(boot))
(initializer (gexp initialize-root-partition

(define raspberry-pi-image
(image
(format 'disk-image)
(partitions (list rpi-boot-partition rpi-root-partition

The output is like that:
$ fdisk -l 
/gnu/store/hnsfs5a161f5hvymg7ar541qrml62yvv-raspberry-pi-barebones-raw-image
Device
Boot  Start End Sectors  Size Id Type
/gnu/store/hnsfs5a161f5hvymg7ar541qrml62yvv-raspberry-pi-barebones-raw-image1   
1  262144  262144  128M 83 Linux
/gnu/store/hnsfs5a161f5hvymg7ar541qrml62yvv-raspberry-pi-barebones-raw-image2   
   262145 3583688 3321544  1.6G 83 Linux

No boot flag is set on the first partition. The file system seems to be 
incorrect (ext* instead of vfat)