From patchwork Sun Feb 16 11:29:34 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Morgan Arnold <morgan.arnold@proton.me>
X-Patchwork-Id: 38732
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-Original-To: patchwork@mira.cbaines.net
Delivered-To: patchwork@mira.cbaines.net
Received: by mira.cbaines.net (Postfix, from userid 113)
	id 2746827BBE9; Sun, 16 Feb 2025 11:30:17 +0000 (GMT)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net
X-Spam-Level: 
X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED,
	RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE,
	SPF_HELO_PASS autolearn=unavailable autolearn_force=no version=3.4.6
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	by mira.cbaines.net (Postfix) with ESMTPS id 462EA27BBE2
	for <patchwork@mira.cbaines.net>; Sun, 16 Feb 2025 11:30:15 +0000 (GMT)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces@gnu.org>)
	id 1tjcqd-0005en-IM; Sun, 16 Feb 2025 06:30:07 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1tjcqb-0005dN-RI
 for guix-patches@gnu.org; Sun, 16 Feb 2025 06:30:05 -0500
Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1tjcqa-0001u1-Ij
 for guix-patches@gnu.org; Sun, 16 Feb 2025 06:30:05 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=debbugs.gnu.org; s=debbugs-gnu-org;
 h=MIME-Version:From:Date:To:In-Reply-To:References:Subject;
 bh=9iCX6LLuWhip89We3ANnCNsAyno5FmPYCPTlMRnhXmk=;
 b=niX4FEFLgXyO7+tctP4OYvqD0u4j8lunSF81ZsqidNly6L1f+KH+tppLps+lwSzVZnKQgTPLlKhnrquD4JAT4qkpcLXOMOHVEkrixxV9xEHw4J7AWU2YMFKCOznidm19gH0FmyOIsVik+RPmqML7QJYM8Ge5HGX4/3Lizk6aZSTbnU0Wn7s+ETJrq/rPp40qHc6lU1c4ptDgun+TlHCJcn+wQbenwuHKEa1lMDHXlpxREoLMqAugRpRN1aly2Z1xfYe37m+IvV43Qh4QL1SCOav8kUy0OC6mvKEqSsYCXM2Z6t+b94bSt8ciUQ1xzgJoyQMombv27L/XMdP/YrjYXA==;
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1tjcqZ-0000P3-8H
 for guix-patches@gnu.org; Sun, 16 Feb 2025 06:30:03 -0500
X-Loop: help-debbugs@gnu.org
Subject: [bug#55231] [PATCH] Prevent possible copyright violations caused by
 initrd changes.
References: <87wnf3pv87.fsf@ditto.jhoto.spork.org>
In-Reply-To: <87wnf3pv87.fsf@ditto.jhoto.spork.org>
Resent-From: Morgan Arnold <morgan.arnold@proton.me>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Sun, 16 Feb 2025 11:30:03 +0000
Resent-Message-ID: <handler.55231.B55231.17397053911499@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 55231
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 55231@debbugs.gnu.org
Cc: Morgan Arnold <morgan.arnold@proton.me>
Received: via spool by 55231-submit@debbugs.gnu.org id=B55231.17397053911499
 (code B ref 55231); Sun, 16 Feb 2025 11:30:03 +0000
Received: (at 55231) by debbugs.gnu.org; 16 Feb 2025 11:29:51 +0000
Received: from localhost ([127.0.0.1]:60650 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1tjcqM-0000O7-Ty
 for submit@debbugs.gnu.org; Sun, 16 Feb 2025 06:29:51 -0500
Received: from mail-10629.protonmail.ch ([79.135.106.29]:49009)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <morgan.arnold@proton.me>)
 id 1tjcqJ-0000Nr-Ki
 for 55231@debbugs.gnu.org; Sun, 16 Feb 2025 06:29:48 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me;
 s=protonmail; t=1739705380; x=1739964580;
 bh=9iCX6LLuWhip89We3ANnCNsAyno5FmPYCPTlMRnhXmk=;
 h=Date:To:From:Cc:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
 Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector:
 List-Unsubscribe:List-Unsubscribe-Post;
 b=Z1Wf8A8ZfdLJsp2wvPr4nOrpoXZ71ZgA3MgaGTMrlrcjtcL3awx4K1ex6W0T1q/Ga
 eTD4RO1iACSTEVph1k5JBXKVOShAiGY0Jm06+B23BX80kQGrmQYGt5NhiMHEUi9myo
 F9ufIne57LfUwCz9jCf57fIsiBPm7Pk/jgiYl2XhZUha4SBtLOEAQf+qj/9v1sK3gg
 r69QgcqkdpcHTJ0fMYzrBBEdzvJxePSIm17JKeUjG0g4jbpdwQ61RhRMoUCdgrnQGw
 p+O/gRITV0Cgd0E8cNO+hOBukot/ChA3j7v6vfKMDL9X06yVi7X1mDDEj3dkpVz0WQ
 9y7cUIPfGqogQ==
Date: Sun, 16 Feb 2025 11:29:34 +0000
Message-ID: 
 <04422036fe701cdb2a249819cdfb79284539026f.1739705251.git.morgan.arnold@proton.me>
Feedback-ID: 45510636:user:proton
X-Pm-Message-ID: 3a4779d00eef39831cd1c6cabd0299723ea3e25f
MIME-Version: 1.0
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Reply-to: Morgan Arnold <morgan.arnold@proton.me>
X-ACL-Warn: ,  Morgan Arnold via Guix-patches <guix-patches@gnu.org>
X-Patchwork-Original-From: Morgan Arnold via Guix-patches via
 <guix-patches@gnu.org>
From: Morgan Arnold <morgan.arnold@proton.me>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
X-getmail-retrieved-from-mailbox: Patches

This commit changes the conditions under which derivations, as constructed by the `derivation` function, are made substitutable, to prevent potential copyright violations related to the construction of substitutable initrds including non-substitutable derivations (in particular, ZFS).

This change prevents such copyright violations by only marking a derivation as substitutable if it is marked substitutable and all of its inputs are marked as substitutable. This means that non-substitutable derivations have a "poisoning" effect, preventing derivations which take them as input from being substitutable.

Change-Id: I80ba4a371ee0c55a1294aff311d4e7b151055fac
---
 guix/derivations.scm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)


base-commit: b30669e15d2e8c3d1b74b32f77e2095682aab4ca
prerequisite-patch-id: 45b81fb0e4b05258028b424c6faa9ce11db81572
prerequisite-patch-id: 73d157f088f6ec9e9feece25a7ba6a0c890d6343

diff --git a/guix/derivations.scm b/guix/derivations.scm
index bef98cd..64b51d8 100644
--- a/guix/derivations.scm
+++ b/guix/derivations.scm
@@ -868,6 +868,10 @@ (define* (derivation store name builder args
                                env-vars)
                           #f)))))
 
+  (define inputs-substitutable? (every substitutable-derivation?
+                                       (map derivation-input-derivation
+                                            (filter derivation-input? inputs))))
+
   (define (user+system-env-vars)
     ;; Some options are passed to the build daemon via the env. vars of
     ;; derivations (urgh!).  We hide that from our API, but here is the place
@@ -875,7 +879,7 @@ (define* (derivation store name builder args
     (let ((env-vars `(,@(if local-build?
                             `(("preferLocalBuild" . "1"))
                             '())
-                      ,@(if (not substitutable?)
+                      ,@(if (not (and substitutable? inputs-substitutable?))
                             `(("allowSubstitutes" . "0"))
                             '())
                       ,@(if allowed-references