publish: Prevent publication of non-substitutable derivation outputs.

This commit prevents Guix substitute servers from distributing binaries which are marked non-substitutable. This prevents substitute servers from accidentally committing copyright violations by distributing binaries that are non-substitutable for copyright reasons. * guix/scripts/publish.scm (render-nar): Query the derivers of ‘store-path’ and do nothing if one of them does not match ‘substitutable-derivation?’. * tests/publish.scm ("non-substitutable derivation"): New test. Change-Id: Iaca81f5bdb430a12a3ad41e9b83e0bcc535af607 Signed-off-by: Ludovic Courtès <ludo@gnu.org> Modified-by: Ludovic Courtès <ludo@gnu.org>
2025-10-02 02:15:12 +00:00 · 2025-03-06 10:16:29 +00:00 · 2025-03-06 10:16:29 +00:00 · b5745a327e
commit b5745a327e
parent a54f3f3e2a
2 changed files with 23 additions and 2 deletions
--- a/guix/scripts/publish.scm
+++ b/guix/scripts/publish.scm
@ -61,6 +61,7 @@
  #:use-module (guix cache)
  #:use-module (guix ui)
  #:use-module (guix scripts)
+  #:use-module (guix derivations)
  #:use-module ((guix utils)
                #:select (with-atomic-file-output compressed-file?))
  #:use-module ((guix build utils)
@ -693,11 +694,14 @@ requested using POOL."
 (define* (render-nar store request store-item
                     #:key (compression %no-compression))
  "Render archive of the store path corresponding to STORE-ITEM."
-  (let ((store-path (string-append %store-directory "/" store-item)))
+  (let* ((store-path (string-append %store-directory "/" store-item))
+         (derivations (map read-derivation-from-file
+                           (valid-derivers store store-path)))
+         (substitutable? (every substitutable-derivation? derivations)))
    ;; The ISO-8859-1 charset *must* be used otherwise HTTP clients will
    ;; interpret the byte stream as UTF-8 and arbitrarily change invalid byte
    ;; sequences.
-    (if (valid-path? store store-path)
+    (if (and substitutable? (valid-path? store store-path))
        (values `((content-type . (application/x-nix-archive
                                   (charset . "ISO-8859-1")))
                  (x-nar-compression . ,compression))
--- a/tests/publish.scm
+++ b/tests/publish.scm
@ -425,6 +425,23 @@ FileSize: ~a~%"
        (display "This file is not a valid store item." port)))
    (response-code (http-get (publish-uri (string-append "/nar/invalid"))))))

+(test-equal "non-substitutable derivation"
+  404
+  (let* ((non-substitutable
+          (run-with-store %store
+            (gexp->derivation "non-substitutable"
+                              #~(begin
+                                  (mkdir #$output)
+                                  (chdir #$output)
+                                  (call-with-output-file "foo.txt"
+                                    (lambda (port)
+                                      (display "bar" port))))
+                              #:substitutable? #f)))
+         (item (derivation->output-path non-substitutable)))
+    (build-derivations %store (list non-substitutable))
+    (response-code (http-get (publish-uri
+                              (string-append "/nar/" (basename item)))))))
+
 (test-equal "/file/NAME/sha256/HASH"
  "Hello, Guix world!"
  (let* ((data "Hello, Guix world!")