Cabal: unpack doesn't preserve (executable) permissions
Bug description
cabal unpack doesn't preserve permissions of executable files.
To Reproduce
$ curl https://hackage.haskell.org/package/hhwloc-0.2.0/hhwloc-0.2.0.tar.gz > hhwloc-0.2.0.tar.gz
$ cabal unpack hhwloc-0.2.0.tar.gz
$ ll hhwloc-0.2.0/hwloc/autogen.sh
shows autogen.sh's permissions to be -rw-r--r--, while
$ curl https://hackage.haskell.org/package/hhwloc-0.2.0/hhwloc-0.2.0.tar.gz > hhwloc-0.2.0.tar.gz
$ tar -xzf hhwloc-0.2.0.tar.gz
$ ll hhwloc-0.2.0/hwloc/autogen.sh
shows them to be -rwxr-xr-x, which are the original permissions.
Expected behavior
Permissions to be preserved.
System information
- macOS, linux
cabal 3.0.0.0,ghc 8.8.2
Additional context
- this seems like a regression since https://github.com/haskell/cabal/issues/620#issuecomment-5892697
- the hackage CI build of my package fails because of this.
dtaskoff
All 12 comments
See #6454 and #5813. Most likely we'll make sdist create tarballs without executable bits for files, and make unpacking also not set anything executable.
- distributing native binaries is most likely wrong
- and script files can be run with their respective interpreter
I.e. not setting bits on unpacking is by design.
phadej
on 27 Jan 2020
I agree that distributing native binaries is wrong, however, one will not always be able to modify existing scripts.
Anyway, if you decide to go the -x way, it'd be nice if the behaviour is documented somewhere.
dtaskoff
on 29 Jan 2020
@dtaskoff this is partly due to tar, viz. https://github.com/haskell/tar/issues/25
vmchale
on 11 Feb 2020
* and script files can be run with their respective interpreter
I don't think that's fair, because the shebang might contain additional information and is now ignored.
I.e. not setting bits on unpacking is by design.
It's a bug ;)
hasufell
on 19 Feb 2020
sdist creates files without executable bits, so this issue is obsoleted.
phadej
on 13 Jul 2020
@phadej so how do you figure out which interpreter to use? Eg whether a script is a posix, shell or ksh script? They'll likely have the same extension (or none). Parse the shebang?
hasufell
on 13 Jul 2020
Maintainer of package should know which kind of script they are writing. (or python or ruby or ...)
phadej
on 13 Jul 2020
Maintainer of package should know which kind of script they are writing. (or python or ruby or ...)
Scripts may be "data files" and used by users as well.
hasufell
on 13 Jul 2020
Scripts may be "data files" and used by users as well.
In cabal nix-style setup user barely see tarballs. I argue that if "bigger" package is assembled and distributed then cabal sdist and cabal unpack are wrong tools to do it. As far as I see it, Hackage is for Haskell code. Write auxiliary scripts as Haskell executables, and there will be no problems (ok, different problems).
Also it is data-files, not code-files.
Don't speculate. If you have real use-case, it would be helpful. The OP case, users can be advised to call sh .../autogen.sh and IMO it's fair trade-off for the simplicity of implementation in Cabal / cabal-install. For cabal-install the reproducibility of packaging (e.g. on Windows compared to Linux) is more important.
phadej
on 13 Jul 2020
@phadej so if the tar package is fixed (because it is a bug there), you will adjust the cabal-install code? The current behavior relies on a bug to be present. I suggest cabal-install explicitly removes the executable bits then.
hasufell
on 13 Jul 2020
Yes, we should be explicit on unpack too. PR welcome.
phadej
on 13 Jul 2020
Yes, we should be explicit on unpack too. PR welcome.
Maybe, but then again, we shouldn't use tar at all. It is unmaintained and has major issues: it's easy to break cabal sdist if you know about tar's shortcomings, such as missing long filepath support (or broken unicode support).
hasufell
on 18 Jul 2020
Related issues
quasicomputational
路
4Comments
duog
路
4Comments
asr
路
3Comments
tfausak
路
4Comments
menelaos
路
3Comments
Most helpful comment
I don't think that's fair, because the shebang might contain additional information and is now ignored.
It's a bug ;)