Nixpkgs: Impossible to build expat

Created on 13 Oct 2019 · 13 Comments · Source: NixOS/nixpkgs

Issue description

It is not possible to install python3 anymore from nixos-19.09.

Steps to reproduce

nix-env -i python3
(Recompiling the whole deal, if you download the package it will work I guess.)

Why?

This URL now returns 404:
https://sources.debian.org/data/main/e/expat/2.2.7-2/debian/patches/CVE-2019-15903_Deny_internal_entities_closing_the_doctype.patch

It is used here: https://github.com/NixOS/nixpkgs/blob/release-19.09/pkgs/development/libraries/expat/default.nix#L14

bug reproducible builds

All 13 comments

Don't use nix-env -i python3. Instead, use an attribute path, nix-env -iA python3. Notice the A.

Other than that, this is a valid issue.

Thanks for the feedback! But why?

Without -A, Nix searches based on the package name, which is ambiguous. E.g., we have multiple python3 packages.

So... Can we cherry-pick the master branch of expat into the 19.09? (I am assuming the master branch works)

Should I do it myself?

More importantly! How do we test that after the change everything still works? We just re-trigger a big build for everything that depends on expat (which is a lot of stuff)?

I can't see sufficient motivation to change the version... or even cause any rebuild. I just relocated the patch.

I moved to unstable for this reason.

Anyway, I believe that having stuff like python3 broken in a tagged release is somehow bad and kind of a big deal...

Broken in what way? I'm not aware of any real breakage: https://hydra.nixos.org/job/nixos/release-19.09/nixpkgs.python3.x86_64-linux

Wait, python3 has expat as dependency.

You just fixed expat. Before your fix, the URL of the patch was returning 404, hence I opened the issue.

The expat used in those builds must have been cached for the days the original URL was available.

Am I wrong?

I think the patch itself was in the binary cache

these paths will be fetched (0.00 MiB download, 0.00 MiB unpacked):
  /nix/store/y90p1vnkkmk24svdwfbc5kh4rdiv5si9-CVE-2019-15903.patch
copying path '/nix/store/y90p1vnkkmk24svdwfbc5kh4rdiv5si9-CVE-2019-15903.patch' from 'https://cache.nixos.org'...

I assume you use a different /nix/store location or something else that's preventing you from substituting the patch.

Yes, indeed, I am rebuilding everything for unrelated reasons.

Glad that it is clarified!

I think I hit this same issue, but instead of reporting the 404 error, nix-build reported:

hash mismatch in fixed-output derivation '/usr/nix/store/6mj7pwq5crlwfzp30xghjicgaj4s5q0z-CVE-2019-15903.patch':
  wanted: sha256:0lv4392ihpk71fgaf1fz03gandqkaqisal8xrzvcqnvnq4mnmwxp
  got:    sha256:0mvszmxbfzgs1d5fgpssgx8n1vcpry70d03glkp0cznpdygy0sjr

Is this expected behavior or a bug?
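
The hash comparison behind the wanted/got lines quoted above, as an added example that is not part of the original thread or of Nix itself: it encodes a SHA-256 digest in the base32 form Nix prints, decodes such a string to the hex that sha256sum shows, and compares fetched bytes against a pinned hash. It assumes a flat SHA-256 over the file's bytes (any normalisation a fetcher applies before hashing is not modelled), and the function names and sample data are constructed for illustration.

```python
import hashlib

# Nix's base32 alphabet omits e, o, t and u.
NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32(digest: bytes) -> str:
    """Encode a digest the way Nix prints it in 'wanted:' / 'got:' lines."""
    n = int.from_bytes(digest, "little")      # Nix reads the bytes little-endian
    length = (len(digest) * 8 - 1) // 5 + 1   # 52 characters for SHA-256
    return "".join(NIX_B32[(n >> (5 * i)) & 31] for i in reversed(range(length)))


def nix_base32_to_hex(text: str, size: int = 32) -> str:
    """Decode a Nix base32 hash to the hex form printed by sha256sum."""
    n = 0
    for ch in text:
        n = (n << 5) | NIX_B32.index(ch)      # ValueError on a foreign character
    if len(text) != (size * 8 - 1) // 5 + 1 or n >> (size * 8):
        raise ValueError("not a valid Nix base32 hash of this size")
    return n.to_bytes(size, "little").hex()


def check_fixed_output(content: bytes, wanted: str) -> tuple:
    """Return (matches, got) for fetched bytes against the pinned hash."""
    got = nix_base32(hashlib.sha256(content).digest())
    return got == wanted, got


if __name__ == "__main__":
    # Constructed sample data, not the real expat patch.
    pinned = b"--- a/lib/xmlparse.c\n+++ b/lib/xmlparse.c\n"
    wanted = nix_base32(hashlib.sha256(pinned).digest())
    served_later = b"<html><body>moved</body></html>\n"
    for label, body in (("original", pinned), ("changed", served_later)):
        ok, got = check_fixed_output(body, wanted)
        print(f"{label}: {'ok' if ok else 'hash mismatch'}")
        print(f"  wanted: sha256:{wanted}")
        print(f"  got:    sha256:{got}")
```

Decoding both values from an error message to hex lets you compare them directly with `sha256sum` output for a file downloaded by hand.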
