From: Philip Kaludercic <philipk@posteo.net>
To: ELPA Maintainers <emacs-devel@gnu.org>
Cc: Stefan Monnier <monnier@iro.umontreal.ca>
Subject: Patches for elpa-admin
Date: Wed, 13 Apr 2022 08:40:00 +0000
Message-ID: <874k2x8jhb.fsf@posteo.net>
[-- Attachment #1: Type: text/plain, Size: 310 bytes --]
Hi,
I attach two patches for elpa-admin:
The somewhat recent addition to render markdown caused an error when
building a package locally on my system, as the executable "markdown"
was not installed. So I gathered a number of implementations and
had `elpaa--section-to-html' use whatever is installed:
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Avoid-failure-if-no-markdown-compiler-is-installed.patch --]
[-- Type: text/x-diff, Size: 1937 bytes --]
From 1cf5914c41dc73f2e62d04f2ee866a352006806c Mon Sep 17 00:00:00 2001
From: Philip Kaludercic <philipk@posteo.net>
Date: Wed, 13 Apr 2022 09:21:34 +0200
Subject: [PATCH 1/2] Avoid failure if no markdown compiler is installed
* elpa-admin.el (elpaa--markdown-candidates): Add list of markdown implementations
(elpa--markdown-executable): Add function to detect available implementations
(elpaa--section-to-html): Use elpa--markdown-executable
---
elpa-admin.el | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/elpa-admin.el b/elpa-admin.el
index d570c3c6aa..e86b8d3196 100644
--- a/elpa-admin.el
+++ b/elpa-admin.el
@@ -1257,6 +1257,22 @@ which see."
:ext-plist (append '(:html-toplevel-hlevel 3)
elpaa--org-export-options)))
+(defvar elpaa--markdown-candidates
+ '("pandoc" "cmark" "marked" "discount" ;ideally
+ "lowdown" "hoedown" "sundown" "kramdown" ;backup
+ "markdown.pl" "markdown_py" "md2html.awk" ;fallback
+ "markdown" ;despair
+ ))
+
+(defun elpa--markdown-executable ()
+ (catch 'exists
+ (dolist (cmd elpaa--markdown-candidates)
+ (when (executable-find cmd)
+ (throw 'exists cmd)))
+ ;; If no markdown compiler is installed, just display
+ ;; the source without rendering it.
+ "cat"))
+
(cl-defmethod elpaa--section-to-html ((section (head text/markdown)))
(with-temp-buffer
(let ((input-filename
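Review bot: The `"cat"` fallback at the end of `elpa--markdown-executable` hands the unrendered Markdown source to a caller that treats the result as an HTML fragment, so characters such as `<` and `&` from a README reach the generated page unescaped. Consider returning nil here and having `elpaa--section-to-html` HTML-escape the text itself when no renderer is found. Two smaller points: the new function uses the prefix `elpa--` while `elpaa--markdown-candidates` and the rest of the file use `elpaa--`, and neither new definition has a docstring.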
@@ -1264,7 +1280,7 @@ which see."
(unwind-protect
(progn
(write-region (cdr section) nil input-filename)
- (elpaa--call-sandboxed t "markdown" input-filename))
+ (elpaa--call-sandboxed t (elpa--markdown-executable) input-filename))
(delete-file input-filename)))
;; Adjust headings since this HTML fragment will be inserted
;; inside an <h2> section.
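Review bot: In the changed `elpaa--call-sandboxed` call, the name returned by `elpa--markdown-executable` was located with `executable-find` on the host but is then run inside the sandbox, so a hit in a directory that is not visible inside the sandbox passes the check and fails at run time. Every candidate is also invoked with only `input-filename` and is expected to print an HTML fragment on stdout; that is worth verifying per candidate, since the heading adjustment that follows depends on that output shape.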
--
2.30.2
[-- Attachment #3: Type: text/plain, Size: 195 bytes --]
As an alternative to bubblewrap, GNU Guix can also be used for
sandboxing. It doesn't take much to get it to work and after the
package profile has been prepared it is just as quick as bwrap:
[-- Attachment #4: 0002-Support-sandboxing-using-Guix.patch --]
[-- Type: text/x-diff, Size: 4753 bytes --]
From a571b7bd8b6a48b1343f159287bbc8287c0e8b20 Mon Sep 17 00:00:00 2001
From: Philip Kaludercic <philipk@posteo.net>
Date: Wed, 13 Apr 2022 10:29:58 +0200
Subject: [PATCH 2/2] Support sandboxing using Guix
* elpa-admin.el (elpaa--sandbox-mechanism): Add new variable.
(elpaa-read-config): Allow configuring elpaa--sandbox-mechanism.
(elpaa--guix-args): Add new variable, listing all the necessary
packages for sandboxing.
(elpaa--sandbox-args): Add new generic function to prepare a command.
(elpaa--call-sandboxed): Call elpaa--sandbox-args.
(elpa--markdown-executable): Check elpaa--sandbox-mechanism to set
what markdown compiler to use.
---
elpa-admin.el | 44 ++++++++++++++++++++++++++++++++------------
1 file changed, 32 insertions(+), 12 deletions(-)
diff --git a/elpa-admin.el b/elpa-admin.el
index e86b8d3196..8efec7bfcf 100644
--- a/elpa-admin.el
+++ b/elpa-admin.el
@@ -55,6 +55,11 @@
(defvar elpaa--sandbox-extra-ro-dirs nil)
+(defvar elpaa--sandbox-mechanism
+ (cond ((executable-find "guix") 'guix)
+ ((executable-find "bwrap") 'bwrap))
+ "What mechanism to use for sandboxing.")
+
(defvar elpaa--sandbox
;; Currently sandboxing is implemented using `bwrap' which AFAIK doesn't
;; exist for w32 nor for macos, so there's no point defaulting to non-nil
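Review bot: The `cond` in `elpaa--sandbox-mechanism` prefers `guix` over `bwrap`, so an existing bwrap setup switches mechanism as soon as a `guix` binary appears on `PATH`. Listing `bwrap` first, or requiring an explicit opt-in through the config, would preserve current behaviour. The comment on `elpaa--sandbox` just below, which says sandboxing is implemented using `bwrap`, also needs updating.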
@@ -112,6 +117,7 @@ See variable `org-export-options-alist'.")
('email-from elpaa--email-from)
('email-reply-to elpaa--email-reply-to)
('sandbox elpaa--sandbox)
+ ('sandbox-mechanism elpaa--sandbox-mechanism)
('sandbox-extra-ro-dirs elpaa--sandbox-extra-ro-dirs)
('doc-dir elpaa--doc-subdirectory)
('debug elpaa--debug))
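Review bot: The new `'sandbox-mechanism` entry is, as far as these lines show, stored without any check, so a misspelled value in the config is only noticed later when a sandboxed command is run. Validating the value against `guix` and `bwrap` at read time, and documenting the key with its accepted values, would make a misconfiguration fail early.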
@@ -954,9 +960,28 @@ The INFILE and DISPLAY arguments are fixed as nil."
"--proc" "/proc"
"--tmpfs" "/tmp"))
+(defconst elpaa--guix-args
+ '("shell" "--container" "--pure"
+ ;; List of required packages
+ "coreutils" "emacs-minimal" "cmark" "texinfo" "make"))
+
(defvar elpaa--sandbox-ro-binds
'("/lib" "/lib64" "/bin" "/usr" "/etc/alternatives" "/etc/emacs"))
+(cl-defmethod elpaa--sandbox-args ((_mechaism (eql bwrap)) args)
+ (let ((dd (expand-file-name default-directory))) ;No `~' allowed!
+ (setq args (cl-list* "--bind" dd dd args)))
+ ;; Add read-only dirs in reverse order.
+ (dolist (b (append elpaa--sandbox-ro-binds elpaa--sandbox-extra-ro-dirs))
+ (when (file-exists-p b) ;`brwap' burps on binds that don't exist!
+ (setq b (expand-file-name b))
+ (setq args (cl-list* "--ro-bind" b b args))))
+ (append (list "bwrap") elpaa--bwrap-args args))
+
+(cl-defmethod elpaa--sandbox-args ((_mechaism (eql guix)) args)
+ ;; Indicate the remaining arguments are the command to be executed.
+ (append (list "guix") elpaa--guix-args (cons "--" args)))
+
(defun elpaa--call-sandboxed (destination &rest args)
"Like ‘elpaa--call’ but sandboxed.
More specifically, uses Bubblewrap such that the command is
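Review bot: The `guix` method of `elpaa--sandbox-args` ignores `elpaa--sandbox-extra-ro-dirs`, which the `bwrap` method still honours, so a configuration that relies on extra read-only directories silently loses them under Guix; mapping each entry to an `--expose=DIR` argument would keep the two mechanisms equivalent. In addition, the parameter name `_mechaism` is misspelled in both methods, the packages in `elpaa--guix-args` are not pinned to a particular Guix revision, and the `elpaa--call-sandboxed` docstring still says it uses Bubblewrap.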
@@ -964,18 +989,9 @@ confined to only have write access to the `default-directory'.
Signal an error if the command did not finish with exit code 0."
(if (not elpaa--sandbox)
(apply #'elpaa--call destination args)
- (elpaa--message "call-sandboxed %S" args)
- (let ((dd (expand-file-name default-directory))) ;No `~' allowed!
- (setq args (nconc `("--bind" ,dd ,dd) args)))
- ;; Add read-only dirs in reverse order.
- (dolist (b (append elpaa--sandbox-ro-binds
- elpaa--sandbox-extra-ro-dirs))
- (when (file-exists-p b) ;`brwap' burps on binds that don't exist!
- (setq b (expand-file-name b))
- (setq args (nconc `("--ro-bind" ,b ,b) args))))
- (let ((exitcode
- (apply #'elpaa--call destination "bwrap"
- (append elpaa--bwrap-args args))))
+ (elpaa--message "call-sandboxed %S [%S]" args elpaa--sandbox-mechanism)
+ (let ((exitcode (apply #'elpaa--call destination
+ (elpaa--sandbox-args elpaa--sandbox-mechanism args))))
(unless (eq exitcode 0)
(if (eq destination t)
(error "Error-indicating exit code in elpaa--call-sandboxed:\n%s"
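Review bot: The rewritten call dispatches on `elpaa--sandbox-mechanism` without handling the case where it is nil (neither `guix` nor `bwrap` found) or an unknown symbol; with `elpaa--sandbox` non-nil this ends in a generic-dispatch error rather than a message that names the problem. A default `elpaa--sandbox-args` method that signals an explicit error saying no sandbox mechanism is available keeps the failure closed and readable.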
@@ -1266,6 +1282,10 @@ which see."
(defun elpa--markdown-executable ()
(catch 'exists
+ (when (eq elpaa--sandbox-mechanism 'guix)
+ ;; When using Guix, we can ensure what markdown implementation
+ ;; we want to use, so we just return a fixed one here.
+ (throw 'exists "cmark"))
(dolist (cmd elpaa--markdown-candidates)
(when (executable-find cmd)
(throw 'exists cmd)))
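Review bot: The early `(throw 'exists "cmark")` checks only `elpaa--sandbox-mechanism`, not `elpaa--sandbox`; when sandboxing is disabled on a machine that has `guix` installed, `elpaa--call-sandboxed` runs the command directly on the host, where `cmark` may not be present. Testing `(and elpaa--sandbox (eq elpaa--sandbox-mechanism 'guix))` avoids that, and taking the name from the same place as the `"cmark"` entry in `elpaa--guix-args` would stop the two from drifting apart.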
--
2.30.2
[-- Attachment #5: Type: text/plain, Size: 459 bytes --]
This approach could also be extended to Nix/nix-shell, but I have no
experience with that tool. This might be of interest to anyone using a
Macintosh system and interested in isolation, as AFAIK Nix works on
those.
(On a related note, is it necessary to sandbox markdown rendering? I
understand why org can be dangerous, but markdown shouldn't be able to
have any side effects?)
If these changes are fine, I can push them myself.
--
Philip Kaludercic