From: Philip Kaludercic
Newsgroups: gmane.emacs.devel
Subject: Patches for elpa-admin
Date: Wed, 13 Apr 2022 08:40:00 +0000
Message-ID: <874k2x8jhb.fsf@posteo.net>
To: ELPA Maintainers
Cc: Stefan Monnier
--=-=-= Content-Type: text/plain

Hi,

I attach two patches for elpa-admin:

The somewhat recent addition to render markdown caused an error when building a package locally on my system, as the executable "markdown" was not installed. So I gathered a number of implementations and had `elpaa--section-to-html' use whatever is installed:

--=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=0001-Avoid-failure-if-no-markdown-compiler-is-installed.patch
>From 1cf5914c41dc73f2e62d04f2ee866a352006806c Mon Sep 17 00:00:00 2001 From: Philip Kaludercic Date: Wed, 13 Apr 2022 09:21:34 +0200 Subject: [PATCH 1/2] Avoid failure if no markdown compiler is installed * elpa-admin.el (elpaa--markdown-candidates): Add list of markdown implementations (elpa--markdown-executable): Add function to detect available implementations (elpaa--section-to-html): Use elpa--markdown-executable --- elpa-admin.el | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/elpa-admin.el b/elpa-admin.el index d570c3c6aa..e86b8d3196 100644 --- a/elpa-admin.el +++ b/elpa-admin.el
@@ -1257,6 +1257,22 @@ which see." :ext-plist (append '(:html-toplevel-hlevel 3) elpaa--org-export-options))) +(defvar elpaa--markdown-candidates + '("pandoc" "cmark" "marked" "discount" ;ideally + "lowdown" "hoedown" "sundown" "kramdown" ;backup + "markdown.pl" "markdown_py" "md2html.awk" ;fallback + "markdown" ;despair + )) + +(defun elpa--markdown-executable () + (catch 'exists + (dolist (cmd elpaa--markdown-candidates) + (when (executable-find cmd) + (throw 'exists cmd))) + ;; If no markdown compiler is installed, just display + ;; the source without rendering it. + "cat")) + (cl-defmethod elpaa--section-to-html ((section (head text/markdown))) (with-temp-buffer (let ((input-filename @@ -1264,7 +1280,7 @@ which see." (unwind-protect (progn (write-region (cdr section) nil input-filename) - (elpaa--call-sandboxed t "markdown" input-filename)) + (elpaa--call-sandboxed t (elpa--markdown-executable) input-filename)) (delete-file input-filename))) ;; Adjust headings since this HTML fragment will be inserted ;; inside an

section. -- 2.30.2 --=-=-= Content-Type: text/plain As an alternative to bubblewrap, GNU Guix can also be used for sandboxing. It doesn't take much to get it to work and after the package profile has been prepared it is just as quick as bwrap: --=-=-= Content-Type: text/x-diff; charset=utf-8 Content-Disposition: attachment; filename=0002-Support-sandboxing-using-Guix.patch Content-Transfer-Encoding: quoted-printable >From a571b7bd8b6a48b1343f159287bbc8287c0e8b20 Mon Sep 17 00:00:00 2001 From: Philip Kaludercic Date: Wed, 13 Apr 2022 10:29:58 +0200 Subject: [PATCH 2/2] Support sandboxing using Guix * elpa-admin.el (elpaa--sandbox-mechanism): Add new variable. (elpaa-read-config): Allow configuring elpaa--sandbox-mechanism. (elpaa--guix-args): Add new variable, listing all the necessary packages for sandboxing. (elpaa--sandbox-args): Add new generic function to prepare a command. (elpaa--call-sandboxed): Call elpaa--sandbox-args. (elpa--markdown-executable): Check elpaa--sandbox-mechanism to set what markdown compiler to use. --- elpa-admin.el | 44 ++++++++++++++++++++++++++++++++------------ 1 file changed, 32 insertions(+), 12 deletions(-) diff --git a/elpa-admin.el b/elpa-admin.el index e86b8d3196..8efec7bfcf 100644 --- a/elpa-admin.el +++ b/elpa-admin.el @@ -55,6 +55,11 @@ =20 (defvar elpaa--sandbox-extra-ro-dirs nil) =20 +(defvar elpaa--sandbox-mechanism + (cond ((executable-find "guix") 'guix) + ((executable-find "bwrap") 'bwrap)) + "What mechanism to use for sandboxing.") + (defvar elpaa--sandbox ;; Currently sandboxing is implemented using `bwrap' which AFAIK doesn't ;; exist for w32 nor for macos, so there's no point defaulting to non-nil @@ -112,6 +117,7 @@ See variable `org-export-options-alist'.") ('email-from elpaa--email-from) ('email-reply-to elpaa--email-reply-to) ('sandbox elpaa--sandbox) + ('sandbox-mechanism elpaa--sandbox-mechanism) ('sandbox-extra-ro-dirs elpaa--sandbox-extra-ro-dirs) ('doc-dir elpaa--doc-subdirectory) ('debug elpaa--debug)) 
@@ -954,9 +960,28 @@ The INFILE and DISPLAY arguments are fixed as nil." "--proc" "/proc" "--tmpfs" "/tmp")) =20 +(defconst elpaa--guix-args + '("shell" "--container" "--pure" + ;; List of required packages + "coreutils" "emacs-minimal" "cmark" "texinfo" "make")) + (defvar elpaa--sandbox-ro-binds '("/lib" "/lib64" "/bin" "/usr" "/etc/alternatives" "/etc/emacs")) =20 +(cl-defmethod elpaa--sandbox-args ((_mechaism (eql bwrap)) args) + (let ((dd (expand-file-name default-directory))) ;No `~' allowed! + (setq args (cl-list* "--bind" dd dd args))) + ;; Add read-only dirs in reverse order. + (dolist (b (append elpaa--sandbox-ro-binds elpaa--sandbox-extra-ro-dirs)) + (when (file-exists-p b) ;`brwap' burps on binds that don't exi= st! + (setq b (expand-file-name b)) + (setq args (cl-list* "--ro-bind" b b args)))) + (append (list "bwrap") elpaa--bwrap-args args)) + +(cl-defmethod elpaa--sandbox-args ((_mechaism (eql guix)) args) + ;; Indicate the remaining arguments are the command to be executed. + (append (list "guix") elpaa--guix-args (cons "--" args))) + (defun elpaa--call-sandboxed (destination &rest args) "Like =E2=80=98elpaa--call=E2=80=99 but sandboxed. More specifically, uses Bubblewrap such that the command is 
@@ -964,18 +989,9 @@ confined to only have write access to the `default-dir= ectory'. Signal an error if the command did not finish with exit code 0." (if (not elpaa--sandbox) (apply #'elpaa--call destination args) - (elpaa--message "call-sandboxed %S" args) - (let ((dd (expand-file-name default-directory))) ;No `~' allowed! - (setq args (nconc `("--bind" ,dd ,dd) args))) - ;; Add read-only dirs in reverse order. - (dolist (b (append elpaa--sandbox-ro-binds - elpaa--sandbox-extra-ro-dirs)) - (when (file-exists-p b) ;`brwap' burps on binds that don't e= xist! - (setq b (expand-file-name b)) - (setq args (nconc `("--ro-bind" ,b ,b) args)))) - (let ((exitcode - (apply #'elpaa--call destination "bwrap" - (append elpaa--bwrap-args args)))) + (elpaa--message "call-sandboxed %S [%S]" args elpaa--sandbox-mechanism) + (let ((exitcode (apply #'elpaa--call destination + (elpaa--sandbox-args elpaa--sandbox-mechanism a= rgs)))) (unless (eq exitcode 0) (if (eq destination t) (error "Error-indicating exit code in elpaa--call-sandboxed:\n= %s" @@ -1266,6 +1282,10 @@ which see." =20 (defun elpa--markdown-executable () (catch 'exists + (when (eq elpaa--sandbox-mechanism 'guix) + ;; When using Guix, we can ensure what markdown implementation + ;; we want to use, so we just return a fixed one here. + (throw 'exists "cmark")) (dolist (cmd elpaa--markdown-candidates) (when (executable-find cmd) (throw 'exists cmd))) --=20 2.30.2 --=-=-= Content-Type: text/plain This approach could also be extended to Nix/nix-shell, but I have no experience with that tool. This might be of interest to anyone using a Macintosh system and interested in isolation, as AFAIK Nix works on those. (On a related note, is it necessary to sandbox markdown rendering? I understand why org can be dangerous, but markdown shouldn't be able to have any side effects?) If these changes are fine, I can push them myself. -- Philip Kaludercic --=-=-=--
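
Review bot: In [PATCH 1/2], hunk `@@ -1257,6 +1257,22 @@`, the `"cat"` fallback in `elpa--markdown-executable` hands unrendered Markdown source to a caller that treats the result as an HTML fragment (the context that follows says "this HTML fragment will be inserted"), and nothing in the visible code escapes `<`, `>` or `&` before that happens. Suggest returning nil when no candidate is found and letting `elpaa--section-to-html` escape the text and wrap it in `<pre>` itself. The new function is also named `elpa--markdown-executable` while the variable beside it is `elpaa--markdown-candidates`; use the `elpaa--` prefix for both and give both a docstring.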
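
Review bot: In [PATCH 1/2], hunk `@@ -1264,7 +1280,7 @@`, `(elpa--markdown-executable)` resolves the command with `executable-find` on the host, but the command then runs under `elpaa--call-sandboxed`, where only the directories bound into the sandbox exist. A candidate found outside those binds (the bwrap read-only list visible in [PATCH 2/2] is `"/lib" "/lib64" "/bin" "/usr" "/etc/alternatives" "/etc/emacs"`) passes the check and then fails inside the sandbox. Suggest verifying that the resolved path lies under a bound directory, or documenting that such locations must be added through `sandbox-extra-ro-dirs`.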
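
Review bot: In [PATCH 2/2], hunk `@@ -55,6 +55,11 @@`, the `cond` in `elpaa--sandbox-mechanism` tests `guix` before `bwrap`, so a host with both installed silently switches from the existing bwrap sandbox to the Guix one once this lands. Suggest testing `bwrap` first so existing deployments keep their current confinement, and making Guix opt-in through the `sandbox-mechanism` config key. The docstring should also say that the value is nil when neither tool is found.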
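
Review bot: In [PATCH 2/2], hunk `@@ -954,9 +960,28 @@`, the `guix` method of `elpaa--sandbox-args` ignores `elpaa--sandbox-ro-binds` and `elpaa--sandbox-extra-ro-dirs` and never mentions `default-directory`, so the two mechanisms do not visibly grant the same file access; a configuration that sets `sandbox-extra-ro-dirs` gets those directories under bwrap and not under Guix. Suggest passing the extra read-only directories with `--expose=DIR` and stating in a comment what the container is allowed to write to. Minor: the parameter is spelled `_mechaism` in both methods, and there is no `cl-defgeneric` with a docstring for `elpaa--sandbox-args`.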
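
Review bot: In [PATCH 2/2], hunk `@@ -964,18 +989,9 @@`, `elpaa--sandbox-args` is called with `elpaa--sandbox-mechanism` even when that variable is nil (neither `guix` nor `bwrap` found) or holds an unknown value from the config, and no method covers that case, so the caller gets a generic dispatch error instead of a message about the missing sandbox tool. Suggest signalling an explicit error before the call when `elpaa--sandbox` is non-nil and no supported mechanism is set. The docstring above the hunk still says "uses Bubblewrap" and should describe both mechanisms.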
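
Review bot: In [PATCH 2/2], hunk `@@ -1266,6 +1282,10 @@`, `"cmark"` is returned whenever `elpaa--sandbox-mechanism` is `guix`, without checking `elpaa--sandbox`; with sandboxing disabled, `elpaa--call-sandboxed` falls through to plain `elpaa--call` on the host, where `cmark` may not be installed, which is the failure [PATCH 1/2] set out to avoid. Suggest guarding the early return with `(and elpaa--sandbox (eq elpaa--sandbox-mechanism 'guix))` so the candidate search still runs in the unsandboxed case.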