From: ng0
Subject: Re: Fetching patches as origins instead of copying them into the Guix Git repo
Date: Fri, 1 Sep 2017 10:03:30 +0000
Message-ID: <20170901100330.sv2tlt5jm4adc7gr@abyayala>
In-Reply-To: <20170901095800.xp5pjshodj53im6v@abyayala>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Marius Bakke, Leo Famulari, guix-devel@gnu.org

ng0 transcribed 2.4K bytes:
> Marius Bakke transcribed 1.4K bytes:
> > Leo Famulari writes:
> >
> > > On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
> > >> Side note: I think we should start adding patches as origins instead of
> > >> copying them wholesale, to try and keep the git repository slim.
> > >
> > > We should make a git-minimal package for things like this, or use
> > > guile-git / libgit2. Git itself is a very "heavy" package.
> >
> > No, I mean adding patches like this:
> >
> > (define %CVE-1970-0001.patch
> >   (origin
> >     (method url-fetch)
> >     (uri "https://example.com/CVE-2017-0001.patch")
> >     (sha256
> >      (base32
> >       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
> >
> > (package
> >   (...
> >     (patches (list (search-patch "guix-specific-stuff.patch")
> >                    %CVE-1970-0001.patch)))
> >
> > That only requires the built-in guix downloader.
>
> I think we should reduce connections we have to make
> and assume that patches could disappear.
> I keep patches and sources around in offline and
> online ways because of this. If a source should
> disappear I could fall back to my storage.
>
> For cases like our icecat the patches are already
> fetched because they come directly from the upstream
> repository as far as I remember. That's okay.

Actually in cases of cgit, github, gitlab, and maybe some
other git focused web instances we can do what icecat does
or just use URLs like:
https://git.gnome.org/browse/libxml2/snapshot/libxml2-92b9e8c8b3787068565a1820ba575d042f9eec66.tar.xz

I think it's okay to fetch CVE patches like this because they
come directly from upstream commits and we know the hash of
the file.
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://n0is.noblogs.org/my-keys
https://www.infotropique.org
https://krosos.org
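
The two points made in this thread, that a fetched patch can be trusted because the hash of the file is pinned and that a private archive can stand in when upstream disappears, shown as an added Python example (not Guix's code and not written by anyone in the thread). The patch bytes, the three source names and the `fetch_verified` helper are constructed for illustration; the encoding is the Nix-style base32 that Guix's `(base32 "...")` field uses.

```python
import hashlib

# Alphabet of the base32 variant used by Nix and Guix (no e, o, t, u).
NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"

def nix_base32(digest: bytes) -> str:
    """Encode a digest in the form written inside (base32 "...")."""
    out = []
    for n in range((len(digest) * 8 - 1) // 5, -1, -1):
        i, j = divmod(n * 5, 8)
        hi = digest[i + 1] if i + 1 < len(digest) else 0
        out.append(NIX_B32[((digest[i] >> j) | (hi << (8 - j))) & 0x1F])
    return "".join(out)

def guix_sha256(data: bytes) -> str:
    return nix_base32(hashlib.sha256(data).digest())

def fetch_verified(sources, pinned):
    """Try (name, fetch) pairs in order; accept the first whose bytes match pinned."""
    rejected = []
    for name, fetch in sources:
        try:
            data = fetch()
        except OSError as err:  # source vanished or is unreachable
            rejected.append((name, f"unavailable: {err}"))
            continue
        got = guix_sha256(data)
        if got == pinned:  # the hash, not the location, decides acceptance
            return name, data, rejected
        rejected.append((name, f"hash mismatch: {got}"))
    raise LookupError(f"no source matched {pinned}: {rejected}")

# Constructed sample data: a tiny patch and three hypothetical sources.
PATCH = b"--- a/parser.c\n+++ b/parser.c\n@@ -1 +1 @@\n-old\n+new\n"
PINNED = guix_sha256(PATCH)

def upstream_gone():
    raise OSError("404 Not Found")

SOURCES = [
    ("upstream", upstream_gone),                    # patch URL no longer exists
    ("mirror", lambda: PATCH + b"+extra line\n"),   # altered content
    ("local-archive", lambda: PATCH),               # offline copy of the original
]

if __name__ == "__main__":
    name, data, rejected = fetch_verified(SOURCES, PINNED)
    print("accepted from", name, "after rejecting", rejected)
```

The pinned hash covers integrity only; availability still depends on at least one source holding the original bytes.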