Fetching patches as origins instead of copying them into the Guix Git repo

Fetching patches as origins instead of copying them into the Guix Git repo

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 329 bytes --]

On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
> Side note: I think we should start adding patches as origins instead of
> copying them wholesale, to try and keep the git repository slim.

We should make a git-minimal package for things like this, or use
guile-git / libgit2. Git itself is a very "heavy" package.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Fetching patches as origins instead of copying them into the Guix Git repo

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 790 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
>> Side note: I think we should start adding patches as origins instead of
>> copying them wholesale, to try and keep the git repository slim.
>
> We should make a git-minimal package for things like this, or use
> guile-git / libgit2. Git itself is a very "heavy" package.

No, I mean adding patches like this:

(define %CVE-1970-0001.patch
  (origin
    (method url-fetch)
    (uri "https://example.com/CVE-2017-0001.patch")
    (sha256
     (base32
      "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))

(package
 (...
  (patches (list (search-patch "guix-specific-stuff.patch")
                 %CVE-1970-0001.patch)))

That only requires the built-in guix downloader.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: Fetching patches as origins instead of copying them into the Guix Git repo

[ng0]

[-- Attachment #1: Type: text/plain, Size: 1447 bytes --]

Marius Bakke transcribed 1.4K bytes:
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
> >> Side note: I think we should start adding patches as origins instead of
> >> copying them wholesale, to try and keep the git repository slim.
> >
> > We should make a git-minimal package for things like this, or use
> > guile-git / libgit2. Git itself is a very "heavy" package.
> 
> No, I mean adding patches like this:
> 
> (define %CVE-1970-0001.patch
>   (origin
>     (method url-fetch)
>     (uri "https://example.com/CVE-2017-0001.patch")
>     (sha256
>      (base32
>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
> 
> (package
>  (...
>   (patches (list (search-patch "guix-specific-stuff.patch")
>                  %CVE-1970-0001.patch)))
> 
> That only requires the built-in guix downloader.

I think we should reduce connections we have to make
and assume that patches could disappear.
I keep patches and sources around in offline and
online ways because of this. If a source should
disappear I could fall back to my storage.

For cases like our icecat the patches are already
fetched because they come directly from the upstream
repository as far as I remember. That's okay.
-- 
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://n0is.noblogs.org/my-keys
https://www.infotropique.org https://krosos.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Fetching patches as origins instead of copying them into the Guix Git repo

[ng0]

[-- Attachment #1: Type: text/plain, Size: 1931 bytes --]

ng0 transcribed 2.4K bytes:
> Marius Bakke transcribed 1.4K bytes:
> > Leo Famulari <leo@famulari.name> writes:
> > 
> > > On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
> > >> Side note: I think we should start adding patches as origins instead of
> > >> copying them wholesale, to try and keep the git repository slim.
> > >
> > > We should make a git-minimal package for things like this, or use
> > > guile-git / libgit2. Git itself is a very "heavy" package.
> > 
> > No, I mean adding patches like this:
> > 
> > (define %CVE-1970-0001.patch
> >   (origin
> >     (method url-fetch)
> >     (uri "https://example.com/CVE-2017-0001.patch")
> >     (sha256
> >      (base32
> >       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
> > 
> > (package
> >  (...
> >   (patches (list (search-patch "guix-specific-stuff.patch")
> >                  %CVE-1970-0001.patch)))
> > 
> > That only requires the built-in guix downloader.
> 
> I think we should reduce connections we have to make
> and assume that patches could disappear.
> I keep patches and sources around in offline and
> online ways because of this. If a source should
> disappear I could fall back to my storage.
> 
> For cases like our icecat the patches are already
> fetched because they come directly from the upstream
> repository as far as I remember. That's okay.

Actually in cases of cgit, github, gitlab, and maybe
some other git focused web instances we can do what
icecat does or just use URLs like:
https://git.gnome.org/browse/libxml2/snapshot/libxml2-92b9e8c8b3787068565a1820ba575d042f9eec66.tar.xz
I think it's okay to fetch CVE patches like this
because they come directly from upstream commits
and we know the hash of the file.
-- 
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://n0is.noblogs.org/my-keys
https://www.infotropique.org https://krosos.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Fetching patches as origins instead of copying them into the Guix Git repo

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 980 bytes --]

On Thu, Aug 31, 2017 at 11:52:25PM +0200, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
> >> Side note: I think we should start adding patches as origins instead of
> >> copying them wholesale, to try and keep the git repository slim.
> >
> > We should make a git-minimal package for things like this, or use
> > guile-git / libgit2. Git itself is a very "heavy" package.
> 
> No, I mean adding patches like this:
> 
> (define %CVE-1970-0001.patch
>   (origin
>     (method url-fetch)
>     (uri "https://example.com/CVE-2017-0001.patch")
>     (sha256
>      (base32
>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
> 
> (package
>  (...
>   (patches (list (search-patch "guix-specific-stuff.patch")
>                  %CVE-1970-0001.patch)))
> 
> That only requires the built-in guix downloader.

Ah, that's much better than what I was thinking.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Fetching patches as origins instead of copying them into the Guix Git repo

[Alex Vong]

[-- Attachment #1: Type: text/plain, Size: 1025 bytes --]

Marius Bakke <mbakke@fastmail.com> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
>>> Side note: I think we should start adding patches as origins instead of
>>> copying them wholesale, to try and keep the git repository slim.
>>
>> We should make a git-minimal package for things like this, or use
>> guile-git / libgit2. Git itself is a very "heavy" package.
>
> No, I mean adding patches like this:
>
> (define %CVE-1970-0001.patch
>   (origin
>     (method url-fetch)
>     (uri "https://example.com/CVE-2017-0001.patch")
>     (sha256
>      (base32
>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
>
> (package
>  (...
>   (patches (list (search-patch "guix-specific-stuff.patch")
>                  %CVE-1970-0001.patch)))
>
> That only requires the built-in guix downloader.

Are you suggesting we should download the patch directly from upstream
or security advisory if they provide it and fall back to copying if they
don't?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: Fetching patches as origins instead of copying them into the Guix Git repo

[Ludovic Courtès]

Hello,

Marius Bakke <mbakke@fastmail.com> skribis:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
>>> Side note: I think we should start adding patches as origins instead of
>>> copying them wholesale, to try and keep the git repository slim.

[...]

> No, I mean adding patches like this:
>
> (define %CVE-1970-0001.patch
>   (origin
>     (method url-fetch)
>     (uri "https://example.com/CVE-2017-0001.patch")
>     (sha256
>      (base32
>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
>
> (package
>  (...
>   (patches (list (search-patch "guix-specific-stuff.patch")
>                  %CVE-1970-0001.patch)))
>
> That only requires the built-in guix downloader.

I agree, I did that a few times for this reason.

Once I did that for Coreutils, fetching the patch via a Cgit URL at
Savannah, and somehow that URL went broken at some later point, which
was annoying.  But in general, it shouldn’t be worse than source URLs
that go 404.

Ludo’.

Re: Fetching patches as origins instead of copying them into the Guix Git repo

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 1382 bytes --]

Alex Vong <alexvong1995@gmail.com> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Leo Famulari <leo@famulari.name> writes:
>>
>>> On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
>>>> Side note: I think we should start adding patches as origins instead of
>>>> copying them wholesale, to try and keep the git repository slim.
>>>
>>> We should make a git-minimal package for things like this, or use
>>> guile-git / libgit2. Git itself is a very "heavy" package.
>>
>> No, I mean adding patches like this:
>>
>> (define %CVE-1970-0001.patch
>>   (origin
>>     (method url-fetch)
>>     (uri "https://example.com/CVE-2017-0001.patch")
>>     (sha256
>>      (base32
>>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
>>
>> (package
>>  (...
>>   (patches (list (search-patch "guix-specific-stuff.patch")
>>                  %CVE-1970-0001.patch)))
>>
>> That only requires the built-in guix downloader.
>
> Are you suggesting we should download the patch directly from upstream
> or security advisory if they provide it and fall back to copying if they
> don't?

Yes, indeed; sorry for the crude explanation.  Fetching instead of
copying serves two purposes: saves size in the guix repository, and
removes the need to verify patches manually as you only have to trust
their origin.

I sent an example here: <https://bugs.gnu.org/28330#11>.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]