From: david larsson
To: Léo Le Bouter
Cc: guix-devel@gnu.org, Guix-devel
Date: Tue, 23 Mar 2021 16:48:30 +0100
Subject: Re: A proposal for better quality in maintenance of packages by reducing scope
In-Reply-To: <1b2c22892d9cde9b86ff96cc70cb89ad17fba807.camel@zaclys.net>
Message-ID: <2f046df9553669d991ce9057527bdada@selfhosted.xyz>
List-Id: "Development of GNU Guix and the GNU System distribution."
On 2021-03-23 16:00, Léo Le Bouter wrote:
> Hello!
>
> There's lots of packages in GNU Guix and maintaining all of them is
> tedious, even if we have tooling, there's only so much we can do.
>
> I want to have a secure and reliable system, I would also like to only
> depend on packages I know are easy to maintain for GNU Guix
> contributors.
>
> I would like to propose that we reduce the scope of the maintenance we
> do in GNU Guix and establish a list of packages that we more or less
> commit to maintaining because this is something that we can do and is
> attainable, for example, we could remove desktop environments that we
> can't maintain to good standards realistically and focus our efforts on
> upstreams that don't go against our way of doing things, that are
> cooperative, that provide good build systems we can rely on for our
> purposes, etc.
>
> I propose we also add some requirements before packages can go into
> such a maintained state, like a working and reliable updater/refresher
> with notifications directed to some mailing list when that one finds a
> new release, a reduced amount of downstream patches and a cooperative
> upstream with who we preferably have some point of contact to solve
> issues or gather more insider knowledge about the software if we need,
> a working and reliable CVE linter with proper cpe-name/vendor and
> notifications going to a mailing list we all subscribe to, etc..
> probably lots of other things are relevant but you see the idea.
>
> It should also be possible to filter out packages that are not declared
> to be in this maintained state, for example, in the GNU Guix System
> configuration.
>
> Some kind of quality rating for packages that users can trust.
>
> What do you think?
>
> Léo

Hi,

Related to your idea on having a reliable updater/refresher: I solved some maintenance for myself a while ago by writing a script(1) that I used with cuirass which automatically updates packages (both commit and hash) to the latest commit for a specified branch, and the same script also updates a manifest that is used by a cuirass instance to build packages. This way I could install - which would be continuously updated and built by cuirass, or - when I wanted to stay at a certain upstream commit.

This is perhaps not the most secure solution, especially not for distributing as default, but maybe something similar can be used to help maintain the latest version of a subset of packages?

(1) https://gitlab.com/methuselah-0/guix-cigmon/-/tree/master

Best regards,
David
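As an added illustration of the commit-and-hash update David describes (example code written for this page, not the guix-cigmon script and not Guix's own tooling): a Python function that rewrites the pinned commit, the sha256 and the git-version revision inside a package definition, and refuses a branch name in place of a full commit id, a hash of the wrong shape, or a changed hash for an unchanged commit. The package definition, commit ids and hash values below are constructed placeholders; resolving the branch head to a commit and computing the new hash (for instance with `guix hash`) are assumed to happen outside this function.

```python
import re
from typing import Tuple

# Constructed sample (not a real package): a minimal Guix package definition
# pinned to a git commit, in the shape a channel file would contain.
SAMPLE_PACKAGE = '''(define-public example-tool
  (package
    (name "example-tool")
    (version (git-version "0.1" "0" "1111111111111111111111111111111111111111"))
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://example.invalid/example-tool.git")
                    (commit "1111111111111111111111111111111111111111")))
              (file-name (git-file-name name version))
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)))
'''

# Guix's nix-base32 alphabet (no e, o, t, u); a sha256 encodes to 52 characters.
NIX_BASE32 = set("0123456789abcdfghijklmnpqrsvwxyz")
FULL_COMMIT = re.compile(r"^[0-9a-f]{40}$")
COMMIT_FIELD = re.compile(r'\(commit "([^"]*)"\)')
GIT_VERSION = re.compile(r'\(git-version "([^"]*)" "(\d+)" "([^"]*)"\)')
HASH_FIELD = re.compile(r'\(base32 "([^"]*)"\)')


def current_pin(definition: str) -> Tuple[str, str]:
    """Return the (commit, sha256-in-nix-base32) pair the definition is pinned to."""
    commit = COMMIT_FIELD.search(definition)
    digest = HASH_FIELD.search(definition)
    if commit is None or digest is None:
        raise ValueError("definition has no git-reference commit or sha256 field")
    return commit.group(1), digest.group(1)


def validate_pin(commit: str, digest: str) -> None:
    """Accept only a full commit id plus a sha256 in nix-base32.

    A branch or tag name in the commit field would make the package follow
    whatever upstream moves that ref to; a malformed hash would only fail
    later, at build time, instead of at review time.
    """
    if not FULL_COMMIT.match(commit):
        raise ValueError(f"commit must be a full 40-hex id, got {commit!r}")
    if len(digest) != 52 or not set(digest) <= NIX_BASE32:
        raise ValueError("sha256 must be 52 nix-base32 characters")


def update_pin(definition: str, new_commit: str, new_digest: str) -> str:
    """Rewrite commit, sha256 and git-version revision; unchanged if already current."""
    validate_pin(new_commit, new_digest)
    old_commit, old_digest = current_pin(definition)
    if (old_commit, old_digest) == (new_commit, new_digest):
        return definition
    if old_commit == new_commit:
        # Same commit but different content hash: the source behind a fixed
        # commit should never change, so stop rather than overwrite the pin.
        raise ValueError("hash changed for an unchanged commit: refusing to rewrite")

    def bump(match: "re.Match[str]") -> str:
        # Increment the revision and point git-version at the new commit.
        return f'(git-version "{match.group(1)}" "{int(match.group(2)) + 1}" "{new_commit}")'

    updated = GIT_VERSION.sub(bump, definition, count=1)
    updated = COMMIT_FIELD.sub(f'(commit "{new_commit}")', updated, count=1)
    updated = HASH_FIELD.sub(f'(base32 "{new_digest}")', updated, count=1)
    return updated


if __name__ == "__main__":
    # Constructed new values standing in for the resolved branch head and its hash.
    new_commit = "abcdef0123" * 4
    new_digest = "1" * 52
    print(current_pin(SAMPLE_PACKAGE))
    print(current_pin(update_pin(SAMPLE_PACKAGE, new_commit, new_digest)))
```

The same function applied to each definition in a manifest gives the "update commit and hash, then rebuild" loop; the two refusals are what keep an automatic updater from silently turning a pin into a floating reference or accepting different content under an already-pinned commit.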