From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:bcc0::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id cKcpCtkZamBbeQAAgWs5BA (envelope-from ) for ; Sun, 04 Apr 2021 21:56:09 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id iO4CBNkZamDsFQAAbx9fmQ (envelope-from ) for ; Sun, 04 Apr 2021 19:56:09 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id ACFD2273E9 for ; Sun, 4 Apr 2021 21:56:08 +0200 (CEST) Received: from localhost ([::1]:36390 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lT8qt-0002Tb-Ky for larch@yhetil.org; Sun, 04 Apr 2021 15:56:07 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33916) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lT8qj-0002TH-HB for guix-devel@gnu.org; Sun, 04 Apr 2021 15:55:57 -0400 Received: from world.peace.net ([64.112.178.59]:51896) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lT8qh-00049K-6X; Sun, 04 Apr 2021 15:55:57 -0400 Received: from mhw by world.peace.net with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lT8qd-00060P-MV; Sun, 04 Apr 2021 15:55:51 -0400 From: Mark H Weaver To: Ludovic =?utf-8?Q?Court=C3=A8s?= Subject: Re: Needed: tooling to detect references to buggy */stable packages In-Reply-To: <87ft0dgc28.fsf@gnu.org> References: <878s68zqsd.fsf@netris.org> <927d66ccc760afacdb88485c5158731458d52dd6.camel@telenet.be> <87k0psdu25.fsf@netris.org> <9fb6ac4f0893446e3619d62395e035a446a9606f.camel@telenet.be> <875z1bdkmq.fsf@netris.org> <87zgymdi2n.fsf@netris.org> <87ft0dgc28.fsf@gnu.org> Date: Sun, 04 Apr 2021 15:54:10 -0400 Message-ID: <8735w5966a.fsf@netris.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=64.112.178.59; envelope-from=mhw@netris.org; helo=world.peace.net X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1617566168; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=Bjf9GIgIw1leHiYRvJYkuRqIxcwRFyz3F00PaIWNOGA=; b=NFX5YGqUK45rERkw3YPH5ftqmiRg+cMbaeV5RedNFFa8+i0A/Izquyp+XJkKfekI48CHb+ 60TsMzYg9K1wozAHRQwTPVnGc2gpmpyM4vAtyoMqR9HrfHxWmzTT+TriHkNRqrr0vvqv+q BQoymkMnnIzelTnLR1waxDWLPFL1W62O+4CxsaAjb06r92vjgu2zfHaD1FFakJs2jdXN6y STq0s5PSlLGEJf8tBxFvjTwYFPImfEAPmsNKX3SidTi826vbt14BWy3IaZRSBIMVDf4JQa iOggsCDxpHmZuVcA2bEHjPbjUeFDmqLiqVy6DJ2rWFzNfdWJ7i98sMIdp2I2Sg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1617566168; a=rsa-sha256; cv=none; b=CbSHLnmCoZEMnlDPiAAD4uALtZ0u2u3veLkzuj8B2sdIxyFcM31i+rhLUfOTPjuUkqjOhP Eb3ie4+1hu2supiwabsQm73/P8jj8czf20qE2qH1AtU1Ke+nYZ+J6QLnrP57tKWjTQEsN9 lcsZMXAn+kgYdXcWWtEZ0hTVAMdJf8RC/RSwlkKSgfnLskefOgi6c+gxnK57nSfEThm9HE neKrEov+W/FAgQ5MO6FTPqDCov7fGZGK4go8Tu/ovcFlcZaaQ0fiJB/Ty40l74FgHXHLnb AWZWDPx+7Fc+Ogq68imoJU06qWTYXKQn6dsdknHP3BpIrJerNHDOzYolOY5ZYA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -2.44 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: ACFD2273E9 X-Spam-Score: -2.44 X-Migadu-Scanner: scn0.migadu.com X-TUID: t1EQQV9PTnPR Hi Ludovic, Ludovic Court=C3=A8s writes: > Mark H Weaver skribis: > >> It occurs to me that we will need some tooling to ensure that no >> references to these buggy "*/stable" packages end up in package outputs >> that users actually use. Otherwise, it is likely that sooner or later, >> a runtime reference to one of these buggy packages will sneak in to our >> systems. > > Couldn=E2=80=99t we use #:disallowed-references for this? Yes, but it would be suboptimal because we would have to remember to explicitly add #:disallowed-references to every package that uses these */stable packages but is not itself a */stable package. The number of packages that would need to be annotated with #:disallowed-references is a couple of orders of magnitude larger than the number of */stable packages that would need to be annotated with a 'build-time-only' flag. Part of the motivation behind this proposed tooling is to avoid simple mistakes leading to buggy code on our systems. For example, given the large number of packages that could use 'gtk-doc/stable', I think it's quite likely that people will start adding 'gtk-doc/stable' to other packages (mimicking what they see from existing packages), and might forget to add the associated #:disallowed-references annotations. Ideally, the 'build-time-only' flags would be used to automatically generate a set of _implicit_ #:disallowed-references for each package, to be added to the explicitly given ones. More concretely: the implicit #:disallowed-references for packages marked 'build-time-only' would be empty. For other packages, it would include all outputs of all 'native-inputs' and 'inputs' (and ideally including implicit inputs) that are marked as 'build-time-only'. What do you think? Thanks, Mark