Alex Vong writes:

> Marius Bakke writes:
>
>> Leo Famulari writes:
>>
>>> On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
>>>> Side note: I think we should start adding patches as origins instead of
>>>> copying them wholesale, to try and keep the git repository slim.
>>>
>>> We should make a git-minimal package for things like this, or use
>>> guile-git / libgit2. Git itself is a very "heavy" package.
>>
>> No, I mean adding patches like this:
>>
>> (define %CVE-1970-0001.patch
>>   (origin
>>     (method url-fetch)
>>     (uri "https://example.com/CVE-2017-0001.patch")
>>     (sha256
>>      (base32
>>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
>>
>> (package
>>   (...
>>   (patches (list (search-patch "guix-specific-stuff.patch")
>>                  %CVE-1970-0001.patch))))
>>
>> That only requires the built-in guix downloader.
>
> Are you suggesting we should download the patch directly from upstream
> or security advisory if they provide it and fall back to copying if they
> don't?

Yes, indeed; sorry for the crude explanation.

Fetching instead of copying serves two purposes: it saves size in the guix
repository, and it removes the need to verify patches manually, as you only
have to trust their origin.

I sent an example here: .
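The snippet quoted in the thread elides the surrounding package definition. The following is an added, complete illustration of the same idea (an `origin` used as an entry in the `patches` list) and is not code from the thread or from the Guix repository. The package `foo`, its upstream URL, the patch URL on example.com and both hashes are placeholders; `file-name` is included because, without it, the patch's name in the store is derived from the URI basename, and an explicit name keeps the CVE identifier visible in the store and in build logs.

```scheme
;; Added example: a package whose patch list mixes a patch shipped in the
;; Guix tree with one fetched as an origin from an upstream/advisory URL.
;; Package name, URLs and hashes below are placeholders, not real values.
(define-module (gnu packages foo)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

;; The fix is fetched with the built-in downloader and pinned by hash, so
;; reviewers verify the hash once against the advisory instead of reading
;; a copied patch.  Obtain the hash with:  guix download <patch-url>
(define %foo-CVE-2017-0001.patch
  (origin
    (method url-fetch)
    (uri "https://example.com/advisories/CVE-2017-0001.patch")
    ;; Keep the CVE identifier in the store file name.
    (file-name "foo-CVE-2017-0001.patch")
    (sha256
     (base32
      ;; placeholder hash, replace with the output of `guix download`
      "0000000000000000000000000000000000000000000000000000"))))

(define-public foo
  (package
    (name "foo")
    (version "1.2.3")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://example.com/foo/foo-" version ".tar.gz"))
       (sha256
        (base32
         ;; placeholder hash for the tarball
         "0000000000000000000000000000000000000000000000000000"))
       ;; A patch kept in gnu/packages/patches/ and a fetched one side by side.
       (patches (list (search-patch "foo-build-fix.patch")
                      %foo-CVE-2017-0001.patch))))
    (build-system gnu-build-system)
    (home-page "https://example.com/foo")
    (synopsis "Placeholder package used to illustrate origin-based patches")
    (description "Placeholder package; only the patches field is of interest.")
    (license license:gpl3+)))
```

The fetched patch still goes through the same `patch` invocation as a tree-local one during the source unpack phase, so the trust boundary moves from "whoever committed this file to the Guix tree" to "the URL plus the pinned hash"; if the advisory site later changes or removes the file, the hash mismatch (or 404) fails the build loudly rather than silently building an unpatched package.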