* Re: Fetching patches as origins instead of copying them into the Guix Git repo
From: ng0 @ 2017-09-01 9:58 UTC (permalink / raw)
To: Marius Bakke; +Cc: guix-devel
Marius Bakke transcribed 1.4K bytes:
> Leo Famulari <leo@famulari.name> writes:
>
> > On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
> >> Side note: I think we should start adding patches as origins instead of
> >> copying them wholesale, to try and keep the git repository slim.
> >
> > We should make a git-minimal package for things like this, or use
> > guile-git / libgit2. Git itself is a very "heavy" package.
>
> No, I mean adding patches like this:
>
> (define %CVE-1970-0001.patch
>   (origin
>     (method url-fetch)
>     (uri "https://example.com/CVE-2017-0001.patch")
>     (sha256
>      (base32
>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
>
> (package
>   (...
>    (patches (list (search-patch "guix-specific-stuff.patch")
>                   %CVE-1970-0001.patch)))
>
> That only requires the built-in guix downloader.
I think we should reduce connections we have to make
and assume that patches could disappear.
I keep patches and sources around in offline and
online ways because of this. If a source should
disappear I could fall back to my storage.
For cases like our icecat the patches are already
fetched because they come directly from the upstream
repository as far as I remember. That's okay.
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://n0is.noblogs.org/my-keys
https://www.infotropique.org https://krosos.org
* Re: Fetching patches as origins instead of copying them into the Guix Git repo
From: ng0 @ 2017-09-01 10:03 UTC (permalink / raw)
To: Marius Bakke, Leo Famulari, guix-devel
ng0 transcribed 2.4K bytes:
> Marius Bakke transcribed 1.4K bytes:
> > Leo Famulari <leo@famulari.name> writes:
> >
> > > On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
> > >> Side note: I think we should start adding patches as origins instead of
> > >> copying them wholesale, to try and keep the git repository slim.
> > >
> > > We should make a git-minimal package for things like this, or use
> > > guile-git / libgit2. Git itself is a very "heavy" package.
> >
> > No, I mean adding patches like this:
> >
> > (define %CVE-1970-0001.patch
> >   (origin
> >     (method url-fetch)
> >     (uri "https://example.com/CVE-2017-0001.patch")
> >     (sha256
> >      (base32
> >       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
> >
> > (package
> >   (...
> >    (patches (list (search-patch "guix-specific-stuff.patch")
> >                   %CVE-1970-0001.patch)))
> >
> > That only requires the built-in guix downloader.
>
> I think we should reduce connections we have to make
> and assume that patches could disappear.
> I keep patches and sources around in offline and
> online ways because of this. If a source should
> disappear I could fall back to my storage.
>
> For cases like our icecat the patches are already
> fetched because they come directly from the upstream
> repository as far as I remember. That's okay.
Actually in cases of cgit, github, gitlab, and maybe
some other git focused web instances we can do what
icecat does or just use URLs like:
https://git.gnome.org/browse/libxml2/snapshot/libxml2-92b9e8c8b3787068565a1820ba575d042f9eec66.tar.xz
I think it's okay to fetch CVE patches like this
because they come directly from upstream commits
and we know the hash of the file.
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://n0is.noblogs.org/my-keys
https://www.infotropique.org https://krosos.org
* Re: Fetching patches as origins instead of copying them into the Guix Git repo
From: Leo Famulari @ 2017-09-01 19:50 UTC (permalink / raw)
To: Marius Bakke; +Cc: guix-devel
On Thu, Aug 31, 2017 at 11:52:25PM +0200, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
>
> > On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
> >> Side note: I think we should start adding patches as origins instead of
> >> copying them wholesale, to try and keep the git repository slim.
> >
> > We should make a git-minimal package for things like this, or use
> > guile-git / libgit2. Git itself is a very "heavy" package.
>
> No, I mean adding patches like this:
>
> (define %CVE-1970-0001.patch
>   (origin
>     (method url-fetch)
>     (uri "https://example.com/CVE-2017-0001.patch")
>     (sha256
>      (base32
>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
>
> (package
>   (...
>    (patches (list (search-patch "guix-specific-stuff.patch")
>                   %CVE-1970-0001.patch)))
>
> That only requires the built-in guix downloader.
Ah, that's much better than what I was thinking.
* Re: Fetching patches as origins instead of copying them into the Guix Git repo
From: Alex Vong @ 2017-09-02 17:09 UTC (permalink / raw)
To: Marius Bakke; +Cc: guix-devel
Marius Bakke <mbakke@fastmail.com> writes:
> Leo Famulari <leo@famulari.name> writes:
>
>> On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
>>> Side note: I think we should start adding patches as origins instead of
>>> copying them wholesale, to try and keep the git repository slim.
>>
>> We should make a git-minimal package for things like this, or use
>> guile-git / libgit2. Git itself is a very "heavy" package.
>
> No, I mean adding patches like this:
>
> (define %CVE-1970-0001.patch
>   (origin
>     (method url-fetch)
>     (uri "https://example.com/CVE-2017-0001.patch")
>     (sha256
>      (base32
>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
>
> (package
>   (...
>    (patches (list (search-patch "guix-specific-stuff.patch")
>                   %CVE-1970-0001.patch)))
>
> That only requires the built-in guix downloader.
Are you suggesting we should download the patch directly from upstream
or security advisory if they provide it and fall back to copying if they
don't?
* Re: Fetching patches as origins instead of copying them into the Guix Git repo
From: Marius Bakke @ 2017-09-04 18:47 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel
Alex Vong <alexvong1995@gmail.com> writes:
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Leo Famulari <leo@famulari.name> writes:
>>
>>> On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
>>>> Side note: I think we should start adding patches as origins instead of
>>>> copying them wholesale, to try and keep the git repository slim.
>>>
>>> We should make a git-minimal package for things like this, or use
>>> guile-git / libgit2. Git itself is a very "heavy" package.
>>
>> No, I mean adding patches like this:
>>
>> (define %CVE-1970-0001.patch
>>   (origin
>>     (method url-fetch)
>>     (uri "https://example.com/CVE-2017-0001.patch")
>>     (sha256
>>      (base32
>>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
>>
>> (package
>>   (...
>>    (patches (list (search-patch "guix-specific-stuff.patch")
>>                   %CVE-1970-0001.patch)))
>>
>> That only requires the built-in guix downloader.
>
> Are you suggesting we should download the patch directly from upstream
> or security advisory if they provide it and fall back to copying if they
> don't?
Yes, indeed; sorry for the crude explanation. Fetching instead of
copying serves two purposes: saves size in the guix repository, and
removes the need to verify patches manually as you only have to trust
their origin.
I sent an example here: <https://bugs.gnu.org/28330#11>.
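The hash pinning that lets a reviewer "only trust the origin", together with ng0's earlier point that a patch URL may disappear, as an added example that is not Guix's own code: it reimplements the Nix-style base32 that the `(base32 "...")` field of an origin uses and models a content-addressed download that tries the upstream URL first and falls back to a private copy, accepting only bytes whose sha256 matches the pinned value. The patch body and the three sources are constructed in-memory stand-ins, not real network fetches.

```python
import hashlib
from typing import Callable, Sequence

# Guix/Nix base32 alphabet (no e, o, t, u). Digits come out most-significant
# 5-bit group first, reading the digest little-endian: not RFC 4648 base32.
NIX32_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"

def nix_base32(digest: bytes) -> str:
    """Encode a raw digest the way the (base32 "...") field of an origin expects."""
    n_chars = (len(digest) * 8 - 1) // 5 + 1          # 52 characters for sha256
    out = []
    for n in range(n_chars - 1, -1, -1):
        i, j = divmod(n * 5, 8)                        # byte index, bit offset
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX32_ALPHABET[c & 0x1F])
    return "".join(out)

def sha256_nix32(data: bytes) -> str:
    """Pinned-hash form of DATA, as written into an origin's sha256 field."""
    return nix_base32(hashlib.sha256(data).digest())

def fetch_verified(expected: str, sources: Sequence[Callable[[], bytes]]) -> bytes:
    """Try sources in order (upstream first, private mirror last); return the
    first body whose sha256 equals the pinned hash, reject everything else."""
    for fetch in sources:
        try:
            body = fetch()
        except OSError:
            continue                                   # URL went 404: next source
        if sha256_nix32(body) == expected:
            return body
    raise ValueError("no source delivered content with hash " + expected)

# Constructed sample data, not a real CVE patch: upstream has vanished, a mirror
# serves a tampered copy, and the offline copy kept for this case is intact.
PATCH = b"--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n-bad\n+good\n"
PINNED = sha256_nix32(PATCH)

def upstream_gone() -> bytes:
    raise OSError("404 Not Found")
def tampered_mirror() -> bytes:
    return PATCH.replace(b"+good", b"+evil")
def offline_copy() -> bytes:
    return PATCH

if __name__ == "__main__":
    body = fetch_verified(PINNED, [upstream_gone, tampered_mirror, offline_copy])
    print("recovered %d bytes; pinned hash %s" % (len(body), PINNED))
```

Because the hash is pinned in the package definition, a replacement URL or an offline copy can stand in for a vanished upstream without any change to what is trusted.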
* Re: Fetching patches as origins instead of copying them into the Guix Git repo
From: Ludovic Courtès @ 2017-09-02 20:55 UTC (permalink / raw)
To: Marius Bakke; +Cc: guix-devel
Hello,
Marius Bakke <mbakke@fastmail.com> writes:
> Leo Famulari <leo@famulari.name> writes:
>
>> On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
>>> Side note: I think we should start adding patches as origins instead of
>>> copying them wholesale, to try and keep the git repository slim.
[...]
> No, I mean adding patches like this:
>
> (define %CVE-1970-0001.patch
>   (origin
>     (method url-fetch)
>     (uri "https://example.com/CVE-2017-0001.patch")
>     (sha256
>      (base32
>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
>
> (package
>   (...
>    (patches (list (search-patch "guix-specific-stuff.patch")
>                   %CVE-1970-0001.patch)))
>
> That only requires the built-in guix downloader.
I agree, I did that a few times for this reason.
Once I did that for Coreutils, fetching the patch via a Cgit URL at
Savannah, and somehow that URL went broken at some later point, which
was annoying. But in general, it shouldn’t be worse than source URLs
that go 404.
Ludo’.