unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: ludo@gnu.org (Ludovic Courtès)
To: Alex Kost <alezost@gmail.com>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 2/4] emacs: Add 'guix-devel-download-package-source'.
Date: Mon, 05 Oct 2015 17:55:59 +0200	[thread overview]
Message-ID: <87wpv1tils.fsf@gnu.org> (raw)
In-Reply-To: <87eghalc7s.fsf@gmail.com> (Alex Kost's message of "Sun, 04 Oct 2015 21:28:55 +0300")

Alex Kost <alezost@gmail.com> skribis:

> Ludovic Courtès (2015-10-04 19:57 +0300) wrote:
>
>> Alex Kost <alezost@gmail.com> skribis:
>>
>>> Ludovic Courtès (2015-10-03 23:35 +0300) wrote:
>>>
>>>> Alex Kost <alezost@gmail.com> skribis:
>>>>
>>>>> * emacs/guix-devel.el (guix-devel-setup-repl): Use (guix packages) module.
>>>>>   (guix-devel-download-package-source): New command.
>>>>>   (guix-devel-keys-map): Add key binding for it.
>>>>> * doc/emacs.texi (Emacs Development): Document it.
>>>>
>>>> [...]
>>>>
>>>>> +(defun guix-devel-download-package-source ()
>>>>> +  "Download the source of the current package.
>>>>> +Use this function to compute SHA256 hash of the package source."
>>>>> +  (interactive)
>>>>> +  (guix-devel-with-definition def
>>>>> +    (guix-devel-use-modules "(guix scripts download)")
>>>>> +    (when (or (not guix-operation-confirm)
>>>>> +              (y-or-n-p (format "Download '%s' package source?" def)))
>>>>> +      (guix-geiser-eval-in-repl
>>>>> +       (format "(guix-download (origin-uri (package-source %s)))"
>>>>> +               def)))))
>>>>
>>>> What about instead building the ‘package-source-derivation’ of the
>>>> package?  That way, that would do the exact same thing as ‘guix build
>>>> -S’ and would work not only with ‘url-fetch’ but also with the other
>>>> things.
>>>>
>>>> WDYT?
>>>
>>> The goal of this command is to display a hash.
>>
>> So this would be something one would use as they write a package
>> definition, to fill in the ‘sha256’ field, right?
>
> Exactly.  For example, here is how I update a package using Geiser:
>
> - I modify its 'version' field,
> - "C-M-x" to reevaluate the package definition,
> - "C-c . s" to download the new source and show its hash,
> - replace the old hash with the new one,
> - and finally "C-c . b" to build the new version of package.

OK, nice.

>> In that case, I would suggest something based on the URL at point rather
>> than the origin at point.
>
> It's neither URL at point, nor origin at point: it's like "C-c . b" but
> to download the source of the current package definition instead of
> building it.
>
> Also I don't understand how it can be based on the URL at point as
> instead of the full URL, we have something like this:
>
>   (uri (string-append "http://.../foo-" version ".tar.xz"))
>
> So currently to use "guix download", at first you need to manually
> construct the full URL.  I find this inconvenient, that's why I want to
> have a command to download a source of the current package and to
> display its hash.

Yes, that make sense.

The problem I had in mind was that, when writing a new package
definition from scratch, you don’t know the SHA256 yet, but ‘sha256’ is
a required field of ‘origin’.  So one would have to write a fake
‘sha256’ value just for the sake of being able to use that feature,
which seems odd to me.

See what I mean?  How would you handle such a case?

>> However, if this is “too convenient”, I’m afraid this would give an
>> incentive to not check OpenPGP signatures when they are available.
>
> Sorry, I have no idea what it means :-(

When upstream digitally signs its source code tarballs, packagers should
check those signatures to authenticate the code they have.

If the tool makes it too easy to fill out the ‘sha256’ field without
going through the trouble of downloading the ‘.sig’ file and checking
it, then people will have an incentive not to check those signatures.

>>> At first I also thought about building a package source and then to
>>> calculate the hash of the store file, but this way will lead to the
>>> wrong hashes for "snippet"-ed origins.  Or do I miss anything?
>>
>> Well, I think bindings for ‘package-source-derivation’ would also be
>> useful, but IIUC this is not what you had in mind.
>
> If you mean to make a command to build the current package source, it
> can be done, although I don't see how it can be useful.

It’s occasionally useful, similar to ‘guix build -S’ or the “Show”
button in package info buffers, except that it would operate directly on
the package at point.

WDYT?

Thanks,
Ludo’.

  reply	other threads:[~2015-10-05 15:56 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-02 13:04 emacs: devel: Add lint/download commands Alex Kost
2015-10-02 13:04 ` [PATCH 1/4] emacs: Add 'guix-devel-with-definition' Alex Kost
2015-10-03 20:31   ` Ludovic Courtès
2015-10-02 13:04 ` [PATCH 2/4] emacs: Add 'guix-devel-download-package-source' Alex Kost
2015-10-03 20:35   ` Ludovic Courtès
2015-10-04 13:39     ` Alex Kost
2015-10-04 16:57       ` Ludovic Courtès
2015-10-04 18:28         ` Alex Kost
2015-10-05 15:55           ` Ludovic Courtès [this message]
2015-10-06 15:11             ` Alex Kost
2015-10-07  2:07               ` Checking signatures on source tarballs Mark H Weaver
2015-10-07  3:18                 ` Christopher Allan Webber
2015-10-07  8:29                 ` Andreas Enge
2015-10-07 12:06                 ` Ludovic Courtès
2015-10-07 14:09                   ` Mark H Weaver
2015-10-07 18:05                     ` Leo Famulari
2015-10-07 20:59                     ` Ludovic Courtès
2015-10-08 11:44                       ` Ludovic Courtès
2015-10-12  8:37                         ` Brandon Invergo
2015-10-12  9:18                           ` [bug-gsrc] " Brandon Invergo
2015-10-12 16:38                             ` Ludovic Courtès
2015-10-12 21:26                               ` Brandon Invergo
2015-10-12 21:34                                 ` Ludovic Courtès
2015-10-12 22:06                                   ` Brandon Invergo
2015-10-13  9:47                                     ` Ludovic Courtès
2015-10-12 16:39                           ` Ludovic Courtès
2016-02-22  4:20                             ` Christopher Allan Webber
2015-10-10  7:22                       ` Alex Vong
2015-10-10 17:03                       ` Mark H Weaver
2015-10-11 17:44                         ` Ludovic Courtès
2015-10-14  5:33                       ` Rastus Vernon
2015-10-15 13:33                         ` Mark H Weaver
2015-10-07 17:45                 ` Alex Kost
2015-10-07 12:23               ` [PATCH 2/4] emacs: Add 'guix-devel-download-package-source' Ludovic Courtès
2015-10-07 17:25                 ` Alex Kost
2015-10-07 19:15                   ` Ian Denhardt
2015-10-09 12:14                     ` Alex Kost
2015-10-07 22:10                   ` Ludovic Courtès
2015-10-08 11:27                     ` Alex Kost
2015-10-08 11:46                       ` Ludovic Courtès
2015-10-09 12:08                         ` Alex Kost
2015-10-09 12:17                           ` Ludovic Courtès
2015-10-09 14:00                         ` [PATCH] emacs: Add 'guix-devel-build-package-source' Alex Kost
2015-10-11 18:33                           ` Ludovic Courtès
2015-10-08 14:43                       ` [PATCH 2/4] emacs: Add 'guix-devel-download-package-source' Christopher Allan Webber
2015-10-08 15:03                         ` Ludovic Courtès
2015-10-02 13:04 ` [PATCH 3/4] lint: Export 'run-checkers' Alex Kost
2015-10-03 20:36   ` Ludovic Courtès
2015-10-02 13:04 ` [PATCH 4/4] emacs: Add 'guix-devel-lint-package' Alex Kost
2015-10-03 20:44   ` Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87wpv1tils.fsf@gnu.org \
    --to=ludo@gnu.org \
    --cc=alezost@gmail.com \
    --cc=guix-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).