From: Ludovic Courtès
Date: Fri, 29 Nov 2024 10:40:19 +0100
Subject: [bug#74542] [PATCH v2 16/16] etc: Add upgrade manifest.
Message-ID: <11eaf63e70243255682cb325b8781dcb28841b7c.1732872499.git.ludo@gnu.org>
To: 74542@debbugs.gnu.org
Cc: Ludovic Courtès, Christopher Baines, Josselin Poiret, Mathieu Othacehe, Simon Tournier, Tobias Geerinckx-Rice

* guix/scripts/build.scm (dependents): Export.
* etc/upgrade-manifest.scm: New file.
* Makefile.am (EXTRA_DIST): Add it.

Change-Id: I1b2a2ebd09e559c68da9f25772bf33caacb4c031
---
 Makefile.am              |   1 +
 etc/upgrade-manifest.scm | 128 +++++++++++++++++++++++++++++++++++++++
 guix/scripts/build.scm   |   2 +
 3 files changed, 131 insertions(+)
 create mode 100644 etc/upgrade-manifest.scm
diff --git a/Makefile.am b/Makefile.am index e94ba87797..0cff32c607 100644 --- a/Makefile.am +++ b/Makefile.am @@ -743,6 +743,7 @@ EXTRA_DIST += \ etc/source-manifest.scm \ etc/system-tests.scm \ etc/time-travel-manifest.scm \ + etc/upgrade-manifest.scm \ scripts/guix.in \ tests/cve-sample.json \ tests/keys/civodul.pub \ diff --git a/etc/upgrade-manifest.scm b/etc/upgrade-manifest.scm new file mode 100644 index 0000000000..5e6d7d85e4 --- /dev/null +++ b/etc/upgrade-manifest.scm 
@@ -0,0 +1,128 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Ludovic Courtès +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +;; This manifest computes upgrades of key packages using updaters from (guix +;; upstream) and supporting code for the 'with-latest' transformation. + +(use-modules (guix memoization) + (guix monads) + (guix graph) + (guix packages) + (guix profiles) + (guix store) + (guix transformations) + (guix upstream) + ((guix scripts build) #:select (dependents)) + ((guix scripts graph) #:select (%bag-node-type)) + ((guix import github) #:select (%github-api)) + (guix build-system gnu) + (guix build-system cmake) + ((gnu packages) #:select (all-packages)) + + (gnu packages backup) + (gnu packages curl) + (gnu packages freedesktop) + (gnu packages gnupg) + (gnu packages ssh) + (gnu packages tls) + (gnu packages version-control) + (gnu packages xorg) + + (ice-9 match) + (srfi srfi-1)) + +;; Bypass the GitHub updater: we'd need an API token or we would hit the rate +;; limit. +(%github-api "http://example.org") + +(define security-packages + (list xorg-server + elogind + + openssl + gnutls + curl + curl-ssh + + libarchive + libgit2 + libssh + + ;; GnuPG. 
+ libassuan + libgpg-error + libgcrypt + libksba + npth + gnupg + gpgme + pinentry)) + +(define latest-version + (mlambdaq (package) + (package-with-upstream-version package + ;; Preserve patches and snippets to get + ;; exactly the same as what we'd have with + ;; 'guix refresh -u PACKAGE'. + #:preserve-patches? #t + + ;; XXX: Disable source code authentication: + ;; this requires a local keyring, populated + ;; from key servers, but key servers may be + ;; unreliable or may lack the upstream + ;; keys. Leave it up to packagers to + ;; actually authenticate code and make sure + ;; it matches what this manifest computed. + #:authenticate? #f))) + +(define individual-security-upgrades + ;; Upgrades of individual packages with their direct dependents built + ;; against that upgrade. + (manifest + (with-store store + (append-map (lambda (package) + (let* ((name (package-name package)) + (newest (latest-version package)) + (update (package-input-rewriting + `((,package . ,newest))))) + (map (lambda (package) + (manifest-entry + (inherit (package->manifest-entry + (update package))) + (name (string-append (package-name package) + "-with-latest-" name)))) + (dependents store (list package) 1)))) + security-packages)))) + +(define joint-security-upgrades + ;; All of SECURITY-PACKAGES updated at once, together with their dependents. + (manifest + (with-store store + (let ((update-all (package-input-rewriting + (map (lambda (package) + `(,package . ,(latest-version package))) + security-packages)))) + (map (lambda (package) + (manifest-entry + (inherit (package->manifest-entry + (update-all package))) + (name (string-append (package-name package) "-full-upgrade")))) + (dependents store security-packages 2)))))) + +(concatenate-manifests + (list individual-security-upgrades joint-security-upgrades)) diff --git a/guix/scripts/build.scm b/guix/scripts/build.scm index d1368f7e48..0080f1fe58 100644 --- a/guix/scripts/build.scm +++ b/guix/scripts/build.scm 
@@ -63,6 +63,8 @@ (define-module (guix scripts build) show-cross-build-options-help show-native-build-options-help + dependents + guix-build register-root register-root*)) -- 2.46.0
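Review bot: in etc/upgrade-manifest.scm, latest-version passes "#:authenticate? #f" to package-with-upstream-version, so the newest upstream sources for every entry in security-packages (openssl, gnutls, gnupg, libgcrypt and the rest) are fetched without signature verification, and nothing in the resulting manifest entries records that. The XXX comment explains the keyring problem, but the caveat is only visible to someone reading this one procedure. Consider stating in the file's top-level comment that the sources behind these entries are unauthenticated and that packagers must authenticate the code themselves before committing an update. Separately, in individual-security-upgrades the inner "(lambda (package) ...)" shadows the outer package, so "(package-name package)" in the name field refers to the dependent while name refers to the upgraded package; renaming the inner variable (for example to dependent) would make that easier to follow. Several imports are also not referenced in the lines shown, namely (guix monads), (guix graph), (guix transformations), %bag-node-type, (guix build-system gnu), (guix build-system cmake), all-packages and (ice-9 match), and could be dropped.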
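Review bot: the new export of dependents in the define-module form of guix/scripts/build.scm turns a procedure of the build script into an interface that etc/upgrade-manifest.scm now depends on, and its callers pass a bare third positional argument (1 in individual-security-upgrades, 2 in joint-security-upgrades) whose meaning is not visible at the call sites. The hunk does not show the procedure's docstring, so please check that it says what that number means (the manifest comment implies that 1 selects direct dependents); a keyword argument would make the call sites self-explanatory.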