From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-patches-bounces+larch=yhetil.org@gnu.org>
Received: from mp11.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms5.migadu.com with LMTPS
	id QB+sDfjwpWKbvQAAbAwnHQ
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sun, 12 Jun 2022 15:58:16 +0200
Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp11.migadu.com with LMTPS
	id YK+hDfjwpWJuzwAA9RJhRA
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sun, 12 Jun 2022 15:58:16 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id B31E9212E1
	for <larch@yhetil.org>; Sun, 12 Jun 2022 15:58:15 +0200 (CEST)
Received: from localhost ([::1]:52204 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	id 1o0O6Y-0004nv-Jf
	for larch@yhetil.org; Sun, 12 Jun 2022 09:58:14 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:47218)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1o0O6M-0004kb-1t
 for guix-patches@gnu.org; Sun, 12 Jun 2022 09:58:02 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:34194)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1o0O6L-0006y9-Pn
 for guix-patches@gnu.org; Sun, 12 Jun 2022 09:58:01 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1o0O6L-0001BN-MF
 for guix-patches@gnu.org; Sun, 12 Jun 2022 09:58:01 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#55903] [PATCH 25/41] gnu: Add
 go-github-com-protonmail-go-crypto-openpgp.
Resent-From: Maxime Devos <maximedevos@telenet.be>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Sun, 12 Jun 2022 13:58:01 +0000
Resent-Message-ID: <handler.55903.B55903.16550422724526@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 55903
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: "(" <paren@disroot.org>, 55903@debbugs.gnu.org
Received: via spool by 55903-submit@debbugs.gnu.org id=B55903.16550422724526
 (code B ref 55903); Sun, 12 Jun 2022 13:58:01 +0000
Received: (at 55903) by debbugs.gnu.org; 12 Jun 2022 13:57:52 +0000
Received: from localhost ([127.0.0.1]:56324 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1o0O6B-0001Av-U0
 for submit@debbugs.gnu.org; Sun, 12 Jun 2022 09:57:52 -0400
Received: from albert.telenet-ops.be ([195.130.137.90]:45478)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@telenet.be>) id 1o0O66-0001Ah-Py
 for 55903@debbugs.gnu.org; Sun, 12 Jun 2022 09:57:50 -0400
Received: from [172.20.10.9] ([188.189.9.200])
 by albert.telenet-ops.be with bizsmtp
 id iDxk2700H4JxQtG06DxkUh; Sun, 12 Jun 2022 15:57:45 +0200
Message-ID: <4d3af1c869ccdeded6e7b9990941218e6364df78.camel@telenet.be>
From: Maxime Devos <maximedevos@telenet.be>
Date: Sun, 12 Jun 2022 15:57:38 +0200
In-Reply-To: <CKO6KYN6A9L5.12S4T2DUPQQ88@guix-aspire>
References: <20220611191653.15471-1-paren@disroot.org>
 <20220611191653.15471-25-paren@disroot.org>
 <8bda65b813803639b127a174bbd0a74b3d383858.camel@telenet.be>
 <CKO3G991F1VH.LTTWS589JAVT@guix-aspire>
 <a8f8034efd3705f184bd9112589d8acbca13fef2.camel@telenet.be>
 <CKO6KYN6A9L5.12S4T2DUPQQ88@guix-aspire>
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-1Uu4wKWSQTaYI/eTTWOJ"
User-Agent: Evolution 3.38.3-1 
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r22;
 t=1655042265; bh=tNicjXWnxwnD2G0Sa7IKHMUuCSrTwLhyLmE3EX3xnZA=;
 h=Subject:From:To:Date:In-Reply-To:References;
 b=EWkwoL77eDqQXzReJWeje/Pgiczf88mFzSXGfJ6gE/2NqAnob4WfchIFX74eyX2PV
 OtRSBQaFnMax9x0sSUhNUS8f5/qucnp4a8S77Q1j9jFh9Zcsw/l3RqsPFechm3stRF
 8qBRFkfyZI+MdkX1xw1zPX4ftXFU3EqA1si8OndSLLa51tTW3lWMdjPPvVo5SNg/qQ
 2SkZhyVVWHmRxRNOA9BEwguMsiGId1bT8mBKziLCKamVlp8bEdPYiaCSAurIUIwwH/
 RIJLvbymG0Dw6bmBW+NYrjHNp/tqdgFIt6cOUF86kDEWNvQz6a1GIK5JSMNjghVkT6
 C1UNTJnKZXd4w==
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-To: larch@yhetil.org
X-Migadu-Country: US
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1655042295;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:resent-cc:resent-from:resent-sender:
	 resent-message-id:in-reply-to:in-reply-to:references:references:
	 list-id:list-help:list-unsubscribe:list-subscribe:list-post:
	 dkim-signature; bh=tNicjXWnxwnD2G0Sa7IKHMUuCSrTwLhyLmE3EX3xnZA=;
	b=LCcagzMzDaM5590Iip5+GB+zTVyW6qE7XWjNp46fBHj6CmA5ifX1hEIZZ+l3cae8Q2uWNA
	a3uK+gciz2KXPaWO20J8r3/LxZzS4IPVVCrPEHaJQuxMdaP4agkxtUEalDADBSqX172KsL
	IcGLrrI89dsKj+TyyyDwteiHqXrwCt622ZkezSyUfSNb5vDms0WTYV5MgqPfkMZL3mF8kO
	wua34QMcCf88PN6J9WlzyN5LkRKulonLeJvT64zjlutmLIL6bX9H032CqOIQcA+ZZBAi0m
	SGhHANt0ZYfSlp6Kzt0cdKXSqVgMTAv1b6oQzBQfJB9tAoZNiuvND/4VTjrS9Q==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1655042295; a=rsa-sha256; cv=none;
	b=CQjtc0V2MTKBYvy9yw8SkTMlcbfywWoD5mSFVAvwjUnwHGjWOZpFyfG4j3mEWIEEKnoMpy
	obKfE1e6MAjL6KphDcZuLkakHNVZS3VAUIH2OQfULDwVXYtVB//7Jm3u4p0JeA8ZIgP9C9
	lltOxoJgXwyAMn+XtOJu3W4Hs/E4Pbn8jU/L8nN2wLnk0JZ3kXcL7F0iaIJRZUna4zuYTp
	VgyU1vpDjOhyMf0m77+NmWVTvb/M4fPkG2rS/FnkJK5KX8jDCHXT3uY03dbNLdtO4O1XSJ
	hzCVbiA+Q5GBmtjdrgVP+UjjWzd6EZKUk6bJv0UntR8OjVaReRFtMnL7P5yAXg==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=telenet.be header.s=r22 header.b=EWkwoL77;
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=telenet.be (policy=none);
	spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Spam-Score: 3.61
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=telenet.be header.s=r22 header.b=EWkwoL77;
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=telenet.be (policy=none);
	spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Queue-Id: B31E9212E1
X-Spam-Score: 3.61
X-Migadu-Scanner: scn0.migadu.com
X-TUID: l6ln5v/0fAwS


--=-1Uu4wKWSQTaYI/eTTWOJ
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

( schreef op zo 12-06-2022 om 14:13 [+0100]:
> Seems a little risky just to avoid packaging one fork

It's not about _one_ fork, it's about forks in general.
And wasn't it backwards compatible?  And no need the slightly risky
=E2=80=98point the go-golang-org-x-crypto package at protonmail=E2=80=99 if=
 it is
upstreamed instead.

> Anyway, I think it'd probably just drive people even further away
> from distribution package management towards the "modern" (read:
> insecure, bloated, and inherently flawed) stuff like Docker and
> Flatpak.

At some point, if people shoot theirselves in the foot by being misled
by other projects, that's not something Guix can help with avoiding I
think.  (Unless someone wants to start an awareness campaign?)

Anyway, I don't follow -- your proposal is to include all the forks
where used by upstream, which leads to insecurity because:

  * more packages -> more complexity -> more difficult to do changes
  * more packages -> more packages that can be out-of-date
  * more forks -> more forks that might be unmaintained and hence be at
    risk of being known-insecure by attackers without an update
    available
  * more packages -> more packages that need to be updated -> less time
    for structural improvement on security
  * more packages -> more opportunity for malware to enter.

and also:

  * more packages that +- do the same thing -> bloat

So from here, the proposal implies making packaging in Guix worse in
some aspects, such that people don't use other system's that are bad in
the same aspects ...  I don't think it's a good idea to start a =E2=80=98ra=
ce
to the bottom=E2=80=99 [0].

[0] https://en.wikipedia.org/wiki/Race_to_the_bottom

Greetings,
Maxime.

--=-1Uu4wKWSQTaYI/eTTWOJ
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYqXw0hccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7iTWAP4hTOGSwH6jp5rzjH2m2KxKkZcs
gEbcSFDyu/dgzflKgwD/as6S/emLYONgxypI4kAhuD5EcXprmGIy5ic70ZAX3QI=
=B/K4
-----END PGP SIGNATURE-----

--=-1Uu4wKWSQTaYI/eTTWOJ--