unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
blob 8136b8f8d49a92a0bea8de90f05ff5a5520abf87 5629 bytes (raw)
name: etc/manifests/upgrade.scm 	 # note: path name is non-authoritative(*)

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
 
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2024 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;; This manifest computes upgrades of key packages using updaters from (guix
;; upstream) and supporting code for the 'with-latest' transformation.

(use-modules (guix memoization)
             (guix monads)
             (guix graph)
             (guix packages)
             (guix profiles)
             (guix store)
             (guix transformations)
             (guix upstream)
             ((guix scripts build) #:select (dependents))
             ((guix scripts graph) #:select (%bag-node-type))
             ((guix import github) #:select (%github-api))
             (guix build-system gnu)
             (guix build-system cmake)
             ((gnu packages)
              #:select (all-packages specification->package))

             (gnu packages backup)
             (gnu packages curl)
             (gnu packages freedesktop)
             (gnu packages gnupg)
             (gnu packages ssh)
             (gnu packages tls)
             (gnu packages xorg)

             (ice-9 match)
             (srfi srfi-1))

;; Bypass the GitHub updater: we'd need an API token or we would hit the rate
;; limit.
(%github-api "http://example.org")

(define security-packages
  (list xorg-server
        elogind

        openssl
        gnutls
        curl
        curl-ssh

        libarchive
        libssh

        ;; Since there are several libgit2 versions, pick the latest one and
        ;; compute the upgrade against that one.
        (specification->package "libgit2")

        ;; GnuPG.
        libassuan
        libgpg-error
        libgcrypt
        libksba
        npth
        gnupg
        gpgme
        pinentry))

(define latest-version
  (mlambdaq (package)
    (package-with-upstream-version package
                                   ;; Preserve patches and snippets to get
                                   ;; exactly the same as what we'd have with
                                   ;; 'guix refresh -u PACKAGE'.
                                   #:preserve-patches? #t

                                   ;; XXX: Disable source code authentication:
                                   ;; this requires a local keyring, populated
                                   ;; from key servers, but key servers may be
                                   ;; unreliable or may lack the upstream
                                   ;; keys.  Leave it up to packagers to
                                   ;; actually authenticate code and make sure
                                   ;; it matches what this manifest computed.
                                   #:authenticate? #f)))

(define individual-security-upgrades
  ;; Upgrades of individual packages with their direct dependents built
  ;; against that upgrade.
  (manifest
   (with-store store
     (append-map (lambda (package)
                   (let* ((name (package-name package))
                          (newest (latest-version package))
                          (update (package-input-rewriting
                                   `((,package . ,newest)))))
                     (map (lambda (package)
                            (manifest-entry
                              (inherit (package->manifest-entry
                                        (update package)))
                              (name (string-append (package-name package)
                                                   "-with-latest-" name))))
                          (dependents store (list package) 1))))
                 security-packages))))

(define joint-security-upgrades
  ;; All of SECURITY-PACKAGES updated at once, together with their dependents.
  (manifest
   (with-store store
     (let ((update-all (package-input-rewriting
                        (map (lambda (package)
                               `(,package . ,(latest-version package)))
                             security-packages)
                        #:recursive? #t)))
       (map (lambda (package)
              (manifest-entry
                (inherit (package->manifest-entry
                          (update-all package)))
                (name (string-append (package-name package) "-full-upgrade"))))
            (dependents store security-packages 2))))))

;; Install a UTF-8 locale so that file names in Git checkouts are interpreted
;; as UTF-8 (the libgit2 source tree contains non-ASCII file names, for
;; instance).  XXX: This works around the fact that 'cuirass register' and
;; thus 'cuirass evaluate' may not be running with a UTF-8 locale.
(unless (string-suffix? ".UTF-8" (setlocale LC_ALL))
  (or (false-if-exception (setlocale LC_ALL "C.UTF-8"))
      (false-if-exception (setlocale LC_ALL "en_US.UTF-8"))
      (format (current-error-port) "warning: failed to install UTF-8 locale~%")))

(concatenate-manifests
 (list individual-security-upgrades joint-security-upgrades))

debug log:

solving 8136b8f8d4 ...
found 8136b8f8d4 in https://yhetil.org/guix-patches/e0901d4ef227f34b0014232bea72555f2720488d.1734279715.git.ludo@gnu.org/
found 03a7d6d319 in https://git.savannah.gnu.org/cgit/guix.git
preparing index
index prepared:
100644 03a7d6d319ef863e87126ad1b353cb63982fd579	etc/manifests/upgrade.scm

applying [1/1] https://yhetil.org/guix-patches/e0901d4ef227f34b0014232bea72555f2720488d.1734279715.git.ludo@gnu.org/
diff --git a/etc/manifests/upgrade.scm b/etc/manifests/upgrade.scm
index 03a7d6d319..8136b8f8d4 100644

Checking patch etc/manifests/upgrade.scm...
Applied patch etc/manifests/upgrade.scm cleanly.

index at:
100644 8136b8f8d49a92a0bea8de90f05ff5a5520abf87	etc/manifests/upgrade.scm

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.^

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).