Timotej Lazar writes: > Thanks for the feedback! I am sending updated patches after this reply. > > Christopher Baines [2020-01-25 09:16:08+0000]: >> I did have a look if the package builds with the mbedtls-apache >> package, rather than using the included source code, and it looks to. >> Although I'm aware that [1] says there are modifications. > > The two Godot patches for mbedtls don’t seem to be relevant to Guix, so > I replaced the bundled copy with the mbedtls-apache package. I don’t > have a use case to test this, but the minimal example from the > HTTPRequest tutorial seems to work OK with an HTTPS URI. Wonderful :) > Christopher Baines [2020-01-25 09:18:33+0000]: >> One thought I had here is that it would be more rigorous to have a list >> of directories that are kept, and anything not on the list is deleted. >> That way it's harder for new thirdparty dependencies to sneak in. > > Makes sense. As you suggest, I flipped the logic for removing thirdparty > files: whitelist preserved files and remove everything else. The snippet > can only preserve direct children of the thirdparty/ directory, which > keeps it simple but perhaps not flexible enough in the long run. Great, this looks really useful. > Do we generally prefer whitelisting bundled files? Most packages I have > seen (and written) do the opposite and list the files to remove. Maybe > we could add a guideline somewhere? Or point me to the one I missed. :) I don't know if it's written down somewhere, all I can say is it occurred to me when looking at the package definition. I've pushed the 3 latest patches you sent to master, so they're included in 18f8e935e85a99d5c284c0a6b719351a402ada21. Thanks, Chris