ng0 transcribed 2.4K bytes: > Marius Bakke transcribed 1.4K bytes: > > Leo Famulari writes: > > > > > On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote: > > >> Side note: I think we should start adding patches as origins instead of > > >> copying them wholesale, to try and keep the git repository slim. > > > > > > We should make a git-minimal package for things like this, or use > > > guile-git / libgit2. Git itself is a very "heavy" package. > > > > No, I mean adding patches like this: > > > > (define %CVE-1970-0001.patch > > (origin > > (method url-fetch) > > (uri "https://example.com/CVE-2017-0001.patch") > > (sha256 > > (base32 > > "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k")))) > > > > (package > > (... > > (patches (list (search-patch "guix-specific-stuff.patch") > > %CVE-1970-0001.patch))) > > > > That only requires the built-in guix downloader. > > I think we should reduce connections we have to make > and assume that patches could disappear. > I keep patches and sources around in offline and > online ways because of this. If a source should > disappear I could fall back to my storage. > > For cases like our icecat the patches are already > fetched because they come directly from the upstream > repository as far as I remember. That's okay. Actually in cases of cgit, github, gitlab, and maybe some other git focused web instances we can do what icecat does or just use URLs like: https://git.gnome.org/browse/libxml2/snapshot/libxml2-92b9e8c8b3787068565a1820ba575d042f9eec66.tar.xz I think it's okay to fetch CVE patches like this because they come directly from upstream commits and we know the hash of the file. -- ng0 GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 GnuPG: https://n0is.noblogs.org/my-keys https://www.infotropique.org https://krosos.org