From mboxrd@z Thu Jan  1 00:00:00 1970
From: Alex Kost <alezost@gmail.com>
Subject: Re: [PATCH 2/4] emacs: Add 'guix-devel-download-package-source'.
Date: Tue, 06 Oct 2015 18:11:42 +0300
Message-ID: <87a8rwf2vl.fsf@gmail.com>
References: <1443791046-1015-1-git-send-email-alezost@gmail.com>
	<1443791046-1015-3-git-send-email-alezost@gmail.com>
	<87d1wvadw2.fsf@gnu.org> <87bnceah2e.fsf@gmail.com>
	<87r3la6077.fsf@gnu.org> <87eghalc7s.fsf@gmail.com>
	<87wpv1tils.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51799)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <alezost@gmail.com>) id 1ZjTu8-0001Hx-3P
	for guix-devel@gnu.org; Tue, 06 Oct 2015 11:11:53 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <alezost@gmail.com>) id 1ZjTu4-0002zW-Fd
	for guix-devel@gnu.org; Tue, 06 Oct 2015 11:11:48 -0400
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: guix-devel@gnu.org

Ludovic Court=C3=A8s (2015-10-05 18:55 +0300) wrote:

> Alex Kost <alezost@gmail.com> skribis:
>
>> Ludovic Court=C3=A8s (2015-10-04 19:57 +0300) wrote:
>>
[...]
>>> In that case, I would suggest something based on the URL at point rather
>>> than the origin at point.
>>
>> It's neither URL at point, nor origin at point: it's like "C-c . b" but
>> to download the source of the current package definition instead of
>> building it.
>>
>> Also I don't understand how it can be based on the URL at point as
>> instead of the full URL, we have something like this:
>>
>>   (uri (string-append "http://.../foo-" version ".tar.xz"))
>>
>> So currently to use "guix download", at first you need to manually
>> construct the full URL.  I find this inconvenient, that's why I want to
>> have a command to download a source of the current package and to
>> display its hash.
>
> Yes, that make sense.
>
> The problem I had in mind was that, when writing a new package
> definition from scratch, you don=E2=80=99t know the SHA256 yet, but =E2=
=80=98sha256=E2=80=99 is
> a required field of =E2=80=98origin=E2=80=99.  So one would have to write=
 a fake
> =E2=80=98sha256=E2=80=99 value just for the sake of being able to use tha=
t feature,
> which seems odd to me.
>
> See what I mean?  How would you handle such a case?

I don't see a problem here, since a fake sha256 may be any string, for
example "" (an empty string).  Also I believe people begin to write a
new package from some template, so you have a working skeleton of future
package with all required fields from the very beginning.  Then after
filling an origin 'uri', you could "C-c . s" to download the source and
get its hash.

>>> However, if this is =E2=80=9Ctoo convenient=E2=80=9D, I=E2=80=99m afrai=
d this would give an
>>> incentive to not check OpenPGP signatures when they are available.
>>
>> Sorry, I have no idea what it means :-(
>
> When upstream digitally signs its source code tarballs, packagers should
> check those signatures to authenticate the code they have.
>
> If the tool makes it too easy to fill out the =E2=80=98sha256=E2=80=99 fi=
eld without
> going through the trouble of downloading the =E2=80=98.sig=E2=80=99 file =
and checking
> it, then people will have an incentive not to check those signatures.

Oh, now I see what you mean.  Well, I don't know, I think if a user has
a habbit to check a signature, he will check it anyway; and if not, then
not.  Besides, at first a packager needs to find an URL of the source
tarball, so he will meet a signature anyway, if it exists.  So it's up
to him if he checks it or not.

(I confess that I never check signatures)

>>>> At first I also thought about building a package source and then to
>>>> calculate the hash of the store file, but this way will lead to the
>>>> wrong hashes for "snippet"-ed origins.  Or do I miss anything?
>>>
>>> Well, I think bindings for =E2=80=98package-source-derivation=E2=80=99 =
would also be
>>> useful, but IIUC this is not what you had in mind.
>>
>> If you mean to make a command to build the current package source, it
>> can be done, although I don't see how it can be useful.
>
> It=E2=80=99s occasionally useful, similar to =E2=80=98guix build -S=E2=80=
=99 or the =E2=80=9CShow=E2=80=9D
> button in package info buffers, except that it would operate directly on
> the package at point.
>
> WDYT?

Indeed, I agree.  So if you don't mind the =E2=80=9Cdownload=E2=80=9D comma=
nd, then
since there will be 2 commands for working with the source of the
current package, what about the following key bindings for them:

"C-c . s d" - to download the source (to know its hash)
"C-c . s b" - to build it

--=20
Alex