From: Christopher Baines
Subject: Tracking and inspecting how Guix changes over time
Date: Fri, 08 Feb 2019 13:20:39 +0000
Message-ID: <87k1ia5sd4.fsf@cbaines.net>
To: guix-devel@gnu.org

In summary, I've started playing around with a new service, I'm currently calling it the "Guix Data Service". The code is here [1], it's based off of Ricardo's excellent Mumi, and at the moment only does one thing, a basic comparison of two different versions (commits) of Guix for the few commits it has data for. I've got it up and running here [2].

1: https://git.cbaines.net/guix/data-service/
2: https://prototype-guix-data-service.cbaines.net/

This follows on from the work around reviewing patches for Guix, at the moment, I've set up Patchwork [3] to gather up patches sent to guix-patches, Laminar [4] to apply those patches to the Guix master branch and then push the resulting changes to a git repository [5].

3: https://patchwork.cbaines.net/project/guix-patches/list/
4: https://laminar.cbaines.net/
5: https://git.cbaines.net/guix/patches/

To get to the point where as part of some automated review process, packages affected by patch series can be built, and then the results of this compared with the previous state in Guix, it's necessary to understand if the packages currently build successfully, and then you need to check if those same packages build with the patches applied.

This is what I'm attempting to work towards with this new service. You give it a commit and a repository URL. It then fetches that revision of Guix using the same mechanism as guix pull, and extracts the information about packages through the Guix inferiors code. This information about packages is then stored in the database.

For querying, you provide two commits, and the comparison is generated from the information stored in the database. It displays new packages, removed packages, packages where the available versions have changed, and then "Other changed packages" which are ones where the metadata (synopsis, description, home-page, ...) or derivation has changed.

I've hooked this up to Patchwork and Laminar, so you can see some initial data in the following 3 examples.

The following links relate to a couple of patches affecting the Ruby build system.

Issue: https://issues.guix.info/issue/34385
Patchwork series: https://patchwork.cbaines.net/project/guix-patches/list/?series=535
Laminar job: https://laminar.cbaines.net/jobs/patchwork-test-series/889
Git commits: https://git.cbaines.net/guix/patches/log/?h=series-535-version-1&qt=range&q=base-for-series-535-version-1..series-535-version-1
Comparison: https://prototype-guix-data-service.cbaines.net/compare?base_commit=6fd72f7094885dc3dbb10431996c445251094915&target_commit=7d70e05d7064f31a8de60b04d22ac16c1953b7a9

The following links relate to some printing changes in Gnome.

Issue: https://issues.guix.info/issue/34240
Patchwork series: https://patchwork.cbaines.net/project/guix-patches/list/?series=482
Laminar job: https://laminar.cbaines.net/jobs/patchwork-test-series/886
Git commits: https://git.cbaines.net/guix/patches/log/?h=series-482-version-1&qt=range&q=base-for-series-482-version-1..series-482-version-1
Comparison: https://prototype-guix-data-service.cbaines.net/compare?base_commit=bc041b3e264380bd49025515d3c5d11319aa3f50&target_commit=e396076117623efb6351b845ec61b4572457c3e0

The following links relate to some new Ruby packages.

Issue: https://issues.guix.info/issue/34217
Patchwork series: https://patchwork.cbaines.net/project/guix-patches/list/?series=474
Laminar job: https://laminar.cbaines.net/jobs/patchwork-test-series/887
Git commits: https://git.cbaines.net/guix/patches/log/?h=series-474-version-1&qt=range&q=base-for-series-474-version-1..series-474-version-1
Comparison: https://prototype-guix-data-service.cbaines.net/compare?base_commit=bc041b3e264380bd49025515d3c5d11319aa3f50&target_commit=0645e6beb8c1a8818c3764a42dcc8598c8711e7b

So, in terms of reviewing patches, I don't think this isn't actually that helpful, yet. I would guess that it's still more useful to look at the actual patches.
However, I think this kind of information could be useful in the future, for example checking that patches that shouldn't affect any derivations indeed don't, or providing a more general way of assessing the number of rebuilds that a patch series would cause.

I've also gone with this very general approach of a service to handle data relating to Guix, as I think it could be useful for purposes other than reviewing patches, assessing security issues for example.

In terms of building the packages that correspond to patches, one way forward that I have in mind is to somehow get a Cuirass instance to build the branch corresponding to a patch series. Then, work out what packages have been affected by querying the "Guix Data Service". Then query Cuirass to work out if those affected packages built before the changes, and also if they build with the patches applied.

Going back to this new service though, I've hooked it up to the patchwork-test-series [6] job in Laminar. It enqueues a job to load the data for the "base" commit, the one the patches are being applied to, and then echoes the URL to use to compare the two commits. Unfortunately, this URL won't work for the following reason...

6: https://laminar.cbaines.net/cfg/jobs/patchwork-test-series.run

Currently, I'm only enqueuing the base commit, as I'm a little concerned about the security implications of effectively running guix pull on Guix with the patches applied. For the examples above, I've manually enqueued the commit resulting from the patches being applied.

As far as I can see, guix pull/the channels code directly evaluates some Guile code from the source repository. It would be great if this could somehow be isolated to guard against any malicious patches that try to attack the machine running the Guix Data Service, I haven't thought much about how yet.

Similarly, using the inferiors approach to extract out information from Guix requires running a REPL from the target Guix.
This could also pose security issues. I was wondering if it was possible to run the REPL within a container, to at least isolate it a bit from the system.

One other point is that while I've gone with the "web service" approach here, I think it would be very useful to have a "guix compare" command that did something similar.

Anyway, this email has got far too long. Any thoughts, just let me know,

Thanks,

Chris
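
The four-way comparison described in the message (new, removed, version-changed and "other changed" packages), together with the check that a patch series rebuilds only the packages a reviewer expected, sketched as an added Python example. It is not code from the Guix Data Service; the `Pkg` record, the function names and all sample data are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, NamedTuple, Set, Tuple

class Pkg(NamedTuple):
    synopsis: str      # stands in for all metadata fields
    derivation: str    # derivation file name (constructed, not real store paths)

Snapshot = Dict[Tuple[str, str], Pkg]   # (name, version) -> Pkg, one per commit

def by_name(snap: Snapshot) -> Dict[str, Dict[str, Pkg]]:
    out: Dict[str, Dict[str, Pkg]] = defaultdict(dict)
    for (name, version), pkg in snap.items():
        out[name][version] = pkg
    return out

def compare(base: Snapshot, target: Snapshot) -> Dict[str, Set[str]]:
    """Classify package names into the four groups the message lists."""
    b, t = by_name(base), by_name(target)
    result = {"new": set(t) - set(b), "removed": set(b) - set(t),
              "version_changed": set(), "other_changed": set()}
    for name in set(b) & set(t):
        if set(b[name]) != set(t[name]):
            result["version_changed"].add(name)
        elif b[name] != t[name]:   # same versions; metadata or derivation differs
            result["other_changed"].add(name)
    return result

def rebuilds(base: Snapshot, target: Snapshot) -> Set[str]:
    """Packages whose target derivation did not exist at the base commit."""
    known = {pkg.derivation for pkg in base.values()}
    return {name for (name, _), pkg in target.items() if pkg.derivation not in known}

def unexpected_rebuilds(base: Snapshot, target: Snapshot, expected: Set[str]) -> Set[str]:
    """Rebuilt packages outside the set a reviewer expected the series to touch."""
    return rebuilds(base, target) - expected

# Constructed sample snapshots for a base commit and a patched commit.
BASE: Snapshot = {
    ("ruby", "2.5.3"): Pkg("Programming language", "aaa-ruby-2.5.3.drv"),
    ("ruby-rake", "12.3.1"): Pkg("Make-like tool", "bbb-ruby-rake-12.3.1.drv"),
    ("cups", "2.2.8"): Pkg("Printing system", "ccc-cups-2.2.8.drv"),
    ("hello", "2.10"): Pkg("Hello, GNU world", "ddd-hello-2.10.drv"),
}
TARGET: Snapshot = {
    ("ruby", "2.5.3"): Pkg("Programming language", "aaa-ruby-2.5.3.drv"),
    ("ruby-rake", "12.3.1"): Pkg("Make-like tool", "eee-ruby-rake-12.3.1.drv"),
    ("cups", "2.2.10"): Pkg("Printing system", "fff-cups-2.2.10.drv"),
    ("ruby-ox", "2.6.0"): Pkg("XML parser", "ggg-ruby-ox-2.6.0.drv"),
}
```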