Marius Bakke writes:

> Leo Famulari writes:
>
>> On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
>>> Side note: I think we should start adding patches as origins instead of
>>> copying them wholesale, to try and keep the git repository slim.
>>
>> We should make a git-minimal package for things like this, or use
>> guile-git / libgit2. Git itself is a very "heavy" package.
>
> No, I mean adding patches like this:
>
> (define %CVE-1970-0001.patch
>   (origin
>     (method url-fetch)
>     (uri "https://example.com/CVE-2017-0001.patch")
>     (sha256
>      (base32
>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
>
> (package
>   (...
>     (patches (list (search-patch "guix-specific-stuff.patch")
>                    %CVE-1970-0001.patch)))
>
> That only requires the built-in guix downloader.

Are you suggesting we should download the patch directly from upstream
or security advisory if they provide it and fall back to copying if they
don't?
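
An added example, not part of the thread and not Guix's own code: a stand-alone Python re-implementation of the check that the `sha256` / `base32` field of an origin like the one quoted above stands for, so that a patch fetched by URL is accepted only if its bytes match the pin. The function names and the sample patch are constructed for illustration.

```python
import hashlib
import hmac

# Alphabet of the nix-base32 encoding that Guix uses for origin hashes
# (the letters e, o, t and u are omitted).
ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"
DIGEST_LEN = 32    # bytes in a SHA-256 digest
ENCODED_LEN = 52   # ceil(256 / 5) characters


def encode_hash(digest: bytes) -> str:
    """Read the digest as a little-endian integer and emit 5-bit digits,
    most significant digit first."""
    n = int.from_bytes(digest, "little")
    length = (len(digest) * 8 + 4) // 5
    return "".join(ALPHABET[(n >> (5 * i)) & 31] for i in reversed(range(length)))


def decode_hash(text: str) -> bytes:
    """Decode a pinned SHA-256 string, rejecting malformed input."""
    if len(text) != ENCODED_LEN:
        raise ValueError("expected %d characters, got %d" % (ENCODED_LEN, len(text)))
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("character %r is not in the alphabet" % ch)
        n = (n << 5) | idx
    if n >> (DIGEST_LEN * 8):
        raise ValueError("non-zero padding bits")
    return n.to_bytes(DIGEST_LEN, "little")


def pin_for(data: bytes) -> str:
    """Hash string a packager would record for these exact bytes."""
    return encode_hash(hashlib.sha256(data).digest())


def patch_matches_pin(patch: bytes, pinned: str) -> bool:
    """True only if the fetched bytes hash to the pinned value."""
    return hmac.compare_digest(hashlib.sha256(patch).digest(), decode_hash(pinned))


# Constructed sample data, not a real patch.
GOOD = b"--- a/f.c\n+++ b/f.c\n@@ -1 +1 @@\n-strcpy(d, s);\n+strlcpy(d, s, n);\n"
PIN = pin_for(GOOD)
# Same fix, but the server now emits a different hunk header: the bytes differ.
REGENERATED = GOOD.replace(b"@@ -1 +1 @@", b"@@ -1,1 +1,1 @@")
```

`patch_matches_pin(REGENERATED, PIN)` is false even though the fix is unchanged: the pin covers the exact bytes served at the URL, not the meaning of the patch.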