From: Alex Vong
Subject: Re: Fetching patches as origins instead of copying them into the Guix Git repo
Date: Sun, 03 Sep 2017 01:09:32 +0800
Message-ID: <87tw0l3u43.fsf@gmail.com>
In-Reply-To: <87shg7l812.fsf@fastmail.com> (Marius Bakke's message of "Thu, 31 Aug 2017 23:52:25 +0200")
To: Marius Bakke
Cc: guix-devel@gnu.org

Marius Bakke writes:

> Leo Famulari writes:
>
>> On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
>>> Side note: I think we should start adding patches as origins instead of
>>> copying them wholesale, to try and keep the git repository slim.
>>
>> We should make a git-minimal package for things like this, or use
>> guile-git / libgit2. Git itself is a very "heavy" package.
>
> No, I mean adding patches like this:
>
> (define %CVE-1970-0001.patch
>   (origin
>     (method url-fetch)
>     (uri "https://example.com/CVE-2017-0001.patch")
>     (sha256
>      (base32
>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
>
> (package
>   (...
>    (patches (list (search-patch "guix-specific-stuff.patch")
>                   %CVE-1970-0001.patch)))
>
> That only requires the built-in guix downloader.

Are you suggesting we should download the patch directly from upstream or
security advisory if they provide it and fall back to copying if they
don't?
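What makes a remotely fetched patch origin like the one quoted above safe to reference is the pinned `sha256`: the download is accepted only if its content hash matches. The following is an added example, not code from this thread or from Guix; it re-implements the Nix-style base32 encoding Guix uses for such hashes, and the function names and the sample patch are constructed for illustration.

```python
import hashlib

# Nix-style base32 alphabet used for Guix hashes (omits e, o, t, u).
ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"

def nix_base32_encode(data: bytes) -> str:
    """Encode bytes the way Guix's (base32 "...") strings are written."""
    n_chars = (len(data) * 8 - 1) // 5 + 1
    out = []
    for n in range(n_chars - 1, -1, -1):      # most significant digit first
        i, j = divmod(n * 5, 8)               # byte index, bit offset
        chunk = data[i] >> j
        if i + 1 < len(data):
            chunk |= data[i + 1] << (8 - j)   # bits spilling into next byte
        out.append(ALPHABET[chunk & 0x1F])
    return "".join(out)

def well_formed_pin(pin: str) -> bool:
    """A sha256 pin is 52 digits; the leading digit carries one bit only."""
    return (len(pin) == 52 and pin[0] in "01"
            and all(c in ALPHABET for c in pin))

def verify_patch(content: bytes, pin: str) -> bool:
    """Accept a downloaded patch only if its sha256 matches the pin."""
    if not well_formed_pin(pin):
        return False
    return nix_base32_encode(hashlib.sha256(content).digest()) == pin

# Constructed sample: the patch as reviewed when the origin was written.
REVIEWED_PATCH = (b"--- a/src/parse.c\n+++ b/src/parse.c\n@@ -1 +1 @@\n"
                  b"-len = n;\n+len = n < MAX ? n : MAX;\n")
PINNED = nix_base32_encode(hashlib.sha256(REVIEWED_PATCH).digest())

if __name__ == "__main__":
    # Same URL, same bytes: accepted.
    print("reviewed patch:", verify_patch(REVIEWED_PATCH, PINNED))
    # Upstream later serves different bytes at the same URL: rejected.
    changed = REVIEWED_PATCH.replace(b"MAX ? n", b"MAX ? 0")
    print("changed patch: ", verify_patch(changed, PINNED))
```

A mismatch means the bytes at the URL are not the ones that were reviewed, whether from tampering or from upstream regenerating the patch, which is the case where a copy kept in the repository is the fallback.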