Re: Fetching patches as origins instead of copying them into the Guix Gi
From: Marius Bakke
Subject: Re: Fetching patches as origins instead of copying them into the Guix Git repo
Date: Mon, 04 Sep 2017 20:47:16 +0200
User-agent: Notmuch/0.25 (https://notmuchmail.org) Emacs/25.2.1 (x86_64-unknown-linux-gnu)

Alex Vong <address@hidden> writes:
> Marius Bakke <address@hidden> writes:
>
>> Leo Famulari <address@hidden> writes:
>>
>>> On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
>>>> Side note: I think we should start adding patches as origins instead of
>>>> copying them wholesale, to try and keep the git repository slim.
>>>
>>> We should make a git-minimal package for things like this, or use
>>> guile-git / libgit2. Git itself is a very "heavy" package.
>>
>> No, I mean adding patches like this:
>>
>> (define %CVE-1970-0001.patch
>>   (origin
>>     (method url-fetch)
>>     (uri "https://example.com/CVE-2017-0001.patch")
>>     (sha256
>>      (base32
>>       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
>>
>> (package
>>   (...
>>    (patches (list (search-patch "guix-specific-stuff.patch")
>>                   %CVE-1970-0001.patch)))
>>
>> That only requires the built-in guix downloader.
>
> Are you suggesting we should download the patch directly from upstream
> or security advisory if they provide it and fall back to copying if they
> don't?

Yes, indeed; sorry for the crude explanation. Fetching instead of
copying serves two purposes: saves size in the guix repository, and
removes the need to verify patches manually as you only have to trust
their origin.

I sent an example here: <https://bugs.gnu.org/28330#11>.
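
Added example (not part of the original message and not Guix's own code): a Python sketch of the check that the sha256/base32 field of such an origin implies. The fetched patch is accepted only if its SHA-256 equals the pinned digest, which is written in the nix-base32 encoding, so a file that changes upstream after review is rejected. The patch bytes and the names nix_base32_encode, nix_base32_decode and patch_matches_pin are constructed for illustration.

```python
import hashlib

# Alphabet of the nix-base32 encoding (no e, o, t, u).
ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32_encode(data: bytes) -> str:
    """Encode bytes the way the string inside (base32 "...") is written."""
    n = int.from_bytes(data, "little")
    length = (len(data) * 8 + 4) // 5  # 52 characters for a 32-byte digest
    return "".join(ALPHABET[(n >> (5 * k)) & 31] for k in reversed(range(length)))


def nix_base32_decode(text: str) -> bytes:
    """Inverse of nix_base32_encode; rejects characters outside the alphabet."""
    n = 0
    for ch in text:
        if ch not in ALPHABET:
            raise ValueError(f"invalid nix-base32 character: {ch!r}")
        n = (n << 5) | ALPHABET.index(ch)
    size = len(text) * 5 // 8
    if n >> (size * 8):
        raise ValueError("non-zero padding bits")
    return n.to_bytes(size, "little")


def patch_matches_pin(patch: bytes, pinned: str) -> bool:
    """True only if the fetched bytes hash to the digest recorded in the origin."""
    return hashlib.sha256(patch).digest() == nix_base32_decode(pinned)


# Constructed sample data, not a real patch.
PATCH_AT_REVIEW_TIME = (
    b"--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n"
    b"-gets(buf);\n+fgets(buf, sizeof buf, stdin);\n"
)
# The hash a packager would record after reviewing the patch once.
PINNED = nix_base32_encode(hashlib.sha256(PATCH_AT_REVIEW_TIME).digest())
# The same URL serving different content at a later date.
SERVED_LATER = PATCH_AT_REVIEW_TIME.replace(b"sizeof buf", b"4096")

if __name__ == "__main__":
    print("pinned hash:      ", PINNED)
    print("original accepted:", patch_matches_pin(PATCH_AT_REVIEW_TIME, PINNED))
    print("changed accepted: ", patch_matches_pin(SERVED_LATER, PINNED))
```

The pin fixes the content that was fetched when the hash was recorded; it says nothing about whether that content was correct at that moment.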