Re: Fetching patches as origins instead of copying them into the Guix Git repo

[ng0]

ng0 transcribed 2.4K bytes:
> Marius Bakke transcribed 1.4K bytes:
> > Leo Famulari <address@hidden> writes:
> > 
> > > On Thu, Aug 31, 2017 at 09:52:49PM +0200, Marius Bakke wrote:
> > >> Side note: I think we should start adding patches as origins instead of
> > >> copying them wholesale, to try and keep the git repository slim.
> > >
> > > We should make a git-minimal package for things like this, or use
> > > guile-git / libgit2. Git itself is a very "heavy" package.
> > 
> > No, I mean adding patches like this:
> > 
> > (define %CVE-1970-0001.patch
> >   (origin
> >     (method url-fetch)
> >     (uri "https://example.com/CVE-2017-0001.patch";)
> >     (sha256
> >      (base32
> >       "12c60iwxyc3rj6ih06a1g80vmkf8khvhm44xr9va4h21b74v8f5k"))))
> > 
> > (package
> >  (...
> >   (patches (list (search-patch "guix-specific-stuff.patch")
> >                  %CVE-1970-0001.patch)))
> > 
> > That only requires the built-in guix downloader.
> 
> I think we should reduce connections we have to make
> and assume that patches could disappear.
> I keep patches and sources around in offline and
> online ways because of this. If a source should
> disappear I could fall back to my storage.
> 
> For cases like our icecat the patches are already
> fetched because they come directly from the upstream
> repository as far as I remember. That's okay.

Actually in cases of cgit, github, gitlab, and maybe
some other git focused web instances we can do what
icecat does or just use URLs like:
https://git.gnome.org/browse/libxml2/snapshot/libxml2-92b9e8c8b3787068565a1820ba575d042f9eec66.tar.xz
I think it's okay to fetch CVE patches like this
because they come directly from upstream commits
and we know the hash of the file.
-- 
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://n0is.noblogs.org/my-keys
https://www.infotropique.org https://krosos.org

signature.asc
Description: PGP signature