Automatically testing package updates

[Ludovic Courtès]

Hello Guix!

A new patch series that has just landed¹ adds a ‘--dependents’ flag (and
also ‘--development’) to ‘guix build’, which makes it easier to build
dependents when modifying a package.

It also adds ‘etc/upgrade-manifest.scm’, a manifest that grabs and
returns the latest upstream version of a few security-critical packages.
More precisely, it returns two things:

  1. Individual package updates.  Update each of libgcrypt, libgit2,
     etc. independently and return the updated packages together with
     their direct dependents.

  2. Joint package updates.  Update all these packages at once and
     return their dependents at distance two.

The result can be seen here (x86_64-linux only):

  https://ci.guix.gnu.org/jobset/security-updates

You can go to the dashboard:

  https://ci.guix.gnu.org/eval/latest/dashboard?spec=security-updates

… and type, for example, “latest-libgpg-error” (to view the libgpg-error
update and its dependents) or “full-upgrade” (to view all the dependents
of that set of packages).

Some examples:

  • guile-ssh fails to build with the latest libssh:
    <https://ci.guix.gnu.org/build/6753990/log>.

  • libgcrypt cannot be upgraded without libgpg-error:
    <https://ci.guix.gnu.org/build/6754153/log>.

  • libgcrypt 1.11.0 builds fine when upgraded jointly with its
    dependents: <https://ci.guix.gnu.org/build/6754305/details>

  • gnutls 3.8.8 has one test failure:
    <https://ci.guix.gnu.org/build/6753571/log>.

  • curl 8.11.0 has one test failure:
    <https://ci.guix.gnu.org/build/6753884/log>.

This manifest is just an example.  We could come up with manifests
targeting package collections like CRAN packages, astronomy packages,
and so on.

Feedback welcome!

Ludo’.

¹ https://issues.guix.gnu.org/74542