Andy Wingo wrote:

> * guix/potluck/environment.scm: New file.
> * Makefile.am (MODULES): Add new files.
> * guix/potluck/packages.scm (make-potluck-sandbox-module)
> (eval-in-sandbox): New helpers.
> (load-potluck-package): New public function.

[...]

> + ((getenv "GUIX_POTLUCK_NO_SANDBOX") > + (warn "No sandbox available; be warned!!!")

Perhaps this should use ‘warning’ from (guix ui).

> +;; Because potluck package definitions come from untrusted parties, they need > +;; to be sandboxed to prevent them from harming the host system. > +(define* (load-potluck-package file #:key > + (time-limit 1) > + (allocation-limit 50e6)) > + "Read a sequence of Scheme expressions from @var{file} and evaluate them in > +a potluck sandbox. The result of evaluating that expression sequence should > +be a potluck package. Any syntax error reading the expressions or run-time > +error evaluating the expressions will throw an exception. The resulting > +potluck package will be validated with @code{validate-potluck-package}."

Could you add a couple of tests in tests/potluck-package.scm for this part, or maybe for ‘eval-in-sandbox’?

Otherwise LGTM, thank you!

Ludo’.
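Review bot: In the quoted clause that tests (getenv "GUIX_POTLUCK_NO_SANDBOX"), the message "No sandbox available; be warned!!!" does not match the condition that triggers it. The visible test is that the variable is set, not that a sandbox is missing, so someone reading the output cannot tell that sandboxing was switched off deliberately. Since the comment in the same patch says potluck definitions come from untrusted parties, I would name GUIX_POTLUCK_NO_SANDBOX in the message and state that the definition is being evaluated without a sandbox, so the bypass is obvious in logs.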
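Review bot: In the quoted definition of load-potluck-package, the docstring documents @var{file} but says nothing about the #:time-limit and #:allocation-limit keywords, which are the resource bounds a caller would tune when evaluating untrusted input. Please document both, with their units and what happens when a limit is exceeded (the docstring currently lists only syntax and run-time errors as causes of an exception). Also note that the default 50e6 reads as an inexact number in Scheme; if the limit is meant to be an exact count, writing 50000000 avoids a float in comparisons.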