feature request/idea: guix pull --news should show information about new package replacements

  • Open
Details
2 participants
  • Jack Hill
  • Ludovic Courtès
Owner
unassigned
Submitted by
Jack Hill
Severity
wishlist
Jack Hill wrote on 7 Apr 2020 03:17
(address . bug-guix@gnu.org)
alpine.DEB.2.20.2004062100080.5735@marsh.hcoop.net
Hi Guix,

I'm an avid reader of `guix pull --news`. I like learning about new and
updated software. However, I noticed that when a package gains a new
replacement (e.g. for a security fix via grafting), it is not mentioned.
We do not show all changes to package definitions in the news, but since a
new replacement is often for a security fix, I think it is significant
enough to warrant showing in the news. I'm imagining something like:

"""
n packages with new replacements: gnutls, …
"""

or perhaps:

"""
n packages with new grafts: libxml, …
"""

I haven't yet thought about the implementation of this. I would want to
avoid doing too much extra work for `guix pull --news`.

What do you think?

Best,
Jack
Ludovic Courtès wrote on 7 Apr 2020 11:54
(name . Jack Hill)(address . jackhill@jackhill.us)(address . 40478@debbugs.gnu.org)
87y2r7aaen.fsf@gnu.org
Hi,

Jack Hill <jackhill@jackhill.us> skribis:

> I'm an avid reader of `guix pull --news`. I like learning about new
> and updated software. However, I noticed that when a package gains a
> new replacement (e.g. for a security fix via grafting), it is not
> mentioned. We do not show all changes to package definitions in the
> news, but since a new replacement is often for a security fix, I think
> it is significant enough to warrant showing in the news. I'm imagining
> something like:
>
> """
> n packages with new replacements: gnutls, …
> """
>
> or perhaps:
>
> """
> n packages with new grafts: libxml, …
> """
>
> I haven't yet thought about the implementation of this. I would want to
> avoid doing too much extra work for `guix pull --news`.
>
> What do you think?

I think it’s a great idea!

It would be even better if the message were higher-level:

The following security issues were fixed:
CVE-XYZ (gnutls), CVE-123 (icecat), etc.

The (guix cve) module would come in handy but it would be hard to
implement efficiently, I think.

Ludo’.