From: ludo@gnu.org (Ludovic Courtès)
To: Nils Gillmann
Cc: 31444@debbugs.gnu.org
Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Tue, 15 May 2018 09:24:59 +0200

Hi!

Nils Gillmann skribis:

> Did you intend to attach a patch to one of the 3 or 4 messages that made
> it to the bugtracker? I've checked when you've sent the message and today
> and saw no patches. I'm interested in the code, the general idea sounds good.

They eventually made it there:

  https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31442

But Debbugs is weird; for some reason it failed to reply for several
hours.

>> I think that longer-term we probably need to attach this kind of
>> meta-data to packages themselves, by adding a bunch of files in each
>> package, say under PREFIX/guix. We could do that for search paths as
>> well.
>
> If you mean with metadata what I understand:
> I've started playing with this idea a while back. It would be good to attach
> more information to the package, mentioned in the past was "support the developers"
> links (not everyone publishes this on their website).
> Personally I'm going to make use of the "maintainer" function for packages,
> so people know where (hopefully relatively) exactly the package came from.

Well this is not the kind of meta-data I had in mind, and for that I
think a field in is good enough.

> Anyways, I have some other package related experiments.. Did you have anything
> else in mind, other than search-paths and CVE information?

Not really, but that would be extensible.

The bigger picture is that of packages that would remain live data
structures, as Ricardo proposed a while back. I don’t think we can go
this far (in the sense of being able to reconstruct a from its
output), but having some metadata kept around can help.

Thanks,
Ludo’.