From: Ludovic Courtès
To: Christopher Baines
Cc: 61363@debbugs.gnu.org
Subject: Re: [bug#61363] [PATCH 2/2] self: Apply grafts to the outputs of the guix derivation.
Date: Wed, 22 Feb 2023 10:16:14 +0100
Message-ID: <87sfey9i1t.fsf@gnu.org>
In-Reply-To: <20230208075403.11788-2-mail@cbaines.net> (Christopher Baines's message of "Wed, 8 Feb 2023 08:54:03 +0100")

Hi,

Christopher Baines wrote:

> Rather than having grafts apply to the derivation itself. This moves grafting
> here to work like grafting for packages, where you can think of the grafted
> outputs as a transformed variant of the ungrafted outputs.

Hmm.

> I'm looking at this as it'll allow the Guix Data Service to compute the
> derivations without grafts, and for these to be useful for substitutes
> regardless of whether users are using grafts.

How does it help exactly?  By disabling grafts in that context?

> +++ b/guix/self.scm
> @@ -752,7 +752,8 @@ (define* (compiled-guix source #:key > (gzip (specification->package "gzip")) > (bzip2 (specification->package "bzip2")) > (xz (specification->package "xz")) > - (guix (specification->package "guix"))) > + (guix (specification->package "guix")) > + (graft? #t)) > "Return a file-like object that contains a compiled Guix." > (define guile-avahi > (specification->package "guile-avahi")) > @@ -802,6 +803,12 @@ (define dependencies > guile-json guile-semver guile-ssh guile-sqlite3 > guile-lib guile-zlib guile-lzlib guile-zstd))) >=20=20 > + (define packages > + (cons* gzip > + bzip2 > + xz > + dependencies)) > + [...] > + (let ((obj (built-modules (lambda (node) > + (list (node-source node) > + (node-compiled node)))))) > + (if graft? > + (explicit-grafting obj packages) > + obj)))

There are two things I’m not comfortable with:

  1. Having in (guix packages); it looks misplaced.

  2. More importantly, manually listing packages that might require
     grafting looks like a slippery slope (“oops! we’re not getting the
     GnuTLS graft for that CVE, too bad”).

I designed and implemented several variants to try and delay grafting.
One of them consisted in carrying graft information in gexps:

  https://git.savannah.gnu.org/cgit/guix.git/log?h=wip-gexp-grafts

It’s kinda similar to what you’re proposing in that graft information is
carried as far as possible.  The main difference is that it’s automated.

Hmm needs more thought.

Ludo’.
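
Review bot: In the `@@ -752,7 +752,8 @@` hunk, the new `(graft? #t)` keyword is not documented: the docstring still reads only "Return a file-like object that contains a compiled Guix." Please extend it to say what the caller gets with `#:graft? #f` and that grafting is on by default, since the default is what keeps security grafts applied for callers that do not pass the keyword.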
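
Review bot: In the `@@ -802,6 +803,12 @@` hunk, `packages` is assembled by hand as `(cons* gzip bzip2 xz dependencies)` and does not include the `guix` argument from the same keyword list, so `explicit-grafting` is only told about the packages someone remembered to list. If leaving `guix` out is deliberate, say so in a comment above `(define packages ...)`; otherwise derive the list from the inputs the build actually uses, so that a later addition to the build cannot silently miss its graft.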
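
A small model of the concern in point 2 above, added here as an illustration; it is not code from Guix or from either participant in the thread. The dependency edges, `hypothetical-lib`, `new-input` and `gnutls-patched` are constructed, and the model assumes grafts are discovered only by walking inputs from the roots it is given.

```python
"""Graft discovery from a hand-written root list vs. the build's real inputs."""

# Constructed sample data: package -> (inputs, replacement or None).
# Names echo the thread; the edges and replacement are invented and do
# not reflect Guix's real dependency graph.
PACKAGES = {
    "gzip": ((), None),
    "bzip2": ((), None),
    "xz": ((), None),
    "guile-json": ((), None),
    "guile-ssh": (("hypothetical-lib",), None),
    "hypothetical-lib": ((), None),
    "new-input": (("gnutls",), None),   # added to the build later
    "gnutls": ((), "gnutls-patched"),   # carries a security graft
}

def closure(roots):
    """Return every package reachable from `roots` through inputs."""
    seen, stack = set(), list(roots)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(PACKAGES[name][0])
    return seen

def grafts(roots):
    """Return {original: replacement} for grafts reachable from `roots`."""
    return {name: PACKAGES[name][1]
            for name in closure(roots)
            if PACKAGES[name][1] is not None}

def missed_grafts(manual_roots, build_inputs):
    """Grafts the build needs that the hand-written list never reaches."""
    covered = grafts(manual_roots)
    return {orig: repl for orig, repl in grafts(build_inputs).items()
            if orig not in covered}

# The hand-written list was correct until "new-input" joined the build.
MANUAL_ROOTS = ["gzip", "bzip2", "xz", "guile-json", "guile-ssh"]
BUILD_INPUTS = MANUAL_ROOTS + ["new-input"]

if __name__ == "__main__":
    print("manual list finds:", grafts(MANUAL_ROOTS))
    print("build needs:      ", grafts(BUILD_INPUTS))
    print("missed:           ", missed_grafts(MANUAL_ROOTS, BUILD_INPUTS))
```

A check like `missed_grafts` returning a non-empty result is the kind of regression test that would catch the hand-written list drifting from the build.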