On Tue, Mar 23, 2021 at 07:05:42PM -0400, Mark H Weaver wrote:
> Also, I'm not sure why you qualify your suggestion with "in this case".
> What is it that distinguishes ImageMagick from, e.g. glib, for purposes
> of this question? Would it be any less bad for "guix install glib" to
> install a glib with security flaws?

I forgot the reason that end-user applications should have public replacements, and why it's less important for the replacements of libraries to be public.

It's about the Guix user interface, that is, `guix show` and `guix search`.

`guix show gnutls` won't show a meaningful result for a gnutls/fixed replacement that cherry-picks some patches. Everything is the same about the replacement package, except some very narrow bug fixing.

But `guix show imagemagick` will show the new version, available as a replacement, in its results, and users should see it in the UI.

> It would be good to reach agreement on whether replacement packages
> should be made public. I haven't thought much about it, so I don't know
> what the relevant issues are.

Based on those examples, I'd suggest that replacements that update the package's version should be public.

It's been suggested before that all the package variables should be publicly exported, but using the hidden-package procedure. I don't remember the exact reason.

Sorry for the unreliable communication!