Re: Fedora/Debian release monitoring inspiration for Guix Data Service

On Tue, 2021-03-16 at 23:28 +, Christopher Baines wrote: > I did spot these patches > https://patches.guix-patches.cbaines.net/project/guix-patches/list/?series=7298 Awesome!! I did not see them earlier! > I think the Guix Data Service could run the "refresh" code from Guix > and > store rele

Guix moving too fast?

Hi, Thanks Mark for your words. Interestingly, using the angle of scientific software, I agree with your general analysis. On Tue, 16 Mar 2021 at 19:49, Leo Famulari wrote: > On Tue, Mar 16, 2021 at 07:19:59PM -0400, Mark H Weaver wrote: >> Ultimately, I gave up. In my opinion, Guix has neve

Re: Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?

Hi, On Wed, 17 Mar 2021 at 07:24, Léo Le Bouter wrote: > I think we can handle this without granting us any special powers, I > like it that we don't have roles actually! > > We can discuss, debate, agree to common goals, I don't think we are > going to enter into conflict, we hear each other, w

Re: Are gzip-compressed substitutes still used?

Hi, Ludovic Courtès skribis: > From that, we could deduce that about 1% of our users who take > substitutes from ci.guix are still using a pre-1.1.0 daemon without > support for lzip compression. > > I find it surprisingly low: 1.1.0 was released “only” 9 months ago, > which is not a lot for som

armhf-linux substitutes

Hi, Leo Famulari skribis: > On Mon, Mar 15, 2021 at 05:55:21PM +0100, Ludovic Courtès wrote: >> > The architecture armf will not be included. >> >> Wait wait, I missed that. What happened? I think we should include it, >> even if substitute availability remains low. > > I had asked about the

Why [bug#47081] Remove mongodb?

Hi Léo, On Fri, 12 Mar 2021 at 01:56, Léo Le Bouter wrote: > mongodb 3.4.10 has unpatched CVEs and mongodb 3.4.24 has some files in the > release tarball under the SSPL, therefore we cannot provide mongodb while > upholding to good security standards. [...] > doc/guix.texi | 28

Re: Are gzip-compressed substitutes still used?

Just as a reminder siding with vagrantc here: We must ensure the Debian 'guix' package can still work and upgrade from it's installed version, so ensure that removing gzip doesnt break initial 'guix pull' with it. signature.asc Description: This is a digitally signed message part

Re: Why [bug#47081] Remove mongodb?

On Wed, 2021-03-17 at 17:56 +0100, zimoun wrote: > If the removal for security reasons had been discussed on IRC, it > could > be nice to point the discussion here. Otherwise, open a discussion > on > the topic on guix-devel or bug-guix. The full removal is a radical > solution (especially, it sh

Re: [bug#47163] Using package transformations declaratively

Hi, zimoun skribis: > There is several ways to have package transformations at the manifest > level. One is: > > (use-modules (guix transformations)) > > (define transform1 > (options->transformation > '((with-c-toolchain . "hello=gcc-toolchain@8" > > (packages->manifest > (list (tr

Re: Why [bug#47081] Remove mongodb?

Sorry for duplicated email, On Wed, 2021-03-17 at 17:56 +0100, zimoun wrote: > If the removal for security reasons had been discussed on IRC, it > could > be nice to point the discussion here. Otherwise, open a discussion > on > the topic on guix-devel or bug-guix. The full removal is a radical

Re: [bootstrappable] Re: Can Guile be bootstrapped from source without psyntax-pp.scm?

Hi Michael, Michael Schierl skribis: > Am 15.03.2021 um 18:09 schrieb Ludovic Courtès: >> Woow, this is great news! I think it would be great towards importing >> it in Guile proper. >> >> To do that, I think we should first get Andy’s opinion on the approach. > > I don't think upstream is very

Finding the store path of a package

Dear Guix experts, I wonder if there is a straightforward way to find the store path corresponding to a package, assuming that the package actually is in the store. I don't care if it's done via the CLI or via Guile code. Use case: Looking at the files inside a package. What I do now is "ls /gnu/

Rust and parametric packages

I'm re-reading the threads about Rust packaging and I realized there might be a solution to the build artifact reuse problem. As I understand it, the problem is that crates can be compiled with any number of features enabled or disabled. If this and the compiler version are truly the only variable

Re: Fedora/Debian release monitoring inspiration for Guix Data Service

Hi, Léo Le Bouter skribis: > It seems Fedora has automated infrastructure and feeds to monitor new > upstream releases so that maintainers can get notifications on them. > > https://release-monitoring.org/ Established distros have great tools and services for that. Guix has ‘guix refresh’, whi

Re: Are gzip-compressed substitutes still used?

On 2021-03-17, Léo Le Bouter wrote: > Just as a reminder siding with vagrantc here: > > We must ensure the Debian 'guix' package can still work and upgrade > from it's installed version, so ensure that removing gzip doesnt break > initial 'guix pull' with it. ... and I would expect this version to

Re: Fedora/Debian release monitoring inspiration for Guix Data Service

On Wed, 2021-03-17 at 18:35 +0100, Ludovic Courtès wrote: > Established distros have great tools and services for that. > > Guix has ‘guix refresh’, which predates some of the trendy > release/CVE > monitoring services and actually works well. It’s not perfect, but > it’s > good, so my advice wou

Re: Why [bug#47081] Remove mongodb?

On Wed, 17 Mar 2021 at 18:09, Léo Le Bouter wrote: > On Wed, 2021-03-17 at 17:56 +0100, zimoun wrote: >> If the removal for security reasons had been discussed on IRC, it >> could >> be nice to point the discussion here. Otherwise, open a discussion >> on >> the topic on guix-devel or bug-guix.

Re: Are gzip-compressed substitutes still used?

Hi, On Wed, 17 Mar 2021 at 18:12, Ludovic Courtès wrote: > I’d still like to start providing zstd-compressed substitutes though. > So I think what we can do is: > > • start providing zstd substitutes on berlin right now so that when > 1.2.1 comes out, at least some substitutes are availabl

Re: Why [bug#47081] Remove mongodb?

On Wed, 2021-03-17 at 18:56 +0100, zimoun wrote: > AFAIT, 3.4.10 is released under GNU AGPL 3.0 and Apache 2.0. This > version had been released before the October 16th, 2018. Could you > point which code is non-free? > > IMHO, this claim about non-free code is wrong. The last versions > with >

Re: Are gzip-compressed substitutes still used?

On 17.03.21 18:12, Ludovic Courtès wrote: (See for the initial message.) Here’s an update, 1.5 month later. This time I’m looking at nginx logs covering Feb 8th to Mar 17th and using a laxer regexp than in the message above,

Re: Rust and parametric packages

On Wed, 2021-03-17 at 18:30 +0100, raingloom wrote: > I'm re-reading the threads about Rust packaging and I realized there > might be a solution to the build artifact reuse problem. > > As I understand it, the problem is that crates can be compiled with > any > number of features enabled or disabl

Re: Finding the store path of a package

Hi Konrad, On Wed, 17 Mar 2021 at 18:55, Konrad Hinsen wrote: > I wonder if there is a straightforward way to find the store path > corresponding to a package, assuming that the package actually is in the > store. I don't care if it's done via the CLI or via Guile code. does “guix build -n” fi

Re: Why [bug#47081] Remove mongodb?

On Wed, 17 Mar 2021 at 19:16, Léo Le Bouter wrote: > On Wed, 2021-03-17 at 18:56 +0100, zimoun wrote: >> AFAIT, 3.4.10 is released under GNU AGPL 3.0 and Apache 2.0. This >> version had been released before the October 16th, 2018. Could you >> point which code is non-free? >> >> IMHO, this clai

Re: Why [bug#47081] Remove mongodb?

The issue with 3.4.24 / 3.4.10 is that Efraim reverted the commit then it was briefly discussed on IRC and Efraim thought I was right about the licensing being fine on 3.4.24 and reverted their revert commit, after some actual checking in the tarball grepping for license headers I found out I was w

Re: armhf-linux substitutes

Hi, On Wed, 17 Mar 2021 at 18:28, Ludovic Courtès wrote: > Mathieu, what’s preventing us from doing armhf-linux builds again? We > could use the OverDrives for that (with an upper bound though), along > with the SBCs in machines-for-berlin.scm. We should start to build ASAP… > That won’t be e

Re: Why [bug#47081] Remove mongodb?

On Wed, 2021-03-17 at 19:51 +0100, zimoun wrote: > It shows exactly my point. The correct and polite way of doing the > thing is first to examine the issue at hand (3.4.10 is old with > security > vulnerabilities), then propose a fix (e.g., the removal), wait > feedback, > and complete. Actually

Re: Why [bug#47081] Remove mongodb?

On Wed, 17 Mar 2021 at 20:11, Léo Le Bouter wrote: > On Wed, 2021-03-17 at 19:51 +0100, zimoun wrote: >> It shows exactly my point. The correct and polite way of doing the >> thing is first to examine the issue at hand (3.4.10 is old with >> security >> vulnerabilities), then propose a fix (e.g.,

Re: Are gzip-compressed substitutes still used?

Hi Vagrant, On Wed, 17 Mar 2021 at 11:08, Vagrant Cascadian wrote: > ... and I would expect this version to ship in Debian for another ~3-5 > years, unless it gets removed from Debian bullseye before the upcoming > (real soon now) release! I could miss a point. In 3-5 years, some people will b