‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Saturday, May 30, 2020 10:39 AM, Hartmut Goebel <h.goe...@crazy-compilers.com> wrote:
> Hi, > > was just written in another mail, I'm currently working on a > erlang/rebar build system. This includes an importer from hex.pm, a > package repository for elixir and erlang packages. (Since this is build > into rebar3 I assume it what PyPI is for Python and CPAN for Perl.) > > At hex.pm, packages are provided in a tarfile [1] wrapping the source > tar-file: > > -rw-r--r-- 0/0 1 2017-06-14 21:57 VERSION > -rw-r--r-- 0/0 64 2017-06-14 21:57 CHECKSUM > -rw-r--r-- 0/0 532 2017-06-14 21:57 metadata.config > -rw-r--r-- 0/0 4744 2017-06-14 21:57 contents.tar.gz > > IMHO it does not make sense to keep this wrapping tar-file in the store. > > So my idea is to create a "hexpm-fetch" method, which downloads the > tar-file and only stores the "content.tar.gz" in the store (using a > proper name, of course). > > How can this be done? > > [1] https://github.com/hexpm/specifications/blob/master/package_tarball.md > > Hi, Probably you're able to reach the same conclusions as I did but anyway... I took a look to guix/download.scm I think you just need to check what url-fetch/zipbomb does because the usecase is similar to what you are looking for. Hope this helps at least a little. Thanks for the work you are doing, I'm interested on it because I want to package Wings3D, so once you are done you'll probably have a tester :) Best, Ekaitz