Re: Are gzip-compressed substitutes still used?

Hi Vagrant, On Wed, 17 Mar 2021 at 11:08, Vagrant Cascadian wrote: > ... and I would expect this version to ship in Debian for another ~3-5 > years, unless it gets removed from Debian bullseye before the upcoming > (real soon now) release! I could miss a point. In 3-5 years, some people will b

Re: Why [bug#47081] Remove mongodb?

On Wed, 17 Mar 2021 at 20:11, Léo Le Bouter wrote: > On Wed, 2021-03-17 at 19:51 +0100, zimoun wrote: >> It shows exactly my point. The correct and polite way of doing the >> thing is first to examine the issue at hand (3.4.10 is old with >> security >> vulnerabilities), then propose a fix (e.g.,

Re: Why [bug#47081] Remove mongodb?

On Wed, 2021-03-17 at 19:51 +0100, zimoun wrote: > It shows exactly my point. The correct and polite way of doing the > thing is first to examine the issue at hand (3.4.10 is old with > security > vulnerabilities), then propose a fix (e.g., the removal), wait > feedback, > and complete. Actually

Re: armhf-linux substitutes

Hi, On Wed, 17 Mar 2021 at 18:28, Ludovic Courtès wrote: > Mathieu, what’s preventing us from doing armhf-linux builds again? We > could use the OverDrives for that (with an upper bound though), along > with the SBCs in machines-for-berlin.scm. We should start to build ASAP… > That won’t be e

Re: Why [bug#47081] Remove mongodb?

The issue with 3.4.24 / 3.4.10 is that Efraim reverted the commit then it was briefly discussed on IRC and Efraim thought I was right about the licensing being fine on 3.4.24 and reverted their revert commit, after some actual checking in the tarball grepping for license headers I found out I was w

Re: Why [bug#47081] Remove mongodb?

On Wed, 17 Mar 2021 at 19:16, Léo Le Bouter wrote: > On Wed, 2021-03-17 at 18:56 +0100, zimoun wrote: >> AFAIT, 3.4.10 is released under GNU AGPL 3.0 and Apache 2.0. This >> version had been released before the October 16th, 2018. Could you >> point which code is non-free? >> >> IMHO, this clai

Re: Finding the store path of a package

Hi Konrad, On Wed, 17 Mar 2021 at 18:55, Konrad Hinsen wrote: > I wonder if there is a straightforward way to find the store path > corresponding to a package, assuming that the package actually is in the > store. I don't care if it's done via the CLI or via Guile code. does “guix build -n” fi

Re: Rust and parametric packages

On Wed, 2021-03-17 at 18:30 +0100, raingloom wrote: > I'm re-reading the threads about Rust packaging and I realized there > might be a solution to the build artifact reuse problem. > > As I understand it, the problem is that crates can be compiled with > any > number of features enabled or disabl

Re: Are gzip-compressed substitutes still used?

On 17.03.21 18:12, Ludovic Courtès wrote: (See for the initial message.) Here’s an update, 1.5 month later. This time I’m looking at nginx logs covering Feb 8th to Mar 17th and using a laxer regexp than in the message above,

Re: Why [bug#47081] Remove mongodb?

On Wed, 2021-03-17 at 18:56 +0100, zimoun wrote: > AFAIT, 3.4.10 is released under GNU AGPL 3.0 and Apache 2.0. This > version had been released before the October 16th, 2018. Could you > point which code is non-free? > > IMHO, this claim about non-free code is wrong. The last versions > with >

Re: Are gzip-compressed substitutes still used?

Hi, On Wed, 17 Mar 2021 at 18:12, Ludovic Courtès wrote: > I’d still like to start providing zstd-compressed substitutes though. > So I think what we can do is: > > • start providing zstd substitutes on berlin right now so that when > 1.2.1 comes out, at least some substitutes are availabl

Re: Why [bug#47081] Remove mongodb?

On Wed, 17 Mar 2021 at 18:09, Léo Le Bouter wrote: > On Wed, 2021-03-17 at 17:56 +0100, zimoun wrote: >> If the removal for security reasons had been discussed on IRC, it >> could >> be nice to point the discussion here. Otherwise, open a discussion >> on >> the topic on guix-devel or bug-guix.

Re: Fedora/Debian release monitoring inspiration for Guix Data Service

On Wed, 2021-03-17 at 18:35 +0100, Ludovic Courtès wrote: > Established distros have great tools and services for that. > > Guix has ‘guix refresh’, which predates some of the trendy > release/CVE > monitoring services and actually works well. It’s not perfect, but > it’s > good, so my advice wou

Re: Are gzip-compressed substitutes still used?

On 2021-03-17, Léo Le Bouter wrote: > Just as a reminder siding with vagrantc here: > > We must ensure the Debian 'guix' package can still work and upgrade > from it's installed version, so ensure that removing gzip doesnt break > initial 'guix pull' with it. ... and I would expect this version to

Re: Fedora/Debian release monitoring inspiration for Guix Data Service

Hi, Léo Le Bouter skribis: > It seems Fedora has automated infrastructure and feeds to monitor new > upstream releases so that maintainers can get notifications on them. > > https://release-monitoring.org/ Established distros have great tools and services for that. Guix has ‘guix refresh’, whi

Rust and parametric packages

I'm re-reading the threads about Rust packaging and I realized there might be a solution to the build artifact reuse problem. As I understand it, the problem is that crates can be compiled with any number of features enabled or disabled. If this and the compiler version are truly the only variable

Finding the store path of a package

Dear Guix experts, I wonder if there is a straightforward way to find the store path corresponding to a package, assuming that the package actually is in the store. I don't care if it's done via the CLI or via Guile code. Use case: Looking at the files inside a package. What I do now is "ls /gnu/

Re: [bootstrappable] Re: Can Guile be bootstrapped from source without psyntax-pp.scm?

Hi Michael, Michael Schierl skribis: > Am 15.03.2021 um 18:09 schrieb Ludovic Courtès: >> Woow, this is great news! I think it would be great towards importing >> it in Guile proper. >> >> To do that, I think we should first get Andy’s opinion on the approach. > > I don't think upstream is very

Re: Why [bug#47081] Remove mongodb?

Sorry for duplicated email, On Wed, 2021-03-17 at 17:56 +0100, zimoun wrote: > If the removal for security reasons had been discussed on IRC, it > could > be nice to point the discussion here. Otherwise, open a discussion > on > the topic on guix-devel or bug-guix. The full removal is a radical

Re: [bug#47163] Using package transformations declaratively

Hi, zimoun skribis: > There is several ways to have package transformations at the manifest > level. One is: > > (use-modules (guix transformations)) > > (define transform1 > (options->transformation > '((with-c-toolchain . "hello=gcc-toolchain@8" > > (packages->manifest > (list (tr

Re: Why [bug#47081] Remove mongodb?

On Wed, 2021-03-17 at 17:56 +0100, zimoun wrote: > If the removal for security reasons had been discussed on IRC, it > could > be nice to point the discussion here. Otherwise, open a discussion > on > the topic on guix-devel or bug-guix. The full removal is a radical > solution (especially, it sh

Re: Are gzip-compressed substitutes still used?

Just as a reminder siding with vagrantc here: We must ensure the Debian 'guix' package can still work and upgrade from it's installed version, so ensure that removing gzip doesnt break initial 'guix pull' with it. signature.asc Description: This is a digitally signed message part

Why [bug#47081] Remove mongodb?

Hi Léo, On Fri, 12 Mar 2021 at 01:56, Léo Le Bouter wrote: > mongodb 3.4.10 has unpatched CVEs and mongodb 3.4.24 has some files in the > release tarball under the SSPL, therefore we cannot provide mongodb while > upholding to good security standards. [...] > doc/guix.texi | 28

armhf-linux substitutes

Hi, Leo Famulari skribis: > On Mon, Mar 15, 2021 at 05:55:21PM +0100, Ludovic Courtès wrote: >> > The architecture armf will not be included. >> >> Wait wait, I missed that. What happened? I think we should include it, >> even if substitute availability remains low. > > I had asked about the

Re: Are gzip-compressed substitutes still used?

Hi, Ludovic Courtès skribis: > From that, we could deduce that about 1% of our users who take > substitutes from ci.guix are still using a pre-1.1.0 daemon without > support for lzip compression. > > I find it surprisingly low: 1.1.0 was released “only” 9 months ago, > which is not a lot for som

Re: Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?

Hi, On Wed, 17 Mar 2021 at 07:24, Léo Le Bouter wrote: > I think we can handle this without granting us any special powers, I > like it that we don't have roles actually! > > We can discuss, debate, agree to common goals, I don't think we are > going to enter into conflict, we hear each other, w

Guix moving too fast?

Hi, Thanks Mark for your words. Interestingly, using the angle of scientific software, I agree with your general analysis. On Tue, 16 Mar 2021 at 19:49, Leo Famulari wrote: > On Tue, Mar 16, 2021 at 07:19:59PM -0400, Mark H Weaver wrote: >> Ultimately, I gave up. In my opinion, Guix has neve

Re: Fedora/Debian release monitoring inspiration for Guix Data Service

On Tue, 2021-03-16 at 23:28 +, Christopher Baines wrote: > I did spot these patches > https://patches.guix-patches.cbaines.net/project/guix-patches/list/?series=7298 Awesome!! I did not see them earlier! > I think the Guix Data Service could run the "refresh" code from Guix > and > store rele