Add support for other formats of Guix channels

  • Done
  • quality assurance status badge
Details
4 participants
  • EuAndreh
  • Leo Famulari
  • Ludovic Courtès
  • zimoun
Owner
unassigned
Submitted by
EuAndreh
Severity
normal

Debbugs page

E
E
EuAndreh wrote on 15 Sep 2021 10:30
(address . bug-guix@gnu.org)
163172701717.1270740.9988334410334115700@localhost
As I've described in [0], one can't have a Guix channel served over Git's
"Dumb HTTP" protocol. That is caused by libgit's inability to do so [1].

Guix channel authors may want to serve channels:
- via "Dumb HTTP" Git repositories;
- via other DVCS like Mercurial, Fossil, BitKeeper;
- decoupled from the backing versioning tool.

My initial though is that making Guix knowing how to handle channels served as
tarballs would suffice, and cover all of the above. Those channels wouldn't
have the exact same caching and authentication characteristics as channels
served via Git repositories, but that seems OK.

WDYT?

L
L
Ludovic Courtès wrote on 16 Sep 2021 01:17
(name . EuAndreh)(address . eu@euandre.org)(address . 50606@debbugs.gnu.org)
87ee9p2aub.fsf@gnu.org
Hi,

EuAndreh <eu@euandre.org> skribis:

Toggle quote (15 lines)
> As I've described in [0], one can't have a Guix channel served over Git's
> "Dumb HTTP" protocol. That is caused by libgit's inability to do so [1].
>
> Guix channel authors may want to serve channels:
> - via "Dumb HTTP" Git repositories;
> - via other DVCS like Mercurial, Fossil, BitKeeper;
> - decoupled from the backing versioning tool.
>
> My initial though is that making Guix knowing how to handle channels served as
> tarballs would suffice, and cover all of the above. Those channels wouldn't
> have the exact same caching and authentication characteristics as channels
> served via Git repositories, but that seems OK.
>
> WDYT?

Channel authentication and downgrade prevention are very much linked to
Git, though they could work with any append-only kind of DVCS.

Now, the implementation is (purposefully) very much Git-only; the format
of channel specs is somewhat Git-only as well. I understand it can be
frustrating users of other VCSes, but from a maintenance viewpoint,
supporting a single VCS greatly simplifies things. I also think it’s
beneficial from a user interface standpoint because it allows us to
provide tighter integration than if there was a high-level abstraction
layer.

All in all, I’m not in favor of supporting other version control tools
for channels.

Supporting the “dump HTTP” Git transport would be nice, but as you
write, it’s more of a feature request for libgit2.

Thanks,
Ludo’.
Z
Z
zimoun wrote on 16 Sep 2021 04:18
(name . Ludovic Courtès)(address . ludo@gnu.org)
CAJ3okZ2sM6is-dp0A8+9M+QN=QJDO35km_MrWHhto8XdCu0NuA@mail.gmail.com
Hi,

On Thu, 16 Sept 2021 at 10:18, Ludovic Courtès <ludo@gnu.org> wrote:
Toggle quote (4 lines)
> EuAndreh <eu@euandre.org> skribis:

> > Guix channel authors may want to serve channels:

[...]

Toggle quote (3 lines)
> > - via other DVCS like Mercurial, Fossil, BitKeeper;
> > - decoupled from the backing versioning tool.

[...]

Toggle quote (3 lines)
> All in all, I’m not in favor of supporting other version control tools
> for channels.

Adding more all to "all in all". :-)

Support other VCS would mean a lot of work: refactor "pull" and then
break several CLIs (pull, time-machine, describe) -- without speaking
about "guix git" subcommand. I do not know if all the Git concepts
currently used by Guix translate well to other VCS. Moreover the
transparent recent fallback to SWH for channels would also needs piece
of work -- it is not straightforward to fetch back content from
metadata at hand; it is currently only done for Git source and the
others VCS are still WIP, i.e., they do not work out-of-the-box.
Well, from a pragmatic point of view, I am not convinced that such
effort is worth considering the popularity of Git vs other-VCS.

All the best,
simon
E
E
EuAndreh wrote on 16 Sep 2021 10:41
(address . 50606@debbugs.gnu.org)
163181407045.1503137.63518666550594558@localhost
I agree with most points, but I'm not proposing creating integrations with other
DVCS, en par with the current Git integration.

My proposal was a little more crude: get the channel code from a tarball. In
this model there are no authentications with fingerprint or signed commits,
neither "guix pull" would know much about the before/after state of a channel
besides comparing the checksum of the whole tarball.

This lower level abstraction is much less sofisticated, and would probably mean
refetching and rebuilding from tarball-backed channels than Git channels. But
this also means that the requirement is lower, and much more universal: a
tarball file served over HTTP, compared to a specific Git HTTP protocol.
E
E
EuAndreh wrote on 16 Sep 2021 10:48
(address . 50606@debbugs.gnu.org)
163181448971.1503137.13820761374830683288@localhost
In this model, downgrade prevention would a) be inexistant or b) require work
from the upstream tarball provider, to produce tarballs with metadata files that
could provide such data.

Authentication could be done by relying on TLS, or requiring a signature file.
E
E
EuAndreh wrote on 16 Sep 2021 10:51
(address . 50606@debbugs.gnu.org)
163181467227.1503137.16169534887628959834@localhost
I'm very much in favor of keeping the current channel implementation leveraging
aspects specific to Git, and I also don't think that adding any other DVCS is
worth it.
L
L
Ludovic Courtès wrote on 16 Sep 2021 13:21
(name . EuAndreh)(address . eu@euandre.org)
878rzwz2y3.fsf@gnu.org
EuAndreh <eu@euandre.org> skribis:

Toggle quote (10 lines)
> My proposal was a little more crude: get the channel code from a tarball. In
> this model there are no authentications with fingerprint or signed commits,
> neither "guix pull" would know much about the before/after state of a channel
> besides comparing the checksum of the whole tarball.
>
> This lower level abstraction is much less sofisticated, and would probably mean
> refetching and rebuilding from tarball-backed channels than Git channels. But
> this also means that the requirement is lower, and much more universal: a
> tarball file served over HTTP, compared to a specific Git HTTP protocol.

Note that we already have -L and GUIX_PACKAGE_PATH as an alternative to
full-blown channels. I’d recommend using that when in need of a
lightweight alternative. How does that sound?

Thanks,
Ludo’.
L
L
Leo Famulari wrote on 16 Sep 2021 16:44
(name . EuAndreh via Bug reports for GNU Guix)(address . bug-guix@gnu.org)
YUPWw0LWykoOPJ86@jasmine.lan
On Thu, Sep 16, 2021 at 02:41:10PM -0300, EuAndreh via Bug reports for GNU Guix wrote:
Toggle quote (5 lines)
> My proposal was a little more crude: get the channel code from a tarball. In
> this model there are no authentications with fingerprint or signed commits,
> neither "guix pull" would know much about the before/after state of a channel
> besides comparing the checksum of the whole tarball.

For this use case, where you don't require many of the `guix pull`
features, you could use GUIX_PACKAGE_PATH instead:

Z
Z
zimoun wrote on 17 Sep 2021 01:16
(name . EuAndreh)(address . eu@euandre.org)
CAJ3okZ01Jh5Ot9+qttS_OAx-tMD7muRi-tqEnzzjTUSxRZCe7Q@mail.gmail.com
Hi,

On Thu, 16 Sept 2021 at 19:41, EuAndreh <eu@euandre.org> wrote:

Toggle quote (5 lines)
> My proposal was a little more crude: get the channel code from a tarball. In
> this model there are no authentications with fingerprint or signed commits,
> neither "guix pull" would know much about the before/after state of a channel
> besides comparing the checksum of the whole tarball.

Somehow, IIUC your explanations, you would like to be able to set an
'origin' as channel source. Something like that:

Toggle snippet (13 lines)
(cons*
(origin
(method url-fetch)
(uri "https://example.org/archive.tar.gz")
(sha256
(base32
"0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i")))
(channel
(name 'extra)
(url "https://example.org/extra.git"))
%default-channels)

Therefore, it would be possible to have any VCS already supported.

However, it is fixed and update means change at least the checksum to
the channels.scm file.

Well, I do not know if it is more convenient than what Ludo and Leo
suggested. :-)


Cheers,
simon
E
E
EuAndreh wrote on 17 Sep 2021 03:41
(name . Ludovic Courtès)(address . ludo@gnu.org)
163187528655.1642483.16028637497147388402@localhost
This is a reasonable compromise. It is less self-contained than a single
channel file definition, and requires me or the consumer a bit more upfront
setup, but I'm OK with that.
E
E
EuAndreh wrote on 17 Sep 2021 03:44
(name . zimoun)(address . zimon.toutoune@gmail.com)
163187544719.1642483.2726968864829579164@localhost
Having a checksum would at least be more declarative and self-contained, but
not as convenient. A variation of this idea is to not have the checksum, and
allow the tarball to be changing over time, like a tarball representing a branch
on a repository that gets commits over time.
E
E
EuAndreh wrote on 17 Sep 2021 03:46
(name . Ludovic Courtès)(address . ludo@gnu.org)
163187560586.1673476.8471074501690670822@localhost
Shall we close this bug?
Z
Z
zimoun wrote on 17 Sep 2021 10:00
(name . EuAndreh)(address . eu@euandre.org)
CAJ3okZ2GXbDBj+EupnP4X-6dbjErjH_=Zau9Tq1HbPJc_OECSA@mail.gmail.com
Hi,

On Fri, 17 Sept 2021 at 12:47, EuAndreh <eu@euandre.org> wrote:
Toggle quote (3 lines)
>
> Shall we close this bug?

I think this wish,

Guix channel authors may want to serve channels:
- via "Dumb HTTP" Git repositories;

still makes sense.

Cheers,
simon
L
L
Ludovic Courtès wrote on 18 Sep 2021 03:07
control message for bug #50606
(address . control@debbugs.gnu.org)
871r5murgu.fsf@gnu.org
tags 50606 wontfix
close 50606
quit
L
L
Ludovic Courtès wrote on 18 Sep 2021 03:08
Re: bug#50606: Add support for other formats of Guix channels
(name . zimoun)(address . zimon.toutoune@gmail.com)
87wnnetcvu.fsf@gnu.org
Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

Toggle quote (6 lines)
> On Fri, 17 Sept 2021 at 12:47, EuAndreh <eu@euandre.org> wrote:
>>
>> Shall we close this bug?
>
> I think this wish,

Done!

Toggle quote (5 lines)
> Guix channel authors may want to serve channels:
> - via "Dumb HTTP" Git repositories;
>
> still makes sense.

Yes.

Ludo’.
?
Your comment

This issue is archived.

To comment on this conversation send an email to 50606@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 50606
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch