GNU bug report logs - #39263
[PATCH 0/2] Update Godot

Previous Next

Full log

Message #20 received at 39263 <at> debbugs.gnu.org (full text, mbox):

From: Timotej Lazar <timotej.lazar <at> araneo.si>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 39263 <at> debbugs.gnu.org
Subject: Re: [bug#39263] [PATCH 2/2] gnu: godot: Unbundle some dependencies.
Date: Tue, 28 Jan 2020 19:18:09 +0100

Thanks for the feedback! I am sending updated patches after this reply.

Christopher Baines <mail <at> cbaines.net> [2020-01-25 09:16:08+0000]:
> I did have a look if the package builds with the mbedtls-apache
> package, rather than using the included source code, and it looks to.
> Although I'm aware that [1] says there are modifications.

The two Godot patches for mbedtls don’t seem to be relevant to Guix, so
I replaced the bundled copy with the mbedtls-apache package. I don’t
have a use case to test this, but the minimal example from the
HTTPRequest tutorial seems to work OK with an HTTPS URI.

Christopher Baines <mail <at> cbaines.net> [2020-01-25 09:18:33+0000]:
> One thought I had here is that it would be more rigorous to have a list
> of directories that are kept, and anything not on the list is deleted.
> That way it's harder for new thirdparty dependencies to sneak in.

Makes sense. As you suggest, I flipped the logic for removing thirdparty
files: whitelist preserved files and remove everything else. The snippet
can only preserve direct children of the thirdparty/ directory, which
keeps it simple but perhaps not flexible enough in the long run.

Do we generally prefer whitelisting bundled files? Most packages I have
seen (and written) do the opposite and list the files to remove. Maybe
we could add a guideline somewhere? Or point me to the one I missed. :)

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.