GNU bug report logs -
#47670
[PATCH 0/2] Add updater for packages hosted as SourceHut Git repositories
Previous Next
Full log
View this message in rfc822 format
Hi,
Replying to an old message…
Xinglu Chen <public <at> yoctocell.xyz> skribis:
> On Sun, Jun 06 2021, Ludovic Courtès wrote:
[...]
>>> Umm, the 'upstream-source-compiler' uses 'url-fetch' to fetch the url, I
>>> guess we would have to make it support Git repositories first.
>>
>> Yes, that’s a limitation of (guix upstream) right now.
>> ‘%method-updates’ was a first step in the direction of supporting Git
>> repos.
>
> One of the problems with adding support for Git repos in (guix upstream)
> was that Libgit2 (and by extension Guile-Git) doesn’t provide an API for
> verifying tags, the I only way I know of is to run ‘git verify-tag’ in
> the shell. There is a ‘git_commit_extract_signature’ API, but it only
> for individual commits, and since the majority of people don’t sign
> their commits it means that a most of the time its not going to be able
> to verify the checkout.
The (guix git-authenticate) commit has code that retrieves the OpenPGP
signature and checks it. It can serve as inspiration.
>> Now, I agree with Léo that (1) this is not SourceHut-specific, and (2)
>> it should not download generated archives.
>>
>> Also, I’d prefer to have the code rely on Guile-Git to list tags rather
>> than invoking ‘git’, if possible.
>
> Libgit2 has a ‘git_tag_list’ API, though it doesn’t seem like Guile-Git
> supports it.
>
> https://libgit2.org/libgit2/#HEAD/group/tag/git_tag_list
Ah, we could add it.
>> Perhaps that code could leave in its own (guix import git) module or
>> similar, rather than in (guix gnu-maintenance), which already has
>> little to do with GNU maintenance at this point. :-)
>
> Yeah, I think that’s a good idea :)
Thanks,
Ludo’.
This bug report was last modified 3 years and 322 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.