Package: emacs;
Reported by: Joseph Turner <joseph <at> breatheoutbreathe.in>
Date: Sat, 6 May 2023 20:53:02 UTC
Severity: normal
Tags: patch
Done: Philip Kaludercic <philipk <at> posteo.net>
Bug is archived. No further changes may be made.
View this message in rfc822 format
From: Philip Kaludercic <philipk <at> posteo.net> To: Joseph Turner <joseph <at> breatheoutbreathe.in> Cc: 63336 <at> debbugs.gnu.org Subject: bug#63336: [PATCH] package-vc: Process :make and :shell-command spec args Date: Mon, 15 May 2023 09:12:26 +0000
Joseph Turner <joseph <at> breatheoutbreathe.in> writes:
> Philip Kaludercic <philipk <at> posteo.net> writes:
>
>> Joseph Turner <joseph <at> breatheoutbreathe.in> writes:
>>
>>> Philip Kaludercic <philipk <at> posteo.net> writes:
>>>
>>>> Joseph Turner <joseph <at> breatheoutbreathe.in> writes:
>>>>
>>>>> Philip Kaludercic <philipk <at> posteo.net> writes:
>>>>>
>>>>>> Joseph Turner <joseph <at> breatheoutbreathe.in> writes:
>
>>> We also might want to add another option for
>>> package-vc-allow-side-effects like 'user-defined, which only runs :make
>>> and :shell-command args which were specified by the user (as opposed to
>>> those which were downloaded from elpa). WDYT?
>>
>> That sounds like a good idea, but let us do that in a separate patch.
>
> Okay!
>
>>> To update the manual, shall I edit doc/emacs/package.texi directly or is
>>> there another file to edit?
>>
>> Yes, just update the table under the "Specifying Package Sources" subsection.
>
> See patch.
>
>>>> If :shell-command fails, do we really want to proceed to :make?
>>>
>>> Up to you! I was following the lead of elpa-admin.el.
>>
>> In that case let us do that too, unless there is a good reason not to.
>
> +1
>
>>> I switched the first two cases. I think pcase is readable here,
>>> especially if we add an 'user-defined option. What would you use
>>> instead?
>>
>> I would have just used a regular cond.
>>
>> --8<---------------cut here---------------start------------->8---
>> (cond
>> ((null package-vc-process-make)
>> ...)
>> ((listp package-vc-process-make)
>> ...)
>> (...))
>> --8<---------------cut here---------------end--------------->8---
>>
>> But this doesn't matter, do what you prefer.
>
> Thank you! I like pcase here.
>
>>> +Be careful when changing this option as processing :make and
>>> +:shell-command will run potentially harmful code.
>>
>> Sounds scary. I guess that is the point, but what do you think about
>> something like
>>
>> Be careful when changing this option, as installing and updating a
>> package can potentially run harmful code. If possible, allow packages
>> you trust to run code, if it is necessary for a package to be properly
>> initialised.
>
> Thank you! What do you think about the version in the attached patch?
>
>>> +When set to a list of symbols (packages), run commands for only
>>> +packages in the list. When `nil', never run commands. Otherwise
>>> +when non-`nil', run commands for any package with :make or
>>> +:shell-command specified.
>>
>> Watch out. According to (elisp) Documentation Tips, nil is not quoted.
>
> Good to know! Fixed.
>
> From 812e32ea6c3f7b2d71174658db0e272b0b4fb84b Mon Sep 17 00:00:00 2001
> From: Joseph Turner <joseph <at> breatheoutbreathe.in>
> Date: Sat, 13 May 2023 10:05:04 -0700
> Subject: [PATCH] package-vc: Process :make and :shell-command spec args
>
> ---
> doc/emacs/package.texi | 9 ++++++++
> lisp/emacs-lisp/package-vc.el | 42 +++++++++++++++++++++++++++++++++++
> 2 files changed, 51 insertions(+)
>
> diff --git a/doc/emacs/package.texi b/doc/emacs/package.texi
> index 6722185cb20..4f606b22e54 100644
> --- a/doc/emacs/package.texi
> +++ b/doc/emacs/package.texi
> @@ -682,6 +682,15 @@ A string providing the repository-relative name of the documentation
> file from which to build an Info file. This can be a Texinfo file or
> an Org file.
>
> +@item :make
> +A string or list of strings providing the target or targets defined in
> +the repository Makefile which should run before building the Info
> +file. Only takes effect when package-vc-allow-side-effects is non-nil.
A @var is missing here
> +
> +@item :shell-command
> +A string providing the shell command to run before building the Info
> +file. Only takes effect when package-vc-allow-side-effects is non-nil.
and here. I can take care of that.
> +
> @item :vc-backend
> A symbol naming the VC backend to use for downloading a copy of the
> package's repository (@pxref{Version Control Systems,,,emacs, The GNU
> diff --git a/lisp/emacs-lisp/package-vc.el b/lisp/emacs-lisp/package-vc.el
> index beca0bd00e2..d2f6d287224 100644
> --- a/lisp/emacs-lisp/package-vc.el
> +++ b/lisp/emacs-lisp/package-vc.el
> @@ -344,6 +344,38 @@ asynchronously."
> "\n")
> nil pkg-file nil 'silent))))
>
> +(defcustom package-vc-allow-side-effects nil
> + "Whether to process :make and :shell-command spec arguments.
> +
> +It may be necessary to run :make and :shell-command arguments in
> +order to initialize a package or build its documentation, but
> +please be careful when changing this option, as installing and
> +updating a package can run potentially harmful code.
> +
> +When set to a list of symbols (packages), run commands for only
> +packages in the list. When nil, never run commands. Otherwise
> +when non-nil, run commands for any package with :make or
> +:shell-command specified.
> +
> +Package specs are loaded from trusted package archives."
> + :type '(choice (const :tag "Run for all packages" t)
> + (repeat :tag "Run only for selected packages" (symbol :tag "Package name"))
> + (const :tag "Never run" nil))
> + :version "30.1")
> +
> +(defun package-vc--make (pkg-spec pkg-desc)
> + "Process :make and :shell-command PKG-SPEC arguments for PKG-DESC."
> + (let ((target (plist-get pkg-spec :make))
> + (cmd (plist-get pkg-spec :shell-command))
> + (buf (format " *package-vc make %s*" (package-desc-name pkg-desc))))
> + (when (or cmd target)
> + (with-current-buffer (get-buffer-create buf)
> + (erase-buffer)
> + (when (and cmd (/= 0 (call-process shell-file-name nil t nil shell-command-switch cmd)))
> + (warn "Failed to run %s, see buffer %S" cmd (buffer-name)))
> + (when (and target (/= 0 (apply #'call-process "make" nil t nil (if (consp target) target (list target)))))
> + (warn "Failed to make %s, see buffer %S" target (buffer-name)))))))
> +
> (declare-function org-export-to-file "ox" (backend file))
>
> (defun package-vc--build-documentation (pkg-desc file)
> @@ -486,6 +518,16 @@ documentation and marking the package as installed."
> ;; Generate package file
> (package-vc--generate-description-file pkg-desc pkg-file)
>
> + ;; Process :make and :shell-command arguments before building documentation
> + (pcase package-vc-allow-side-effects
> + ('nil ; When `nil', do nothing.
> + nil)
> + ((pred consp) ; When non-`nil' list, check if package is on the list.
> + (when (memq (package-desc-name pkg-desc) package-vc-allow-side-effects)
> + (package-vc--make pkg-spec pkg-desc)))
> + (_ ; When otherwise non-`nil', run commands.
> + (package-vc--make pkg-spec pkg-desc)))
Thinking about this again, I am still not convinced. Isn't
--8<---------------cut here---------------start------------->8---
(when (or (eq package-vc-allow-side-effects t)
(memq (package-desc-name pkg-desc)
package-vc-allow-side-effects))
(package-vc--make pkg-spec pkg-desc))
--8<---------------cut here---------------end--------------->8---
much simpler? Again, you don't have to prepare another patch, I'm just
interested in what you think.
> +
> ;; Detect a manual
> (when (executable-find "install-info")
> (dolist (doc-file (ensure-list (plist-get pkg-spec :doc)))
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.