emacswiki snippets: cleanup #328074
07375dd to aca0aec
9b26aeb to f697ce7
@@ -7,6 +7,8 @@ in | |||
{ | |||
inherit (pkgs) emacspeak; | |||
|
|||
emacswiki = callPackage ./manual-packages/emacswiki { }; |
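Review bot: the new `emacswiki` attribute is introduced without any comment on what it provides or how downstream packages are expected to consume it; since packages that `inherit (emacswiki) version src;` from it hand control of their `src` to this shared attribute (the concern raised in the review comments on this hunk), please document next to this line that consumers should pin an explicit revision and SRI hash themselves, e.g. a `fetchurl` of the mirror URL with `hash = "sha256-..."`, rather than inheriting `src` wholesale.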
What is the motivation/benefit of adding `emacswiki`?
One disadvantage is that one package, e.g., `yes-no`, may remain the same even if its version changes.
Technically the source is the Emacswiki git repo.
Also, the Emacswiki can be kept frozen - their snippets have not been updated for decades.
To be honest I believe those packages should not be distributed by Nixpkgs.
They were removed from MELPA a long time ago because they were reputed insecure by design (anyone can edit a wiki). Some were migrated, others were effectively abandoned.
Essentially they are candidates for removal, per NixOS/rfcs#180.
Many links documenting MELPA deleting Emacswiki:
melpa/melpa#5034
melpa/melpa#5008
https://www.reddit.com/r/emacs/comments/7vocqa/comment/dtuhzmt/
https://www.reddit.com/r/emacs/comments/f4may5/why_melpa_has_decided_to_no_longer_accept_lisp/
https://www.reddit.com/r/emacs/comments/7suq6d/melpa_has_stopped_distributing_insecure_emacswiki/
https://www.reddit.com/r/emacs/comments/7vocqa/update_on_melpa_removing_emacswiki_packages_they/
https://www.reddit.com/r/emacs/comments/72b2ms/discussion_about_removing_all_emacswiki_packages/
Well, a somewhat hacky approach would be to create GitHub repos for these snippets, at least the ones we want to keep on Nixpkgs. They can be easily extracted from the EmacsWiki GitHub.
> Technically the source is the Emacswiki git repo.

I still do not see the benefit of `inherit (emacswiki) version src;` over

```nix
src = fetchurl {
  url = "https://raw.githubusercontent.com/emacsmirror/emacswiki.org/185fdc34fb1e02b43759ad933d3ee5646b0e78f8/control-lock.el";
  hash = "sha256-JCrmS3FSGDHSR+eAR0X/uO0nAgd3TUmFxwEVH5+KV+4=";
};
```

> the Emacswiki can be kept frozen - their snippets have not been updated for decades.

Not sure what you mean, but `emacswiki.src` is updated frequently. See https://github.com/emacsmirror/emacswiki.org/commits/master/ .

> To be honest I believe those packages should not be distributed by Nixpkgs.
> They were removed from MELPA a long time ago because they were reputed insecure by design (anyone can edit a wiki).

IIUC, MELPA does not have a maintainer role for each of its packages. It just builds and publishes a package when there is a new version (snapshot or release). In this model, the code on the wiki is indeed insecure.
Nixpkgs is different, we have `meta.maintainers` for each package. In this model, the code on the wiki is secure (or less insecure).
Packages with an empty `meta.maintainers` can be removed or marked as insecure (with `meta.knownVulnerabilities`). They can be added back if someone becomes their maintainer.

> Well, a somewhat hacky approach would be to create GitHub repos for these snippets, at least the ones we want to keep on Nixpkgs. They can be easily extracted from the EmacsWiki GitHub.

There is no benefit of just fetching wiki packages from another source. What matters is maintenance, which is the job of `meta.maintainers`.
The `emacswiki = callPackage ./manual-packages/emacswiki { };` and `inherit (emacswiki) version src;` pattern actually makes wiki packages in Nixpkgs less secure because their maintainer cannot control `src`.
> Not sure what you mean, but `emacswiki.src` is updated frequently. See https://github.com/emacsmirror/emacswiki.org/commits/master/ .

The EmacsWiki is modified potentially daily. However, most of the Elisp code isn't.
Indeed the perl-completion you cited has not been touched since its inception nine years ago.
In this sense, we could just update this blob once a year.

> The `emacswiki = callPackage ./manual-packages/emacswiki { };` and `inherit (emacswiki) version src;` pattern actually makes wiki packages in Nixpkgs less secure because their maintainer cannot control `src`.

It is not hard to write something like `grabEmacsWiki { rev = ""; hash = ""; }`.
Nonetheless you are correct. Let's undo this.
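The `grabEmacsWiki { rev = ""; hash = ""; }` helper mentioned in the comment above, written out as an added example that is not part of this PR or of Nixpkgs: it pins one EmacsWiki file per package to a full mirror commit id and an SRI hash, so the package's own maintainer controls `src` instead of inheriting it from the shared `emacswiki` attribute. The function name, the `{ lib, fetchurl }` argument set and the two assertions are assumptions; the mirror URL layout, the commit id and the hash are the ones from the `control-lock.el` snippet in the thread.

```nix
# Added example (hypothetical helper, not from the PR or from Nixpkgs).
# The weak pattern discussed in the thread is
#   inherit (emacswiki) version src;
# which ties every wiki package to whatever revision the shared `emacswiki`
# blob happens to be at. This helper instead makes each package name its own
# revision and hash, so an edit to the wiki cannot change `src` silently:
# a mismatch between the fetched file and `hash` fails the build.
{ lib, fetchurl }:

let
  # name: file basename without ".el"
  # rev:  full commit id of the emacsmirror/emacswiki.org mirror (no branch names)
  # hash: SRI sha256 of that exact file
  grabEmacsWiki =
    { name, rev, hash }:
    assert lib.assertMsg (builtins.stringLength rev == 40)
      "grabEmacsWiki: rev must be a full 40-character commit id, not a branch name";
    assert lib.assertMsg (lib.hasPrefix "sha256-" hash)
      "grabEmacsWiki: hash must be an SRI sha256 hash";
    fetchurl {
      # Same raw-mirror URL layout as the fetchurl snippet in the thread.
      url = "https://raw.githubusercontent.com/emacsmirror/emacswiki.org/${rev}/${name}.el";
      inherit hash;
    };
in
{
  # Pinned exactly as in the thread: changing either value is a visible,
  # reviewable diff in the package's own file.
  control-lock-src = grabEmacsWiki {
    name = "control-lock";
    rev = "185fdc34fb1e02b43759ad933d3ee5646b0e78f8";
    hash = "sha256-JCrmS3FSGDHSR+eAR0X/uO0nAgd3TUmFxwEVH5+KV+4=";
  };
}
```

The assertions are what make this safer than a bare `fetchurl`: a branch name such as `master` in `rev` would let the URL resolve to newer content (the build would then fail on the hash, but only after the maintainer wonders why), and a non-SRI hash would slip past review more easily.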
pkgs/applications/editors/emacs/elisp-packages/manual-packages/perl-completion/default.nix (outdated, resolved)
f697ce7 to 5af0c13
LGTM
Description of changes
#278925 (comment)
Things done