emacswiki snippets: cleanup #328074
emacswiki snippets: cleanup #328074
Conversation
AndersonTorres
force-pushed
the
emacswiki
branch
from
07375dd
to
aca0aec
Compare
AndersonTorres
force-pushed
the
emacswiki
branch
2 times, most recently
from
9b26aeb
to
f697ce7
Compare
| @@ -7,6 +7,8 @@ in | |||
| { | |||
| inherit (pkgs) emacspeak; | |||
|
|
|||
| emacswiki = callPackage ./manual-packages/emacswiki { }; | |||
There was a problem hiding this comment.
What is the motivation/benefit of adding emacswiki?
One disadvantage is that one package, e.g., yes-no, may remains the same even if its version changes.
There was a problem hiding this comment.
Technically the source is the Emacswiki git repo.
Also, the Emacswiki can be kept frozen - their snippets are not being updated since decades.
To be honest I believe those packages should not be distributed by Nixpkgs.
They were removed from MELPA a long time ago because they were reputed insecure by design (anyone can edit a wiki). Some were migrated, others were effectively abandoned.
Essentially they are candidates for removal, per NixOS/rfcs#180
Many links documenting MELPA deleting Emacswiki
melpa/melpa#5034
melpa/melpa#5008
https://www.reddit.com/r/emacs/comments/7vocqa/comment/dtuhzmt/
https://www.reddit.com/r/emacs/comments/f4may5/why_melpa_has_decided_to_no_longer_accept_lisp/
https://www.reddit.com/r/emacs/comments/7suq6d/melpa_has_stopped_distributing_insecure_emacswiki/
https://www.reddit.com/r/emacs/comments/7vocqa/update_on_melpa_removing_emacswiki_packages_they/
https://www.reddit.com/r/emacs/comments/72b2ms/discussion_about_removing_all_emacswiki_packages/
There was a problem hiding this comment.
Well, a somewhat hacky approach would be create GitHub repos for these snippets, at least the ones we want to keep on Nixpkgs. They can be easily extracted from EmacsWiki github.
There was a problem hiding this comment.
Technically the source is the Emacswiki git repo.
I still do not see the benefit of inherit (emacswiki) version src; over
src = fetchurl {
url = "https://raw.githubusercontent.com/emacsmirror/emacswiki.org/185fdc34fb1e02b43759ad933d3ee5646b0e78f8/control-lock.el";
hash = "sha256-JCrmS3FSGDHSR+eAR0X/uO0nAgd3TUmFxwEVH5+KV+4=";
};the Emacswiki can be kept frozen - their snippets are not being updated since decades.
Not sure what you mean, but emacswiki.src is updated frequently. See https://github.com/emacsmirror/emacswiki.org/commits/master/ .
To be honest I believe those packages should not be distributed by Nixpkgs.
They were removed from MELPA a long time ago because they were reputed insecure by design (anyone can edit a wiki).
IIUC, MELPA does not have a maintainer role for each of its packages. It just build and publish a package when there is a new version (snapshot or release). In this model, the code on wiki is indeed insecure.
Nixpkgs is different, we have meta.maintainers for each package. In this model, the code on wiki is secure (or less insecure).
Packages with an empty meta.maintainers can be removed or mark as insecure (with meta.knownVulnerabilities). They can be added back if someone becomes its maintainer.
Well, a somewhat hacky approach would be create GitHub repos for these snippets, at least the ones we want to keep on Nixpkgs. They can be easily extracted from EmacsWiki github.
There is no benefit of just fetching wiki packages from another source. What matters is maintenance which is the job of meta.maintainers.
The emacswiki = callPackage ./manual-packages/emacswiki { }; and inherit (emacswiki) version src; pattern actually makes wiki packages in Nixpkgs less secure because their maintainer cannot control src.
There was a problem hiding this comment.
Not sure what you mean, but
emacswiki.srcis updated frequently. See https://github.com/emacsmirror/emacswiki.org/commits/master/ .
The EmacsWiki is modified potentially daily. However, most of Elisp codes aren't.
Indeed the perl-completion you cited was not touched since its inception nine years ago.
In this sense, we could just update this blob once a year.
The
emacswiki = callPackage ./manual-packages/emacswiki { };andinherit (emacswiki) version src;pattern actually makes wiki packages in Nixpkgs less secure because their maintainer cannot controlsrc.
It is not hard to write something like grabEmacsWiki { rev = ""; hash = ""; }.
Nonetheless you are correct. Let's undo this.
pkgs/applications/editors/emacs/elisp-packages/manual-packages/perl-completion/default.nix
Outdated
Show resolved
Hide resolved
| @@ -7,6 +7,8 @@ in | |||
| { | |||
| inherit (pkgs) emacspeak; | |||
|
|
|||
| emacswiki = callPackage ./manual-packages/emacswiki { }; | |||
There was a problem hiding this comment.
Technically the source is the Emacswiki git repo.
I still do not see the benefit of inherit (emacswiki) version src; over
src = fetchurl {
url = "https://raw.githubusercontent.com/emacsmirror/emacswiki.org/185fdc34fb1e02b43759ad933d3ee5646b0e78f8/control-lock.el";
hash = "sha256-JCrmS3FSGDHSR+eAR0X/uO0nAgd3TUmFxwEVH5+KV+4=";
};the Emacswiki can be kept frozen - their snippets are not being updated since decades.
Not sure what you mean, but emacswiki.src is updated frequently. See https://github.com/emacsmirror/emacswiki.org/commits/master/ .
To be honest I believe those packages should not be distributed by Nixpkgs.
They were removed from MELPA a long time ago because they were reputed insecure by design (anyone can edit a wiki).
IIUC, MELPA does not have a maintainer role for each of its packages. It just build and publish a package when there is a new version (snapshot or release). In this model, the code on wiki is indeed insecure.
Nixpkgs is different, we have meta.maintainers for each package. In this model, the code on wiki is secure (or less insecure).
Packages with an empty meta.maintainers can be removed or mark as insecure (with meta.knownVulnerabilities). They can be added back if someone becomes its maintainer.
Well, a somewhat hacky approach would be create GitHub repos for these snippets, at least the ones we want to keep on Nixpkgs. They can be easily extracted from EmacsWiki github.
There is no benefit of just fetching wiki packages from another source. What matters is maintenance which is the job of meta.maintainers.
The emacswiki = callPackage ./manual-packages/emacswiki { }; and inherit (emacswiki) version src; pattern actually makes wiki packages in Nixpkgs less secure because their maintainer cannot control src.
AndersonTorres
force-pushed
the
emacswiki
branch
from
f697ce7
to
5af0c13
Compare
AndersonTorres
changed the title
Description of changes
#278925 (comment)
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.