diff options
author | Ludovic Courtès <ludo@gnu.org> | 2024-11-26 10:56:37 +0100 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2024-12-01 20:14:16 +0100 |
commit | 858dd7e721d69a6087375395037a86640418f1fb (patch) | |
tree | bc98b2583aa377c228dcc38b015bbaba3703ec5a | |
parent | 3dfb757a45f49dbc83769477fc8d0d88b8e71556 (diff) |
etc: Add upgrade manifest.
* guix/scripts/build.scm (dependents): Export.
* etc/upgrade-manifest.scm: New file.
* Makefile.am (EXTRA_DIST): Add it.
Change-Id: I1b2a2ebd09e559c68da9f25772bf33caacb4c031
-rw-r--r-- | Makefile.am | 1 | ||||
-rw-r--r-- | etc/upgrade-manifest.scm | 128 | ||||
-rw-r--r-- | guix/scripts/build.scm | 2 |
3 files changed, 131 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am index e94ba87797..0cff32c607 100644 --- a/Makefile.am +++ b/Makefile.am @@ -743,6 +743,7 @@ EXTRA_DIST += \ etc/source-manifest.scm \ etc/system-tests.scm \ etc/time-travel-manifest.scm \ + etc/upgrade-manifest.scm \ scripts/guix.in \ tests/cve-sample.json \ tests/keys/civodul.pub \ diff --git a/etc/upgrade-manifest.scm b/etc/upgrade-manifest.scm new file mode 100644 index 0000000000..5e6d7d85e4 --- /dev/null +++ b/etc/upgrade-manifest.scm @@ -0,0 +1,128 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Ludovic Courtès <ludo@gnu.org> +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +;; This manifest computes upgrades of key packages using updaters from (guix +;; upstream) and supporting code for the 'with-latest' transformation. + +(use-modules (guix memoization) + (guix monads) + (guix graph) + (guix packages) + (guix profiles) + (guix store) + (guix transformations) + (guix upstream) + ((guix scripts build) #:select (dependents)) + ((guix scripts graph) #:select (%bag-node-type)) + ((guix import github) #:select (%github-api)) + (guix build-system gnu) + (guix build-system cmake) + ((gnu packages) #:select (all-packages)) + + (gnu packages backup) + (gnu packages curl) + (gnu packages freedesktop) + (gnu packages gnupg) + (gnu packages ssh) + (gnu packages tls) + (gnu packages version-control) + (gnu packages xorg) + + (ice-9 match) + (srfi srfi-1)) + +;; Bypass the GitHub updater: we'd need an API token or we would hit the rate +;; limit. +(%github-api "http://example.org") + +(define security-packages + (list xorg-server + elogind + + openssl + gnutls + curl + curl-ssh + + libarchive + libgit2 + libssh + + ;; GnuPG. + libassuan + libgpg-error + libgcrypt + libksba + npth + gnupg + gpgme + pinentry)) + +(define latest-version + (mlambdaq (package) + (package-with-upstream-version package + ;; Preserve patches and snippets to get + ;; exactly the same as what we'd have with + ;; 'guix refresh -u PACKAGE'. + #:preserve-patches? #t + + ;; XXX: Disable source code authentication: + ;; this requires a local keyring, populated + ;; from key servers, but key servers may be + ;; unreliable or may lack the upstream + ;; keys. Leave it up to packagers to + ;; actually authenticate code and make sure + ;; it matches what this manifest computed. + #:authenticate? #f))) + +(define individual-security-upgrades + ;; Upgrades of individual packages with their direct dependents built + ;; against that upgrade. + (manifest + (with-store store + (append-map (lambda (package) + (let* ((name (package-name package)) + (newest (latest-version package)) + (update (package-input-rewriting + `((,package . ,newest))))) + (map (lambda (package) + (manifest-entry + (inherit (package->manifest-entry + (update package))) + (name (string-append (package-name package) + "-with-latest-" name)))) + (dependents store (list package) 1)))) + security-packages)))) + +(define joint-security-upgrades + ;; All of SECURITY-PACKAGES updated at once, together with their dependents. + (manifest + (with-store store + (let ((update-all (package-input-rewriting + (map (lambda (package) + `(,package . ,(latest-version package))) + security-packages)))) + (map (lambda (package) + (manifest-entry + (inherit (package->manifest-entry + (update-all package))) + (name (string-append (package-name package) "-full-upgrade")))) + (dependents store security-packages 2)))))) + +(concatenate-manifests + (list individual-security-upgrades joint-security-upgrades)) diff --git a/guix/scripts/build.scm b/guix/scripts/build.scm index d1368f7e48..0080f1fe58 100644 --- a/guix/scripts/build.scm +++ b/guix/scripts/build.scm @@ -63,6 +63,8 @@ show-cross-build-options-help show-native-build-options-help + dependents + guix-build register-root register-root*)) |