[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Finding versions of packages (was: [outreachy] Walk through the Git hist

From: Ryan Prior
Subject: Finding versions of packages (was: [outreachy] Walk through the Git history)
Date: Sat, 12 Dec 2020 22:08:46 +0000

Hi there! I've been following the "guix git" discourse with interest because I know a lot of people who care about pinning packages to specific versions and selecting specific versions of software to install. This constituency currently relies heavily on systems like rvm, nvm, and conda to manage the available versions of libraries and runtimes they care about.

The proposal to add a "guix git" command to help find old versions of packages seems unnecessarily indirect to me. Certainly you can learn interesting things about the history of Guix packages using the git log,  but that doesn't address the questions "which versions of this software are available and how to I use them" except via an abstraction that depends on the operator's tacit knowledge, including what "git" is and how to read git commits. We can do better.

I propose a different approach: the "guix versions" subcommand provides direct answers to practical user questions.
- What package versions are available?
- How do I use them?
- Which versions are known to be vulnerable?
- Which have available substitutes?

For example, the command "guix versions esbuild" can provide this output:
name: esbuild
version: 0.8.21
guix-hash: eee3af86c7

name: esbuild
version: 0.8.19
guix-hash: 6374a25357

name: esbuild
version: 0.8.16
guix-hash: 8c3caf9c5d
vulnerabilities: cve-2020-1337, cve-2019-1024
...and so on.

Then, to make the output directly actionable, we extend Guix to accept recfile manifests following the same structure, such that given the following file "packages.rec:"
name: esbuild
version: 0.8.19
guix-hash: 6374a25357

name: python-html5lib
version: 1.1
guix-hash: 6374a25357

…we can use those exact packages using "guix environment -m packages.rec", or find which of those packages have substitutes using "guix weather -m packages.rec"

I make this proposal because I perceive the following advantages:
- It makes no the assumption that the operator knows what git is, cares about the internal git structure of Guix, wants to read git commits, or wants to master the details of the internal "inferiors" mechanism we use to provide this functionality.
- It answers directly the operator's practical questions rather than providing oblique advice which depend upon the operator's tacit knowledge.
- The user can act immediately upon the output of the command to create a manifest that represents the software they want to use.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]