pavucontrol: use gitlab source, clean up #142236
Conversation
|
How come the autoreconfhook needed to be added with |
|
Result of 2 packages built:
|
|
Traditionally, the package maintainer runs autoconf before generating the tarball. |
|
Why change the source? |
|
the tarball seems to have a lot more files tarball files ignoring *.po$ exa -TI '*.po' --group-directories-first pavucontrol-5.0
pavucontrol-5.0
├── doc
│ ├── Makefile.am
│ ├── Makefile.in
│ ├── README
│ ├── README.html
│ ├── README.html.in
│ └── style.css
├── m4
│ ├── ax_cxx_compile_stdcxx.m4
│ ├── ax_cxx_compile_stdcxx_11.m4
│ ├── intltool.m4
│ └── zp_lynx_doc.m4
├── po
│ ├── LINGUAS
│ ├── Makefile.in.in
│ ├── pavucontrol.pot
│ └── POTFILES.in
├── src
│ ├── cardwidget.cc
│ ├── cardwidget.h
│ ├── channelwidget.cc
│ ├── channelwidget.h
│ ├── devicewidget.cc
│ ├── devicewidget.h
│ ├── i18n.h
│ ├── mainwindow.cc
│ ├── mainwindow.h
│ ├── Makefile.am
│ ├── Makefile.in
│ ├── minimalstreamwidget.cc
│ ├── minimalstreamwidget.h
│ ├── pavuapplication.cc
│ ├── pavuapplication.h
│ ├── pavucontrol.cc
│ ├── pavucontrol.desktop.in
│ ├── pavucontrol.glade
│ ├── pavucontrol.h
│ ├── rolewidget.cc
│ ├── rolewidget.h
│ ├── sinkinputwidget.cc
│ ├── sinkinputwidget.h
│ ├── sinkwidget.cc
│ ├── sinkwidget.h
│ ├── sourceoutputwidget.cc
│ ├── sourceoutputwidget.h
│ ├── sourcewidget.cc
│ ├── sourcewidget.h
│ ├── streamwidget.cc
│ └── streamwidget.h
├── aclocal.m4
├── bootstrap.sh
├── compile
├── config.h.in
├── configure
├── configure.ac
├── depcomp
├── install-sh
├── intltool-extract.in
├── intltool-merge.in
├── intltool-update.in
├── LICENSE
├── Makefile.am
├── Makefile.in
├── missing
└── README |
ofborg
bot
added
10.rebuild-darwin: 0
gitlab has a interface which makes it easier to look at the code, |
|
And it's more idiomatic, in the future we could also more easily switch to arbitrary revisions, should the need arise. |
You can point to this in meta.homepage. (Or, to an actual home page which presumably links to the code browser.) src is for downloading the code, not telling people where to look at it in a web browser.
It is not more idiomatic. For it to be idiomatic, it would have to be in line with existing practice, and nixpkgs we very frequently use tarballs when they are available. See also #124974. |
The current homepage is correct, and it includes links to the gitlab. It does have a link to the original source as a downloadable form, but there is not easy way to look at the files without downloading the tarball |
|
Isn't there a case to be made for security? That's just my two cents, it seems like this is common practice so there's probably little reason to worry - and an incredibly nitpicking issue from me 😄 |
And why is this a problem? Also, it's quite common for us to use release tarballs (I mean there's a reason why upstream developers prepare those), so I don't see why these are bad.
If we don't trust the upstream devs (i.e. the folks who maintain the source and prepare the tarballs in question), then we should stop using their code, right? ;-)
Sounds like premature-optimization (although I wouldn't call it optimization in this case) to me. Also - from my experience at least - we usually apply patches to e.g. incorporate important bugfixes or security fixes. All in all, this doesn't seem useful to me, so 👎 from my side. |
|
I guess we can close this |
I personally agree with this and you don't have to suspect malicious intent of the maintainers. Maybe they have a virus on their PC or accidentally used an old vulnerable version of some build tool. Or they didn't clone the latest revision of their project with a fix. Maybe their download server was vulnerable (well you could argue this could happen with gitlab etc too but then the commit hash wouldn't match and that's easier to detect as there need to be valid commits etc (signed in the best case).) There are literally a million additional attack vectors and for autoconf software I don't this the additional effort here is that large. |
|
Would need an RFC though I think |
My point is, if we assume that an upstream developer is somehow compromised, we cannot assume that only the release tarballs are affected. |
That is correct but I would assume that the git repositories are more closely watched and reviewed than the release artifacts. Anyways feel free to discuss this further but I think the most useful thing would be if somebody would open an RFC about this. |
|
It's also harder to verify release tarballs, because a minor version change (or different implementation) in any of the tools used to generate it will likely result in a different hash and make it impossible to compare your local release tarball with the one found upstream. |
|
It's also harder to verify release tarballs, because a minor version change (or different implementation) in any of the tools used to generate it will result in a different hash and make it impossible to compare your local release tarball with the one found upstream.
This is true, but on the other hand, hashes of git-archive(1) tarballs
(used by GitHub and GitLab) can also change unexpectedly because of
software updates on their end, or export-subst (a horrible git
misfeature).
I do think that building from Git instead of release tarballs might be a
good practice to adopt, but as I've said before, we shouldn't be
adopting it piecemeal and should make a concious decision to do so, with
a policy that can be applied as uniform
|
Motivation for this change
follow up of #142220
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)