d774c7b121
Suggested by Ricardo Wurmus and Simon Tournier. * guix/channels.scm (sexp->channel-introduction): New procedure. (read-channel-metadata): Use it. (profile-channels)[sexp->channel-introduction]: Remove. * tests/channels.scm ("latest-channel-instances, authenticate dependency"): New test. * doc/guix.texi (Channels)[Declaring Channel Dependencies]: Augment example.
1105 lines
46 KiB
Scheme
1105 lines
46 KiB
Scheme
;;; GNU Guix --- Functional package management for GNU
|
||
;;; Copyright © 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
|
||
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
|
||
;;; Copyright © 2019 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
|
||
;;;
|
||
;;; This file is part of GNU Guix.
|
||
;;;
|
||
;;; GNU Guix is free software; you can redistribute it and/or modify it
|
||
;;; under the terms of the GNU General Public License as published by
|
||
;;; the Free Software Foundation; either version 3 of the License, or (at
|
||
;;; your option) any later version.
|
||
;;;
|
||
;;; GNU Guix is distributed in the hope that it will be useful, but
|
||
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
;;; GNU General Public License for more details.
|
||
;;;
|
||
;;; You should have received a copy of the GNU General Public License
|
||
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
|
||
|
||
(define-module (guix channels)
|
||
#:use-module (git)
|
||
#:use-module (guix git)
|
||
#:use-module (guix git-authenticate)
|
||
#:use-module ((guix openpgp)
|
||
#:select (openpgp-public-key-fingerprint
|
||
openpgp-format-fingerprint))
|
||
#:use-module (guix base16)
|
||
#:use-module (guix records)
|
||
#:use-module (guix gexp)
|
||
#:use-module (guix modules)
|
||
#:use-module (guix discovery)
|
||
#:use-module (guix monads)
|
||
#:use-module (guix profiles)
|
||
#:use-module (guix packages)
|
||
#:use-module (guix progress)
|
||
#:use-module (guix derivations)
|
||
#:use-module (guix combinators)
|
||
#:use-module (guix diagnostics)
|
||
#:use-module (guix sets)
|
||
#:use-module (guix store)
|
||
#:use-module (guix i18n)
|
||
#:use-module ((guix utils)
|
||
#:select (source-properties->location
|
||
&error-location
|
||
&fix-hint))
|
||
#:use-module (srfi srfi-1)
|
||
#:use-module (srfi srfi-2)
|
||
#:use-module (srfi srfi-9)
|
||
#:use-module (srfi srfi-11)
|
||
#:use-module (srfi srfi-26)
|
||
#:use-module (srfi srfi-34)
|
||
#:use-module (srfi srfi-35)
|
||
#:autoload (guix self) (whole-package make-config.scm)
|
||
#:autoload (guix inferior) (gexp->derivation-in-inferior) ;FIXME: circular dep
|
||
#:autoload (guix quirks) (%quirks %patches applicable-patch? apply-patch)
|
||
#:use-module (ice-9 format)
|
||
#:use-module (ice-9 match)
|
||
#:use-module (ice-9 vlist)
|
||
#:use-module ((ice-9 rdelim) #:select (read-string))
|
||
#:use-module ((rnrs bytevectors) #:select (bytevector=?))
|
||
#:export (channel
|
||
channel?
|
||
channel-name
|
||
channel-url
|
||
channel-branch
|
||
channel-commit
|
||
channel-introduction
|
||
channel-location
|
||
|
||
channel-introduction?
|
||
make-channel-introduction
|
||
channel-introduction-first-signed-commit
|
||
channel-introduction-first-commit-signer
|
||
|
||
openpgp-fingerprint->bytevector
|
||
openpgp-fingerprint
|
||
|
||
%default-channels
|
||
guix-channel?
|
||
|
||
channel-instance?
|
||
channel-instance-channel
|
||
channel-instance-commit
|
||
channel-instance-checkout
|
||
|
||
authenticate-channel
|
||
latest-channel-instances
|
||
checkout->channel-instance
|
||
latest-channel-derivation
|
||
channel-instances->manifest
|
||
%channel-profile-hooks
|
||
channel-instances->derivation
|
||
ensure-forward-channel-update
|
||
|
||
profile-channels
|
||
|
||
channel-news-entry?
|
||
channel-news-entry-commit
|
||
channel-news-entry-tag
|
||
channel-news-entry-title
|
||
channel-news-entry-body
|
||
|
||
channel-news-for-commit))
|
||
|
||
;;; Commentary:
|
||
;;;
|
||
;;; This module implements "channels." A channel is usually a source of
|
||
;;; package definitions. There's a special channel, the 'guix' channel, that
|
||
;;; provides all of Guix, including its commands and its documentation.
|
||
;;; User-defined channels are expected to typically provide a bunch of .scm
|
||
;;; files meant to be added to the '%package-search-path'.
|
||
;;;
|
||
;;; This module provides tools to fetch and update channels from a Git
|
||
;;; repository and to build them.
|
||
;;;
|
||
;;; Code:
|
||
|
||
(define-record-type* <channel> channel make-channel
|
||
channel?
|
||
(name channel-name)
|
||
(url channel-url)
|
||
(branch channel-branch (default "master"))
|
||
(commit channel-commit (default #f))
|
||
(introduction channel-introduction (default #f))
|
||
(location channel-location
|
||
(default (current-source-location)) (innate)))
|
||
|
||
;; Channel introductions. A "channel introduction" provides a commit/signer
|
||
;; pair that specifies the first commit of the authentication process as well
|
||
;; as its signer's fingerprint. Introductions are used to bootstrap trust in
|
||
;; a channel.
|
||
(define-record-type <channel-introduction>
|
||
(%make-channel-introduction first-signed-commit first-commit-signer)
|
||
channel-introduction?
|
||
(first-signed-commit channel-introduction-first-signed-commit) ;hex string
|
||
(first-commit-signer channel-introduction-first-commit-signer)) ;bytevector
|
||
|
||
(define (make-channel-introduction commit signer)
|
||
"Return a new channel introduction: COMMIT is the introductory where
|
||
authentication starts, and SIGNER is the OpenPGP fingerprint (a bytevector) of
|
||
the signer of that commit."
|
||
(%make-channel-introduction commit signer))
|
||
|
||
(define (openpgp-fingerprint->bytevector str)
|
||
"Convert STR, an OpenPGP fingerprint (hexadecimal string with whitespace),
|
||
to the corresponding bytevector."
|
||
(base16-string->bytevector
|
||
(string-downcase (string-filter char-set:hex-digit str))))
|
||
|
||
(define-syntax openpgp-fingerprint
|
||
(lambda (s)
|
||
"Convert STR, an OpenPGP fingerprint (hexadecimal string with whitespace),
|
||
to the corresponding bytevector."
|
||
(syntax-case s ()
|
||
((_ str)
|
||
(string? (syntax->datum #'str))
|
||
(openpgp-fingerprint->bytevector (syntax->datum #'str)))
|
||
((_ str)
|
||
#'(openpgp-fingerprint->bytevector str)))))
|
||
|
||
(define %guix-channel-introduction
|
||
;; Introduction of the official 'guix channel. The chosen commit is the
|
||
;; first one that introduces '.guix-authorizations' on the 'staging'
|
||
;; branch that was eventually merged in 'master'. Any branch starting
|
||
;; before that commit cannot be merged or it will be rejected by 'guix pull'
|
||
;; & co.
|
||
(make-channel-introduction
|
||
"9edb3f66fd807b096b48283debdcddccfea34bad" ;2020-05-26
|
||
(openpgp-fingerprint ;mbakke
|
||
"BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA")))
|
||
|
||
(define %default-channel-url
|
||
;; URL of the default 'guix' channel.
|
||
"https://git.savannah.gnu.org/git/guix.git")
|
||
|
||
(define %default-channels
|
||
;; Default list of channels.
|
||
(list (channel
|
||
(name 'guix)
|
||
(branch "master")
|
||
(url %default-channel-url)
|
||
(introduction %guix-channel-introduction))))
|
||
|
||
(define (guix-channel? channel)
|
||
"Return true if CHANNEL is the 'guix' channel."
|
||
(eq? 'guix (channel-name channel)))
|
||
|
||
(define (ensure-default-introduction chan)
|
||
"If CHAN represents the \"official\" 'guix' channel and lacks an
|
||
introduction, add it."
|
||
(if (and (guix-channel? chan)
|
||
(not (channel-introduction chan))
|
||
(string=? (channel-url chan) %default-channel-url))
|
||
(channel (inherit chan)
|
||
(introduction %guix-channel-introduction))
|
||
chan))
|
||
|
||
(define-record-type <channel-instance>
|
||
(channel-instance channel commit checkout)
|
||
channel-instance?
|
||
(channel channel-instance-channel)
|
||
(commit channel-instance-commit)
|
||
(checkout channel-instance-checkout))
|
||
|
||
(define-record-type <channel-metadata>
|
||
(channel-metadata directory dependencies news-file keyring-reference url)
|
||
channel-metadata?
|
||
(directory channel-metadata-directory) ;string with leading slash
|
||
(dependencies channel-metadata-dependencies) ;list of <channel>
|
||
(news-file channel-metadata-news-file) ;string | #f
|
||
(keyring-reference channel-metadata-keyring-reference) ;string
|
||
(url channel-metadata-url)) ;string | #f
|
||
|
||
(define %default-keyring-reference
|
||
;; Default value of the 'keyring-reference' field.
|
||
"keyring")
|
||
|
||
(define (channel-reference channel)
|
||
"Return the \"reference\" for CHANNEL, an sexp suitable for
|
||
'latest-repository-commit'."
|
||
(match (channel-commit channel)
|
||
(#f `(branch . ,(channel-branch channel)))
|
||
(commit `(commit . ,(channel-commit channel)))))
|
||
|
||
(define sexp->channel-introduction
|
||
(match-lambda
|
||
(('channel-introduction ('version 0)
|
||
('commit commit) ('signer signer)
|
||
_ ...)
|
||
(make-channel-introduction commit (openpgp-fingerprint signer)))
|
||
(x #f)))
|
||
|
||
(define (read-channel-metadata port)
|
||
"Read from PORT channel metadata in the format expected for the
|
||
'.guix-channel' file. Return a <channel-metadata> record, or raise an error
|
||
if valid metadata could not be read from PORT."
|
||
(match (read port)
|
||
(('channel ('version 0) properties ...)
|
||
(let ((directory (and=> (assoc-ref properties 'directory) first))
|
||
(dependencies (or (assoc-ref properties 'dependencies) '()))
|
||
(news-file (and=> (assoc-ref properties 'news-file) first))
|
||
(url (and=> (assoc-ref properties 'url) first))
|
||
(keyring-reference
|
||
(or (and=> (assoc-ref properties 'keyring-reference) first)
|
||
%default-keyring-reference)))
|
||
(channel-metadata
|
||
(cond ((not directory) "/") ;directory
|
||
((string-prefix? "/" directory) directory)
|
||
(else (string-append "/" directory)))
|
||
(map (lambda (item) ;dependencies
|
||
(let ((get (lambda* (key #:optional default)
|
||
(or (and=> (assoc-ref item key) first) default))))
|
||
(and-let* ((name (get 'name))
|
||
(url (get 'url))
|
||
(branch (get 'branch "master")))
|
||
(channel
|
||
(name name)
|
||
(branch branch)
|
||
(url url)
|
||
(commit (get 'commit))
|
||
(introduction (and=> (get 'introduction)
|
||
sexp->channel-introduction))))))
|
||
dependencies)
|
||
news-file
|
||
keyring-reference
|
||
url)))
|
||
((and ('channel ('version version) _ ...) sexp)
|
||
(raise (condition
|
||
(&message (message "unsupported '.guix-channel' version"))
|
||
(&error-location
|
||
(location (source-properties->location
|
||
(source-properties sexp)))))))
|
||
(sexp
|
||
(raise (condition
|
||
(&message (message "invalid '.guix-channel' file"))
|
||
(&error-location
|
||
(location (source-properties->location
|
||
(source-properties sexp)))))))))
|
||
|
||
(define (read-channel-metadata-from-source source)
|
||
"Return a channel-metadata record read from channel's SOURCE/.guix-channel
|
||
description file, or return the default channel-metadata record if that file
|
||
doesn't exist."
|
||
(catch 'system-error
|
||
(lambda ()
|
||
(call-with-input-file (string-append source "/.guix-channel")
|
||
read-channel-metadata))
|
||
(lambda args
|
||
(if (= ENOENT (system-error-errno args))
|
||
(channel-metadata "/" '() #f %default-keyring-reference #f)
|
||
(apply throw args)))))
|
||
|
||
(define (channel-instance-metadata instance)
|
||
"Return a channel-metadata record read from the channel INSTANCE's
|
||
description file or its default value."
|
||
(read-channel-metadata-from-source (channel-instance-checkout instance)))
|
||
|
||
(define (channel-instance-dependencies instance)
|
||
"Return the list of channels that are declared as dependencies for the given
|
||
channel INSTANCE."
|
||
(channel-metadata-dependencies (channel-instance-metadata instance)))
|
||
|
||
(define (apply-patches checkout commit patches)
|
||
"Apply the matching PATCHES to CHECKOUT, modifying files in place. The
|
||
result is unspecified."
|
||
(let loop ((patches patches))
|
||
(match patches
|
||
(() #t)
|
||
((patch rest ...)
|
||
(when (applicable-patch? patch checkout commit)
|
||
(apply-patch patch checkout))
|
||
(loop rest)))))
|
||
|
||
(define commit-short-id
|
||
(compose (cut string-take <> 7) oid->string commit-id))
|
||
|
||
(define (verify-introductory-commit repository introduction keyring)
|
||
"Raise an exception if the first commit described in INTRODUCTION doesn't
|
||
have the expected signer."
|
||
(define commit-id
|
||
(channel-introduction-first-signed-commit introduction))
|
||
|
||
(define actual-signer
|
||
(openpgp-public-key-fingerprint
|
||
(commit-signing-key repository (string->oid commit-id)
|
||
keyring)))
|
||
|
||
(define expected-signer
|
||
(channel-introduction-first-commit-signer introduction))
|
||
|
||
(unless (bytevector=? expected-signer actual-signer)
|
||
(raise (condition
|
||
(&message
|
||
(message (format #f (G_ "initial commit ~a is signed by '~a' \
|
||
instead of '~a'")
|
||
commit-id
|
||
(openpgp-format-fingerprint actual-signer)
|
||
(openpgp-format-fingerprint expected-signer))))))))
|
||
|
||
(define* (authenticate-channel channel checkout commit
|
||
#:key (keyring-reference-prefix "origin/"))
|
||
"Authenticate the given COMMIT of CHANNEL, available at CHECKOUT, a
|
||
directory containing a CHANNEL checkout. Raise an error if authentication
|
||
fails."
|
||
;; XXX: Too bad we need to re-open CHECKOUT.
|
||
(with-repository checkout repository
|
||
(define start-commit
|
||
(commit-lookup repository
|
||
(string->oid
|
||
(channel-introduction-first-signed-commit
|
||
(channel-introduction channel)))))
|
||
|
||
(define end-commit
|
||
(commit-lookup repository (string->oid commit)))
|
||
|
||
(define cache-key
|
||
(string-append "channels/" (symbol->string (channel-name channel))))
|
||
|
||
(define keyring-reference
|
||
(channel-metadata-keyring-reference
|
||
(read-channel-metadata-from-source checkout)))
|
||
|
||
(define keyring
|
||
(load-keyring-from-reference repository
|
||
(string-append keyring-reference-prefix
|
||
keyring-reference)))
|
||
|
||
(define authenticated-commits
|
||
;; Previously-authenticated commits that don't need to be checked again.
|
||
(filter-map (lambda (id)
|
||
(false-if-exception
|
||
(commit-lookup repository (string->oid id))))
|
||
(previously-authenticated-commits cache-key)))
|
||
|
||
(define commits
|
||
;; Commits to authenticate, excluding the closure of
|
||
;; AUTHENTICATED-COMMITS.
|
||
(commit-difference end-commit start-commit
|
||
authenticated-commits))
|
||
|
||
(define reporter
|
||
(progress-reporter/bar (length commits)))
|
||
|
||
;; When COMMITS is empty, it's because END-COMMIT is in the closure of
|
||
;; START-COMMIT and/or AUTHENTICATED-COMMITS, in which case it's known to
|
||
;; be authentic already.
|
||
(unless (null? commits)
|
||
(format (current-error-port)
|
||
(G_ "Authenticating channel '~a', \
|
||
commits ~a to ~a (~h new commits)...~%")
|
||
(channel-name channel)
|
||
(commit-short-id start-commit)
|
||
(commit-short-id end-commit)
|
||
(length commits))
|
||
|
||
;; If it's our first time, verify CHANNEL's introductory commit.
|
||
(when (null? authenticated-commits)
|
||
(verify-introductory-commit repository
|
||
(channel-introduction channel)
|
||
keyring))
|
||
|
||
(call-with-progress-reporter reporter
|
||
(lambda (report)
|
||
(authenticate-commits repository commits
|
||
#:keyring keyring
|
||
#:report-progress report)))
|
||
|
||
(cache-authenticated-commit cache-key
|
||
(oid->string
|
||
(commit-id end-commit))))))
|
||
|
||
(define* (latest-channel-instance store channel
|
||
#:key (patches %patches)
|
||
starting-commit
|
||
(authenticate? #f)
|
||
(validate-pull
|
||
ensure-forward-channel-update))
|
||
"Return the latest channel instance for CHANNEL. When STARTING-COMMIT is
|
||
true, call VALIDATE-PULL with CHANNEL, STARTING-COMMIT, the target commit, and
|
||
their relation. When AUTHENTICATE? is false, CHANNEL is not authenticated."
|
||
(define (dot-git? file stat)
|
||
(and (string=? (basename file) ".git")
|
||
(eq? 'directory (stat:type stat))))
|
||
|
||
(let-values (((channel)
|
||
(ensure-default-introduction channel))
|
||
((checkout commit relation)
|
||
(update-cached-checkout (channel-url channel)
|
||
#:ref (channel-reference channel)
|
||
#:starting-commit starting-commit)))
|
||
(when relation
|
||
(validate-pull channel starting-commit commit relation))
|
||
|
||
(if authenticate?
|
||
(if (channel-introduction channel)
|
||
(authenticate-channel channel checkout commit)
|
||
;; TODO: Warn for all the channels once the authentication interface
|
||
;; is public.
|
||
(when (guix-channel? channel)
|
||
(raise (condition
|
||
(&message
|
||
(message (format #f (G_ "channel '~a' lacks an \
|
||
introduction and cannot be authenticated~%")
|
||
(channel-name channel))))
|
||
(&fix-hint
|
||
(hint (G_ "Add the missing introduction to your
|
||
channels file to address the issue. Alternatively, you can pass
|
||
@option{--disable-authentication}, at the risk of running unauthenticated and
|
||
thus potentially malicious code.")))))))
|
||
(warning (G_ "channel authentication disabled~%")))
|
||
|
||
(when (guix-channel? channel)
|
||
;; Apply the relevant subset of PATCHES directly in CHECKOUT. This is
|
||
;; safe to do because 'switch-to-ref' eventually does a hard reset.
|
||
(apply-patches checkout commit patches))
|
||
|
||
(let* ((name (url+commit->name (channel-url channel) commit))
|
||
(checkout (add-to-store store name #t "sha256" checkout
|
||
#:select? (negate dot-git?))))
|
||
(channel-instance channel commit checkout))))
|
||
|
||
(define (ensure-forward-channel-update channel start commit relation)
|
||
"Raise an error if RELATION is not 'ancestor, meaning that START is not an
|
||
ancestor of COMMIT, unless CHANNEL specifies a commit.
|
||
|
||
This procedure implements a channel update policy meant to be used as a
|
||
#:validate-pull argument."
|
||
(match relation
|
||
('ancestor #t)
|
||
('self #t)
|
||
(_
|
||
(raise (make-compound-condition
|
||
(condition
|
||
(&message (message
|
||
(format #f (G_ "\
|
||
aborting update of channel '~a' to commit ~a, which is not a descendant of ~a")
|
||
(channel-name channel)
|
||
commit start))))
|
||
|
||
;; If the user asked for a specific commit, they might want
|
||
;; that to happen nevertheless, so tell them about the
|
||
;; relevant 'guix pull' option.
|
||
(if (channel-commit channel)
|
||
(condition
|
||
(&fix-hint
|
||
(hint (G_ "Use @option{--allow-downgrades} to force
|
||
this downgrade."))))
|
||
(condition
|
||
(&fix-hint
|
||
(hint (G_ "This could indicate that the channel has
|
||
been tampered with and is trying to force a roll-back, preventing you from
|
||
getting the latest updates. If you think this is not the case, explicitly
|
||
allow non-forward updates."))))))))))
|
||
|
||
(define (channel-instance-primary-url instance)
|
||
"Return the primary URL advertised for INSTANCE, or #f if there is no such
|
||
information."
|
||
(channel-metadata-url (channel-instance-metadata instance)))
|
||
|
||
(define* (latest-channel-instances store channels
|
||
#:key
|
||
(current-channels '())
|
||
(authenticate? #t)
|
||
(validate-pull
|
||
ensure-forward-channel-update))
|
||
"Return a list of channel instances corresponding to the latest checkouts of
|
||
CHANNELS and the channels on which they depend.
|
||
|
||
When AUTHENTICATE? is true, authenticate the subset of CHANNELS that has a
|
||
\"channel introduction\".
|
||
|
||
CURRENT-CHANNELS is the list of currently used channels. It is compared
|
||
against the newly-fetched instances of CHANNELS, and VALIDATE-PULL is called
|
||
for each channel update and can choose to emit warnings or raise an error,
|
||
depending on the policy it implements."
|
||
;; Only process channels that are unique, or that are more specific than a
|
||
;; previous channel specification.
|
||
(define (ignore? channel others)
|
||
(member channel others
|
||
(lambda (a b)
|
||
(and (eq? (channel-name a) (channel-name b))
|
||
(or (channel-commit b)
|
||
(not (or (channel-commit a)
|
||
(channel-commit b))))))))
|
||
|
||
(define (current-commit name)
|
||
;; Return the current commit for channel NAME.
|
||
(any (lambda (channel)
|
||
(and (eq? (channel-name channel) name)
|
||
(channel-commit channel)))
|
||
current-channels))
|
||
|
||
(let loop ((channels channels)
|
||
(previous-channels '()))
|
||
;; Accumulate a list of instances. A list of processed channels is also
|
||
;; accumulated to decide on duplicate channel specifications.
|
||
(define-values (resulting-channels instances)
|
||
(fold2 (lambda (channel previous-channels instances)
|
||
(if (ignore? channel previous-channels)
|
||
(values previous-channels instances)
|
||
(begin
|
||
(format (current-error-port)
|
||
(G_ "Updating channel '~a' from Git repository at '~a'...~%")
|
||
(channel-name channel)
|
||
(channel-url channel))
|
||
(let* ((current (current-commit (channel-name channel)))
|
||
(instance
|
||
(latest-channel-instance store channel
|
||
#:authenticate?
|
||
authenticate?
|
||
#:validate-pull
|
||
validate-pull
|
||
#:starting-commit
|
||
current)))
|
||
(when authenticate?
|
||
;; CHANNEL is authenticated so we can trust the
|
||
;; primary URL advertised in its metadata and warn
|
||
;; about possibly stale mirrors.
|
||
(let ((primary-url (channel-instance-primary-url
|
||
instance)))
|
||
(unless (or (not primary-url)
|
||
(channel-commit channel)
|
||
(string=? primary-url (channel-url channel)))
|
||
(warning (G_ "pulled channel '~a' from a mirror \
|
||
of ~a, which might be stale~%")
|
||
(channel-name channel)
|
||
primary-url))))
|
||
|
||
(let-values (((new-instances new-channels)
|
||
(loop (channel-instance-dependencies instance)
|
||
previous-channels)))
|
||
(values (append (cons channel new-channels)
|
||
previous-channels)
|
||
(append (cons instance new-instances)
|
||
instances)))))))
|
||
previous-channels
|
||
'() ;instances
|
||
channels))
|
||
|
||
(let ((instance-name (compose channel-name channel-instance-channel)))
|
||
;; Remove all earlier channel specifications if they are followed by a
|
||
;; more specific one.
|
||
(values (delete-duplicates instances
|
||
(lambda (a b)
|
||
(eq? (instance-name a) (instance-name b))))
|
||
resulting-channels))))
|
||
|
||
(define* (checkout->channel-instance checkout
|
||
#:key commit
|
||
(url checkout) (name 'guix))
|
||
"Return a channel instance for CHECKOUT, which is assumed to be a checkout
|
||
of COMMIT at URL. Use NAME as the channel name."
|
||
(let* ((commit (or commit (make-string 40 #\0)))
|
||
(channel (channel (name name)
|
||
(commit commit)
|
||
(url url))))
|
||
(channel-instance channel commit checkout)))
|
||
|
||
(define %self-build-file
|
||
;; The file containing code to build Guix. This serves the same purpose as
|
||
;; a makefile, and, similarly, is intended to always keep this name.
|
||
"build-aux/build-self.scm")
|
||
|
||
(define %pull-version
|
||
;; This is the version of the 'guix pull' protocol. It specifies what's
|
||
;; expected from %SELF-BUILD-FILE. The initial version ("0") was when we'd
|
||
;; place a set of compiled Guile modules in ~/.config/guix/latest.
|
||
1)
|
||
|
||
(define (standard-module-derivation name source core dependencies)
|
||
"Return a derivation that builds with CORE, a Guix instance, the Scheme
|
||
modules in SOURCE and that depend on DEPENDENCIES, a list of lowerable
|
||
objects. The assumption is that SOURCE contains package modules to be added
|
||
to '%package-module-path'."
|
||
|
||
(let* ((metadata (read-channel-metadata-from-source source))
|
||
(directory (channel-metadata-directory metadata)))
|
||
|
||
(define build
|
||
;; This is code that we'll run in CORE, a Guix instance, with its own
|
||
;; modules and so on. That way, we make sure these modules are built for
|
||
;; the right Guile version, with the right dependencies, and that they get
|
||
;; to see the right (gnu packages …) modules.
|
||
(with-extensions dependencies
|
||
#~(begin
|
||
(use-modules (guix build compile)
|
||
(guix build utils)
|
||
(srfi srfi-26))
|
||
|
||
(define go
|
||
(string-append #$output "/lib/guile/" (effective-version)
|
||
"/site-ccache"))
|
||
(define scm
|
||
(string-append #$output "/share/guile/site/"
|
||
(effective-version)))
|
||
|
||
(let* ((subdir #$directory)
|
||
(source (string-append #$source subdir)))
|
||
(compile-files source go (find-files source "\\.scm$"))
|
||
(mkdir-p (dirname scm))
|
||
(symlink (string-append #$source subdir) scm))
|
||
|
||
scm)))
|
||
|
||
(gexp->derivation-in-inferior name build core)))
|
||
|
||
(define* (guile-for-source source #:optional (quirks %quirks))
|
||
"Return the Guile package to use when building SOURCE or #f if the default
|
||
'%guile-for-build' should be good enough."
|
||
(let loop ((quirks quirks))
|
||
(match quirks
|
||
(()
|
||
#f)
|
||
(((predicate . guile) rest ...)
|
||
(if (predicate source) (guile) (loop rest))))))
|
||
|
||
(define (call-with-guile guile thunk)
|
||
(lambda (store)
|
||
(values (parameterize ((%guile-for-build
|
||
(if guile
|
||
(package-derivation store guile)
|
||
(%guile-for-build))))
|
||
(run-with-store store (thunk)))
|
||
store)))
|
||
|
||
(define-syntax-rule (with-guile guile exp ...)
|
||
"Set GUILE as the '%guile-for-build' parameter for the dynamic extent of
|
||
EXP, a series of monadic expressions."
|
||
(call-with-guile guile (lambda ()
|
||
(mbegin %store-monad exp ...))))
|
||
|
||
(define (with-trivial-build-handler mvalue)
|
||
"Run MVALUE, a monadic value, with a \"trivial\" build handler installed
|
||
that unconditionally resumes the continuation."
|
||
(lambda (store)
|
||
(with-build-handler (lambda (continue . _)
|
||
(continue #t))
|
||
(values (run-with-store store mvalue)
|
||
store))))
|
||
|
||
(define* (build-from-source name source
|
||
#:key core verbose? commit
|
||
(dependencies '()))
|
||
"Return a derivation to build Guix from SOURCE, using the self-build script
|
||
contained therein; use COMMIT as the version string. When CORE is true, build
|
||
package modules under SOURCE using CORE, an instance of Guix."
|
||
;; Running the self-build script makes it easier to update the build
|
||
;; procedure: the self-build script of the Guix-to-be-installed contains the
|
||
;; right dependencies, build procedure, etc., which the Guix-in-use may not
|
||
;; be know.
|
||
(define script
|
||
(string-append source "/" %self-build-file))
|
||
|
||
(if (file-exists? script)
|
||
(let ((build (save-module-excursion
|
||
(lambda ()
|
||
;; Disable deprecation warnings; it's OK for SCRIPT to
|
||
;; use deprecated APIs and the user doesn't have to know
|
||
;; about it.
|
||
(parameterize ((guix-warning-port
|
||
(%make-void-port "w")))
|
||
(primitive-load script)))))
|
||
(guile (guile-for-source source)))
|
||
;; BUILD must be a monadic procedure of at least one argument: the
|
||
;; source tree.
|
||
;;
|
||
;; Note: BUILD can return #f if it does not support %PULL-VERSION. In
|
||
;; the future we'll fall back to a previous version of the protocol
|
||
;; when that happens.
|
||
(with-guile guile
|
||
;; BUILD is usually quite costly. Install a "trivial" build handler
|
||
;; so we don't bounce an outer build-accumulator handler that could
|
||
;; cause us to redo half of the BUILD computation several times just
|
||
;; to realize it gives the same result.
|
||
(with-trivial-build-handler
|
||
(build source #:verbose? verbose? #:version commit
|
||
#:pull-version %pull-version))))
|
||
|
||
;; Build a set of modules that extend Guix using the standard method.
|
||
(standard-module-derivation name source core dependencies)))
|
||
|
||
(define* (build-channel-instance instance
|
||
#:optional core (dependencies '()))
|
||
"Return, as a monadic value, the derivation for INSTANCE, a channel
|
||
instance. DEPENDENCIES is a list of extensions providing Guile modules that
|
||
INSTANCE depends on."
|
||
(build-from-source (symbol->string
|
||
(channel-name (channel-instance-channel instance)))
|
||
(channel-instance-checkout instance)
|
||
#:commit (channel-instance-commit instance)
|
||
#:core core
|
||
#:dependencies dependencies))
|
||
|
||
(define (resolve-dependencies instances)
|
||
"Return a procedure that, given one of the elements of INSTANCES, returns
|
||
list of instances it depends on."
|
||
(define channel-instance-name
|
||
(compose channel-name channel-instance-channel))
|
||
|
||
(define table ;map a name to an instance
|
||
(fold (lambda (instance table)
|
||
(vhash-consq (channel-instance-name instance)
|
||
instance table))
|
||
vlist-null
|
||
instances))
|
||
|
||
(define edges
|
||
(fold (lambda (instance edges)
|
||
(fold (lambda (channel edges)
|
||
(let ((name (channel-name channel)))
|
||
(match (vhash-assq name table)
|
||
((_ . target)
|
||
(vhash-consq instance target edges)))))
|
||
edges
|
||
(channel-instance-dependencies instance)))
|
||
vlist-null
|
||
instances))
|
||
|
||
(lambda (instance)
|
||
(vhash-foldq* cons '() instance edges)))
|
||
|
||
(define (channel-instance-derivations instances)
|
||
"Return the list of derivations to build INSTANCES, in the same order as
|
||
INSTANCES."
|
||
(define core-instance
|
||
;; The 'guix' channel is treated specially: it's an implicit dependency of
|
||
;; all the other channels.
|
||
(find (lambda (instance)
|
||
(guix-channel? (channel-instance-channel instance)))
|
||
instances))
|
||
|
||
(define edges
|
||
(resolve-dependencies instances))
|
||
|
||
(define (instance->derivation instance)
|
||
(mlet %store-monad ((system (current-system)))
|
||
(mcached (if (eq? instance core-instance)
|
||
(build-channel-instance instance)
|
||
(mlet %store-monad ((core (instance->derivation core-instance))
|
||
(deps (mapm %store-monad instance->derivation
|
||
(edges instance))))
|
||
(build-channel-instance instance core deps)))
|
||
instance
|
||
system)))
|
||
|
||
(unless core-instance
|
||
(let ((loc (and=> (any (compose channel-location channel-instance-channel)
|
||
instances)
|
||
source-properties->location)))
|
||
(raise (apply make-compound-condition
|
||
(condition
|
||
(&message (message "'guix' channel is lacking")))
|
||
(condition
|
||
(&fix-hint (hint (G_ "Make sure your list of channels
|
||
contains one channel named @code{guix} providing the core of Guix."))))
|
||
(if loc
|
||
(list (condition (&error-location (location loc))))
|
||
'())))))
|
||
|
||
(mapm %store-monad instance->derivation instances))
|
||
|
||
(define (whole-package-for-legacy name modules)
|
||
"Return a full-blown Guix package for MODULES, a derivation that builds Guix
|
||
modules in the old ~/.config/guix/latest style."
|
||
(define packages
|
||
(resolve-interface '(gnu packages guile)))
|
||
|
||
(define modules+compiled
|
||
;; Since MODULES contains both .scm and .go files at its root, re-bundle
|
||
;; it so that it has share/guile/site and lib/guile, which is what
|
||
;; 'whole-package' expects.
|
||
(computed-file (derivation-name modules)
|
||
(with-imported-modules '((guix build utils))
|
||
#~(begin
|
||
(use-modules (guix build utils))
|
||
|
||
(define version
|
||
(effective-version))
|
||
(define share
|
||
(string-append #$output "/share/guile/site"))
|
||
(define lib
|
||
(string-append #$output "/lib/guile/" version))
|
||
|
||
(mkdir-p share) (mkdir-p lib)
|
||
(symlink #$modules (string-append share "/" version))
|
||
(symlink #$modules (string-append lib "/site-ccache"))))))
|
||
|
||
(letrec-syntax ((list (syntax-rules (->)
|
||
((_)
|
||
'())
|
||
((_ (module -> variable) rest ...)
|
||
(cons (module-ref (resolve-interface
|
||
'(gnu packages module))
|
||
'variable)
|
||
(list rest ...)))
|
||
((_ variable rest ...)
|
||
(cons (module-ref packages 'variable)
|
||
(list rest ...))))))
|
||
(whole-package name modules+compiled
|
||
|
||
;; In the "old style", %SELF-BUILD-FILE would simply return a
|
||
;; derivation that builds modules. We have to infer what the
|
||
;; dependencies of these modules were.
|
||
(list guile-json-3 guile-git guile-bytestructures
|
||
(ssh -> guile-ssh) (tls -> gnutls)))))
|
||
|
||
(define (old-style-guix? drv)
|
||
"Return true if DRV corresponds to a ~/.config/guix/latest style of
|
||
derivation."
|
||
;; Here we rely on a gross historical fact: that derivations produced by the
|
||
;; "old style" (before commit 8a0d9bc8a3f153159d9e239a151c0fa98f1e12d8,
|
||
;; dated May 30, 2018) did not depend on "guix-command.drv".
|
||
(not (find (lambda (input)
|
||
(string=? "guix-command"
|
||
(derivation-name
|
||
(derivation-input-derivation input))))
|
||
(derivation-inputs drv))))
|
||
|
||
(define (channel-instances->manifest instances)
|
||
"Return a profile manifest with entries for all of INSTANCES, a list of
|
||
channel instances."
|
||
(define (instance->entry instance drv)
|
||
(let* ((commit (channel-instance-commit instance))
|
||
(channel (channel-instance-channel instance))
|
||
(intro (channel-introduction channel)))
|
||
(manifest-entry
|
||
(name (symbol->string (channel-name channel)))
|
||
(version (string-take commit 7))
|
||
(item (if (guix-channel? channel)
|
||
(if (old-style-guix? drv)
|
||
(whole-package-for-legacy (string-append name "-" version)
|
||
drv)
|
||
drv)
|
||
drv))
|
||
(properties
|
||
`((source (repository
|
||
(version 0)
|
||
(url ,(channel-url channel))
|
||
(branch ,(channel-branch channel))
|
||
(commit ,commit)
|
||
,@(if intro
|
||
`((introduction
|
||
(channel-introduction
|
||
(version 0)
|
||
(commit
|
||
,(channel-introduction-first-signed-commit
|
||
intro))
|
||
(signer
|
||
,(openpgp-format-fingerprint
|
||
(channel-introduction-first-commit-signer
|
||
intro))))))
|
||
'()))))))))
|
||
|
||
(mlet* %store-monad ((derivations (channel-instance-derivations instances))
|
||
(entries -> (map instance->entry instances derivations)))
|
||
(return (manifest entries))))
|
||
|
||
(define (package-cache-file manifest)
|
||
"Build a package cache file for the instance in MANIFEST. This is meant to
|
||
be used as a profile hook."
|
||
(let ((profile (profile (content manifest) (hooks '()))))
|
||
(define build
|
||
#~(begin
|
||
(use-modules (gnu packages))
|
||
|
||
(if (defined? 'generate-package-cache)
|
||
(begin
|
||
;; Delegate package cache generation to the inferior.
|
||
(format (current-error-port)
|
||
"Generating package cache for '~a'...~%"
|
||
#$profile)
|
||
(generate-package-cache #$output))
|
||
(mkdir #$output))))
|
||
|
||
(gexp->derivation-in-inferior "guix-package-cache" build
|
||
profile
|
||
|
||
;; If the Guix in PROFILE is too old and
|
||
;; lacks 'guix repl', don't build the cache
|
||
;; instead of failing.
|
||
#:silent-failure? #t
|
||
|
||
#:properties '((type . profile-hook)
|
||
(hook . package-cache))
|
||
#:local-build? #t)))
|
||
|
||
(define %channel-profile-hooks
|
||
;; The default channel profile hooks.
|
||
(cons package-cache-file %default-profile-hooks))
|
||
|
||
(define (channel-instances->derivation instances)
|
||
"Return the derivation of the profile containing INSTANCES, a list of
|
||
channel instances."
|
||
(mlet %store-monad ((manifest (channel-instances->manifest instances)))
|
||
(profile-derivation manifest
|
||
#:hooks %channel-profile-hooks)))
|
||
|
||
(define latest-channel-instances*
|
||
(store-lift latest-channel-instances))
|
||
|
||
(define* (latest-channel-derivation #:optional (channels %default-channels)
|
||
#:key
|
||
(current-channels '())
|
||
(validate-pull
|
||
ensure-forward-channel-update))
|
||
"Return as a monadic value the derivation that builds the profile for the
|
||
latest instances of CHANNELS. CURRENT-CHANNELS and VALIDATE-PULL are passed
|
||
to 'latest-channel-instances'."
|
||
(mlet %store-monad ((instances
|
||
(latest-channel-instances* channels
|
||
#:current-channels
|
||
current-channels
|
||
#:validate-pull
|
||
validate-pull)))
|
||
(channel-instances->derivation instances)))
|
||
|
||
(define (profile-channels profile)
|
||
"Return the list of channels corresponding to entries in PROFILE. If
|
||
PROFILE is not a profile created by 'guix pull', return the empty list."
|
||
(filter-map (lambda (entry)
|
||
(match (assq 'source (manifest-entry-properties entry))
|
||
(('source ('repository ('version 0)
|
||
('url url)
|
||
('branch branch)
|
||
('commit commit)
|
||
rest ...))
|
||
(channel (name (string->symbol
|
||
(manifest-entry-name entry)))
|
||
(url url)
|
||
(commit commit)
|
||
(introduction
|
||
(match (assq 'introduction rest)
|
||
(#f #f)
|
||
(('introduction intro)
|
||
(sexp->channel-introduction intro))))))
|
||
|
||
;; No channel information for this manifest entry.
|
||
;; XXX: Pre-0.15.0 Guix did not provide that information,
|
||
;; but there's not much we can do in that case.
|
||
(_ #f)))
|
||
|
||
;; Show most recently installed packages last.
|
||
(reverse
|
||
(manifest-entries (profile-manifest profile)))))
|
||
|
||
|
||
;;;
|
||
;;; News.
|
||
;;;
|
||
|
||
;; Channel news.
|
||
(define-record-type <channel-news>
|
||
(channel-news entries)
|
||
channel-news?
|
||
(entries channel-news-entries)) ;list of <channel-news-entry>
|
||
|
||
;; News entry, associated with a specific commit of the channel.
|
||
(define-record-type <channel-news-entry>
|
||
(channel-news-entry commit tag title body)
|
||
channel-news-entry?
|
||
(commit channel-news-entry-commit) ;hex string | #f
|
||
(tag channel-news-entry-tag) ;#f | string
|
||
(title channel-news-entry-title) ;list of language tag/string pairs
|
||
(body channel-news-entry-body)) ;list of language tag/string pairs
|
||
|
||
(define (sexp->channel-news-entry entry)
|
||
"Return the <channel-news-entry> record corresponding to ENTRY, an sexp."
|
||
(define (pair language message)
|
||
(cons (symbol->string language) message))
|
||
|
||
(match entry
|
||
(('entry ((and (or 'commit 'tag) type) commit-or-tag)
|
||
('title ((? symbol? title-tags) (? string? titles)) ...)
|
||
('body ((? symbol? body-tags) (? string? bodies)) ...)
|
||
_ ...)
|
||
(channel-news-entry (and (eq? type 'commit) commit-or-tag)
|
||
(and (eq? type 'tag) commit-or-tag)
|
||
(map pair title-tags titles)
|
||
(map pair body-tags bodies)))
|
||
(_
|
||
(raise (condition
|
||
(&message (message "invalid channel news entry"))
|
||
(&error-location
|
||
(location (source-properties->location
|
||
(source-properties entry)))))))))
|
||
|
||
(define (read-channel-news port)
|
||
"Read a channel news feed from PORT and return it as a <channel-news>
|
||
record."
|
||
(match (false-if-exception (read port))
|
||
(('channel-news ('version 0) entries ...)
|
||
(channel-news (map sexp->channel-news-entry entries)))
|
||
(('channel-news ('version version) _ ...)
|
||
;; This is an unsupported version from the future. There's nothing wrong
|
||
;; with that (the user may simply need to upgrade the 'guix' channel to
|
||
;; be able to read it), so silently ignore it.
|
||
(channel-news '()))
|
||
(#f
|
||
(raise (condition
|
||
(&message (message "syntactically invalid channel news file")))))
|
||
(sexp
|
||
(raise (condition
|
||
(&message (message "invalid channel news file"))
|
||
(&error-location
|
||
(location (source-properties->location
|
||
(source-properties sexp)))))))))
|
||
|
||
(define (resolve-channel-news-entry-tag repository entry)
|
||
"If ENTRY has its 'commit' field set, return ENTRY. Otherwise, lookup
|
||
ENTRY's 'tag' in REPOSITORY and return ENTRY with its 'commit' field set to
|
||
the field its 'tag' refers to. A 'git-error' exception is raised if the tag
|
||
cannot be found."
|
||
(if (channel-news-entry-commit entry)
|
||
entry
|
||
(let* ((tag (channel-news-entry-tag entry))
|
||
(reference (string-append "refs/tags/" tag))
|
||
(oid (reference-name->oid repository reference)))
|
||
(channel-news-entry (oid->string oid) tag
|
||
(channel-news-entry-title entry)
|
||
(channel-news-entry-body entry)))))
|
||
|
||
(define* (channel-news-for-commit channel new #:optional old)
|
||
"Return a list of <channel-news-entry> for CHANNEL between commits OLD and
|
||
NEW. When OLD is omitted or is #f, return all the news entries of CHANNEL."
|
||
(catch 'git-error
|
||
(lambda ()
|
||
(let* ((checkout (update-cached-checkout (channel-url channel)
|
||
#:ref `(commit . ,new)))
|
||
(metadata (read-channel-metadata-from-source checkout))
|
||
(news-file (channel-metadata-news-file metadata))
|
||
(news-file (and news-file
|
||
(string-append checkout "/" news-file))))
|
||
(if (and news-file (file-exists? news-file))
|
||
(with-repository checkout repository
|
||
(let* ((news (call-with-input-file news-file
|
||
read-channel-news))
|
||
(entries (map (lambda (entry)
|
||
(resolve-channel-news-entry-tag repository
|
||
entry))
|
||
(channel-news-entries news))))
|
||
(if old
|
||
(let* ((new (commit-lookup repository (string->oid new)))
|
||
(old (commit-lookup repository (string->oid old)))
|
||
(commits (list->set
|
||
(map (compose oid->string commit-id)
|
||
(commit-difference new old)))))
|
||
(filter (lambda (entry)
|
||
(set-contains? commits
|
||
(channel-news-entry-commit entry)))
|
||
entries))
|
||
entries)))
|
||
'())))
|
||
(lambda (key error . rest)
|
||
;; If commit NEW or commit OLD cannot be found, then something must be
|
||
;; wrong (for example, the history of CHANNEL was rewritten and these
|
||
;; commits no longer exist upstream), so quietly return the empty list.
|
||
(if (= GIT_ENOTFOUND (git-error-code error))
|
||
'()
|
||
(apply throw key error rest)))))
|
||
|
||
;;; Local Variables:
|
||
;;; eval: (put 'with-guile 'scheme-indent-function 1)
|
||
;;; End:
|