From 216df4326b42db5f940647b8843711a8ed244536 Mon Sep 17 00:00:00 2001 From: jgart Date: Fri, 1 Oct 2021 03:49:59 -0400 Subject: What to do when binderlite finds an unknown package in a manifest Unknown means not coming from upstream but from a channel. Should we support subscription to channels for binderlite containers? --- .../finds-unknown-package-in-manifest.gmi | 33 ++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 issues/binderlite/finds-unknown-package-in-manifest.gmi diff --git a/issues/binderlite/finds-unknown-package-in-manifest.gmi b/issues/binderlite/finds-unknown-package-in-manifest.gmi new file mode 100644 index 0000000..1bcba39 --- /dev/null +++ b/issues/binderlite/finds-unknown-package-in-manifest.gmi @@ -0,0 +1,33 @@ +# When binderlite finds an unkown package in a guix manifest + +What do we do if binderlite finds a package that is not in upstream guix in a +manifest? + +This is what it currently does: + +``` +guix environment: error: guile-pipe: unknown package +guix environment: error: failed to load '/tmp/notebooks/jgarte/guile-notebook-genenetwork-api/guix.scm': +gnu/packages.scm:543:4: In procedure specification->package+output: +Throw to key `quit' with args `(1)'. +``` +Should we send the user to a 404 Package not Found page and tell them to package +it and submit a patch to upstream before using it in a binderlite container? + +=> https://github.com/jgarte/guile-notebook-genenetwork-api/blob/master/guix.scm manifest attempted from + +=> https://github.com/joshwalters/guile-pipe the unkown package + +## Open questions/Ideas + +Should binderlite support building containers with packages from third party +Guix Channels or only packages trusted from upstream? + +If yes, how should binderlite users specify/request a channel to subscribe to? + +Or, should channels be managed by the sysadmin only for security reasons? + +It's probably a security risk since a guix channel can pull in arbitrary +packaged code that might not be audited or fully trusted. + +* bug -- cgit v1.2.3