summaryrefslogtreecommitdiff
path: root/issues/binderlite/finds-unknown-package-in-manifest.gmi
blob: cf1d25b9c1bd91f4cf1c55416cf814016ad225a0 (about) (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# When binderlite finds an unkown package in a guix manifest

What do we do if binderlite finds a package that is not in upstream guix in a 
manifest?

This is what it currently does:

```
guix environment: error: guile-pipe: unknown package
guix environment: error: failed to load '/tmp/notebooks/jgarte/guile-notebook-genenetwork-api/guix.scm':
gnu/packages.scm:543:4: In procedure specification->package+output:
Throw to key `quit' with args `(1)'.
```
Should we send the user to a 404 Package not Found page and tell them to package 
it and submit a patch to upstream before using it in a binderlite container?

=> https://github.com/jgarte/guile-notebook-genenetwork-api/blob/master/guix.scm manifest attempted from

=> https://github.com/joshwalters/guile-pipe the unkown package

## Open questions/Ideas

Should binderlite support building containers with packages from third party 
Guix Channels or only packages trusted from upstream?

If yes, how should binderlite users specify/request a channel to subscribe to?

Or, should channels be managed by the sysadmin only for security reasons?

It's probably a security risk since a guix channel can pull in arbitrary 
packaged code that might not be audited or fully trusted.

## Tags

* type: bug
* assigned: jgart
* status: unclear
* keywords: binderlite, notebooks
* priority: high