bug#39263: [PATCH 2/2] gnu: godot: Unbundle some dependencies.

[Christopher Baines]

Timotej Lazar <address@hidden> writes:

> Thanks for the feedback! I am sending updated patches after this reply.
>
> Christopher Baines <address@hidden> [2020-01-25 09:16:08+0000]:
>> I did have a look if the package builds with the mbedtls-apache
>> package, rather than using the included source code, and it looks to.
>> Although I'm aware that [1] says there are modifications.
>
> The two Godot patches for mbedtls don’t seem to be relevant to Guix, so
> I replaced the bundled copy with the mbedtls-apache package. I don’t
> have a use case to test this, but the minimal example from the
> HTTPRequest tutorial seems to work OK with an HTTPS URI.

Wonderful :)

> Christopher Baines <address@hidden> [2020-01-25 09:18:33+0000]:
>> One thought I had here is that it would be more rigorous to have a list
>> of directories that are kept, and anything not on the list is deleted.
>> That way it's harder for new thirdparty dependencies to sneak in.
>
> Makes sense. As you suggest, I flipped the logic for removing thirdparty
> files: whitelist preserved files and remove everything else. The snippet
> can only preserve direct children of the thirdparty/ directory, which
> keeps it simple but perhaps not flexible enough in the long run.

Great, this looks really useful.

> Do we generally prefer whitelisting bundled files? Most packages I have
> seen (and written) do the opposite and list the files to remove. Maybe
> we could add a guideline somewhere? Or point me to the one I missed. :)

I don't know if it's written down somewhere, all I can say is it
occurred to me when looking at the package definition.

I've pushed the 3 latest patches you sent to master, so they're included
in 18f8e935e85a99d5c284c0a6b719351a402ada21.

Thanks,

Chris

signature.asc
Description: PGP signature