mailpile: 0.4.1 -> 0.5.2 #23058
@spinus, thanks for your PR! By analyzing the history of the files in this pull request, we identified @domenkozar, @matejc and @dezgeg to be potential reviewers.
I have a problem with upgrading this package, I can't build it properly. There are no issues when I run "python setup.py bdist_wheel" manually outside of the nixpkgs tree. Maybe someone knows what the issue could be and what a potential solution is?
@@ -2,12 +2,12 @@ | |||
|
|||
python2Packages.buildPythonApplication rec { | |||
name = "mailpile-${version}"; | |||
version = "0.4.1"; | |||
version = "0.5.2"; | |||
|
|||
src = fetchgit { |
this should be upgraded to fetchFromGithub.
The repo uses git submodules which aren't included in the Github tarball.
hmm, I moved to fetchFromGitHub but it still building, I'll try to verify later if it's working
Build is fixed now, but the released pre-release is still too old. At least gpg integration did not work for me.
@Mic92 thank you for fixing it, I'll try to work on it.
rev = "refs/tags/${version}"; | ||
sha256 = "118b5zwfwmzj38p0mkj3r1s09jxg8x38y0a42b21imzpmli5vpb5"; | ||
sha256 = "1d2b776x9134sv67pylfkvf1dd4vs5pvgrngpmshrsjgsib13dx5"; | ||
}; | ||
|
||
patchPhase = '' |
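Review bot: rev = "refs/tags/${version}" in the fetchgit block points at a tag name, which upstream can move or re-create. The sha256 on the following line still pins the content, so a moved tag shows up as a hash mismatch at fetch time rather than as silently different source, but the expression does not record which commit was actually reviewed. Consider setting rev to the full commit id the tag resolves to and noting the tag in a comment.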
I think it's better to have postPatch here. That way one can still pass in patches.
done
it looks like this package was not released for a long time, I just used master for now. Any ideas if we should keep latest officially released one or stick with master? (maybe we should have 0.5.2 and master as unstable package)
Yes.
@spinus if this is required to get gpg working, I am ok with that. Also mailpile is still in early development.
I wrote to mailpile developers to ask about little clarification on that, here is what I've got:
So the question is, should we remove mailpile from nixos as it's not ready yet, or we want to keep it anyway (in this case I assume we should clearly communicate that this software is not ready to be used "in production"). What do you think, people?
Simple, remove it, the maintainer is very clear about it...
Can we get a list of these known vulnerabilities, then:
I don't have a curated list of vulnerabilities; I have a bug tracker full of open and closed issues, some of which almost certainly have a security impact.
Basically, you've now demonstrated exactly why I'm asking this not be packaged. We don't have the stability, processes or resources to support that. It should never have been packaged in the first place. The only "consolation" is that those old releases were so buggy that I'd be amazed if anyone ever managed to use them for anything of import.
I've marked it as broken in our stable distribution: 8605d31 as we can't remove it from that. I marked it as insecure on next-stable (17.03, 85b47bb) and unstable (6111f6a) just in case the removal doesn't happen. Removing it is a bit tricky due to the service, but would happily merge a PR doing that.
|
||
python2Packages.buildPythonApplication rec { | ||
name = "mailpile-${version}"; | ||
version = "0.4.1"; | ||
version = "0.5.x-git-master-20170301"; |
pname = "mailpile";
version = "unstable-2017-03-01";
name = "${pname}-${version}";
I've mentioned one more improvement in case one does want to get it in. Merging this upgrade I don't mind now that it is marked as insecure.
ok, as mailpile is marked as insecure and there is advice not to releases for anything below 1.0 I assume we can close that |
Adaptation of NixOS#23058 by @spinus to 1.0.0rc1. See NixOS#23058 and NixOS#28111 for discussion. This patch keeps the warnings. But I think it is useful to have a sanely working version in nixpkgs, even if it is still considered insecure, just to follow the upstream development by actually running it instead of reading the log.
Motivation for this change
New version of mailpile is out, current version is waaaay too old.
Things done
(nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/)