Freddy Rietdijk <freddyrietd...@fridh.nl> writes:

> Hi,
>
> At several places in Nixpkgs we use auto-generated data, mostly for the
> larger package sets like Haskell. Sometimes we also use auto-generated sets
> for applications that may need different versions than are offered in the
> main package sets. In the past months several issues/PR's have been opened
> to add rather large Python applications to Nixpkgs, generated using
> `pypi2nix`.
>
> Using such a tool to generate the expressions has some very big advantages.
> However, there's also a disadvantage. The expressions shouldn't only be
> updated when there's a new release of the application, but also whenever
> there's security updates in any of its generated dependencies, which the
> application maintainer now has to keep track of. Therefore, I find it quite
> a risk to have separate package sets. At the same time, we'll also likely
> run behind in the main package sets every once in a while.

Regarding the security updates, if we are able to know which versions of
libraries are used in the `pythonPackage` set and in all 'application
pythonPackage sets', in case of a CVE on a particular package version,
we could know which applications are impacted. We then have to fix them
or mark them as broken.
I don't really know how hard it is to get all Python module versions
used by applications, and whether this would be feasible.

> What do you think of this issue? Any suggestions how we can improve this?
> Maybe we could have a server/bot that runs update scripts and opens a PR
> whenever there's an actual diff?
>
> Freddy
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> https://mailman.science.uu.nl/mailman/listinfo/nix-dev

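The approach sketched in the reply above, cross-checking the module versions that each package set ships against a security advisory to find the impacted applications, written out as an added Python example. This is not code from the thread or from Nixpkgs: the manifests, the advisory identifiers and the affected-version ranges are constructed sample data, and the step that would produce a manifest from a real package set (evaluating it with `nix-instantiate --eval --json`, for instance) is assumed rather than shown.

```python
"""Report which Nix package sets ship a module version covered by an
advisory.  Added example, not from the nix-dev thread or Nixpkgs; all
data below is constructed."""

import re
from typing import Dict, List, Tuple

# Constructed sample manifests: one per package set, module -> version.
# In practice each would be produced by evaluating the set (assumed here).
MANIFESTS: Dict[str, Dict[str, str]] = {
    "pythonPackages": {"requests": "2.20.0", "urllib3": "1.24.1", "jinja2": "2.10"},
    "app-foo": {"requests": "2.18.4", "urllib3": "1.22"},  # hypothetical pypi2nix set
    "app-bar": {"requests": "2.20.0", "urllib3": "1.23", "jinja2": "2.9.6"},
}

# Constructed advisories: (module, affected-version specifier, identifier).
# The identifiers are placeholders, not real CVE numbers.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("urllib3", "<1.23", "EXAMPLE-ADVISORY-1"),
    ("jinja2", ">=2.0,<2.10", "EXAMPLE-ADVISORY-2"),
]

OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
    "!=": lambda c: c != 0,
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.1' into (2, 10, 1); a segment with no leading digits counts as 0.
    Deliberately simple: it covers dotted numeric versions, not full PEP 440."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way compare after right-padding with zeros, so 2.10 == 2.10.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def matches(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause of spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([0-9][0-9A-Za-z.]*)\s*", clause)
        if not m:
            raise ValueError(f"bad specifier clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](compare(v, parse_version(bound))):
            return False
    return True


def impacted(manifests, advisories):
    """Map advisory id -> [(set_name, module, version)] for every package set
    that ships an affected version of the module."""
    out = {}
    for module, spec, adv_id in advisories:
        hits = []
        for set_name, modules in manifests.items():
            ver = modules.get(module)
            if ver is not None and matches(ver, spec):
                hits.append((set_name, module, ver))
        out[adv_id] = hits
    return out


if __name__ == "__main__":
    for adv_id, hits in impacted(MANIFESTS, ADVISORIES).items():
        if not hits:
            print(f"{adv_id}: no package set affected")
        for set_name, module, ver in hits:
            # These sets are the candidates to update or mark as broken.
            print(f"{adv_id}: {set_name} ships {module} {ver}")
```

The output is one line per affected set, which is the list of applications that would need an update or a `meta.broken` mark; sets that already carry a fixed version (here `pythonPackages` for both advisories) are not reported.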