Hi folks! I’ve created Guix packages for summon and summon-conjur and I’m ready to submit them upstream. But before I do, I wanted to give the community an opportunity to review the packages and offer any criticism or suggestions for improvement first.
Rationale
Once these packages are available upstream, a Guix user on any Linux distro will be able to install both tools by typing guix install summon summon-conjur. Or, they can create a nice environment for hacking on them, with all their build dependencies downloaded & ready to go, by typing guix environment summon summon-conjur.
Package definitions
The package definitions are here: https://github.com/ryanprior/guix-packages/blob/master/testing/summon.scm
You’ll find definitions for:
- summon & summon-conjur
- conjur-api-go
- other dependencies that weren’t included in Guix yet, so I added them as part of the same effort
Testing
Guix runs the tests provided with the packages as part of the build process and fails the build when the tests fail, so users can feel fairly certain they are getting a result that works properly. I’ve disabled the tests for conjur-api-go because they appear to require a running Conjur server, which makes sense for API tests. But, to facilitate deterministic and reproducible builds, Guix sandboxes the build and test environments so they don’t have any network connectivity. All the rest of the tests are run and pass.
To demonstrate this for yourself, follow these steps:
- install Guix as per these instructions
- guix pull (to pull the latest version of the dependencies)
- git clone https://github.com/ryanprior/guix-packages.git
- guix build -L./guix-packages summon summon-conjur
- guix environment -L./guix-packages --ad-hoc summon summon-conjur (this starts a new subshell)
- summon -h; summon-conjur -h
Package descriptions
Part of the packaging process is writing useful descriptions to help people find them. Here are the ones I wrote, taking from readmes and homepages where I could:
| | summon | summon-conjur |
|---|---|---|
| synopsis | Fetches secrets and makes them available to a process | Fetches secrets from a Conjur service |
| description | Summon fetches secrets using a provider program and a configuration file, then launches a subprocess with access to those secrets via its environment or a memory-mapped temporary file. When the subprocess exits, it removes the secrets. | The summon-conjur utility fetches a secret from Conjur, printing it to stdout. |
Updating packages
Guix doesn’t have designated package maintainers, so any community member can submit updates to packages. To make it easier to find updateable packages, Guix provides the refresh command which scans for updates.
To find out whether summon and summon-conjur packages are up to date, I can run:
ryan@swallowtail$ guix refresh summon summon-conjur go-github.com-cyberark-conjur-api
gnu/packages/golang.scm:5757:13: 0.6.0 is already the latest version of go-github.com-cyberark-conjur-api
gnu/packages/cybersecurity.scm:54:13: 0.5.3 is already the latest version of summon-conjur
gnu/packages/cybersecurity.scm:90:13: 0.8.2 is already the latest version of summon
If you want to update the package version, you follow these steps:
- clone the Guix repository
- run guix refresh as above, which prints the file names and line numbers of the package definitions in Guix
- edit the package definition’s “version” string to reflect the new updated version number
- clone the package repo and check out the tag corresponding to the new version, e.g. git clone -b v0.8.2 https://github.com/cyberark/summon.git /tmp/summon
- hash the repo, e.g. guix hash -rx /tmp/summon
- replace the hash string in the package definition with the new hash
- commit your changes
- run git format-patch master to create a patch file for your update
- send the patch file to guix-patches@gnu.org
Of course, I’ll be around to help out with this process, so you can always ping me if you’re just putting a release out and I can handle the package update or walk somebody through the process.
Post your questions and feedback!
Please share your questions, ideas, or other feedback with me so I can make sure we have great high-quality packages in Guix. Thank you!
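
The update steps above change two things in a package definition: the version string and the source hash. As an added example (not from the post or the Guix project), this shell function checks a git format-patch file for both changes before it is mailed. The package name "example", its versions and the all-zero hashes are constructed placeholders, and the check assumes the hash is the 52-character nix-base32 sha256 string that guix hash prints by default.

```shell
#!/bin/sh
# Added example: check a version-bump patch before mailing it.
# Assumption: the definition uses (version "...") and a quoted sha256
# string in nix-base32, the default output format of `guix hash`.
export LC_ALL=C

# Changed lines of one sign (+ or -), skipping the ---/+++ file headers.
changed() { grep -E "^[$1][^$1]" "$2"; }

version_of() { changed "$1" "$2" | sed -n 's/.*(version "\([^"]*\)").*/\1/p' | head -n 1; }
hash_of()    { changed "$1" "$2" | sed -n 's/.*"\([0-9a-z]\{32,\}\)".*/\1/p' | head -n 1; }

# nix-base32 sha256: 52 characters, alphabet omits e, o, t and u.
valid_hash() { printf '%s' "$1" | grep -Eq '^[0-9a-df-np-sv-z]{52}$'; }

# 0 = ok, 1 = hash not updated, 2 = no version change, 3 = malformed hash
check_bump() {
    old_v=$(version_of - "$1"); new_v=$(version_of + "$1")
    old_h=$(hash_of - "$1");    new_h=$(hash_of + "$1")
    if [ -z "$new_v" ] || [ "$new_v" = "$old_v" ]; then
        echo "no version change in patch"; return 2
    fi
    if [ -z "$new_h" ] || [ "$new_h" = "$old_h" ]; then
        echo "version $old_v -> $new_v but source hash unchanged"; return 1
    fi
    valid_hash "$new_h" || { echo "new hash is not nix-base32 sha256"; return 3; }
    echo "ok: $old_v -> $new_v with new source hash"
}

# Constructed sample patch for a hypothetical package "example".
# $1 = new hash; empty means the hash lines are absent from the patch.
OLD_HASH=$(printf '%052d' 0)   # placeholder, not a real hash
sample_patch() {
    printf '%s\n' '--- a/example.scm' '+++ b/example.scm' '@@ -3,8 +3,8 @@' \
        '     (name "example")' '-    (version "1.0.0")' '+    (version "1.0.1")'
    [ -z "$1" ] || printf '%s\n' "-         \"$OLD_HASH\"))" "+         \"$1\"))"
}
```

Run it as check_bump 0001-your-update.patch; exit status 3 typically means a hex digest was pasted instead of the guix hash output.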