Hi folks! I’ve created Guix packages for summon-conjur and I’m ready to submit them upstream. But before I do, I wanted to give the community an opportunity to review the packages and offer any criticism or suggestions for improvement first.
Once these packages are available upstream, a Guix user on any Linux distro will be able to install both tools by typing `guix install summon summon-conjur`. Or, they can create a nice environment for hacking on them, with all their build dependencies downloaded & ready to go, by typing `guix environment summon summon-conjur`.
The package definitions are here: https://github.com/ryanprior/guix-packages/blob/master/testing/summon.scm
You’ll find definitions for:
- summon & summon-conjur
- other dependencies that weren’t included in Guix yet, so I added them as part of the same effort
Guix runs the tests provided with the packages as part of the build process and fails the build when the tests fail, so users can feel fairly certain they are getting a result that works properly. I’ve disabled the tests for `conjur-api-go` because they appear to require a running Conjur server, which makes sense for API tests. But, to facilitate deterministic and reproducible builds, Guix sandboxes the build and test environments so they don’t have any network connectivity. All the rest of the tests are run and pass.
To demonstrate this for yourself, follow these steps:
- install Guix as per these instructions
- `guix pull` to pull the latest version of the dependencies
- `git clone https://github.com/ryanprior/guix-packages.git`
- `guix build -L./guix-packages summon summon-conjur`
- `guix environment -L./guix-packages --ad-hoc summon summon-conjur` (this starts a new subshell)
- `summon -h; summon-conjur -h`
Part of the packaging process is writing useful descriptions to help people find them. Here are the ones I wrote, taking from readmes and homepages where I could:
| | summon | summon-conjur |
|---|---|---|
| synopsis | Fetches secrets and makes them available to a process | Fetches secrets from a Conjur service |
| description | Summon fetches secrets using a provider program and a configuration file, then launches a subprocess with access to those secrets via its environment or a memory-mapped temporary file. When the subprocess exits, it removes the secrets. | The summon-conjur utility fetches a secret from Conjur, printing it to stdout. |

Guix doesn’t have designated package maintainers, so any community member can submit updates to packages. To make it easier to find updateable packages, Guix provides the `refresh` command which scans for updates.
To find out whether summon-conjur packages are up to date, I can run:

```
ryan@swallowtail$ guix refresh summon summon-conjur go-github.com-cyberark-conjur-api
gnu/packages/golang.scm:5757:13: 0.6.0 is already the latest version of go-github.com-cyberark-conjur-api
gnu/packages/cybersecurity.scm:54:13: 0.5.3 is already the latest version of summon-conjur
gnu/packages/cybersecurity.scm:90:13: 0.8.2 is already the latest version of summon
```
If you want to update the package version, you follow these steps:
- clone the Guix repository
- `guix refresh` as above, which prints the file names and line numbers of the package definitions in Guix.
- edit the package definition’s “version” string to reflect the new updated version number
- clone the package repo and check out the tag corresponding to the new version, e.g. `git clone -b v0.8.2 https://github.com/cyberark/summon.git /tmp/summon`
- hash the repo, e.g. `guix hash -rx /tmp/summon`
- replace the hash string in the package definition with the new hash
- commit your changes
- `git format-patch master` to create a patch file for your update
- send the patch file to email@example.com
Of course, I’ll be around to help out with this process, so you can always ping me if you’re just putting a release out and I can handle the package update or walk somebody through the process.
Post your questions and feedback!
Please share your questions, ideas, or other feedback with me so I can make sure we have great high-quality packages in Guix. Thank you!
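
The hash produced in the "hash the repo" step above is what pins the source that every later build must match. The following is an added example, not part of the original post and not Guix's own code: a Python reimplementation of what `guix hash -rx` computes (SHA-256 over the NAR serialisation of the checkout, printed in nix-base32), so a reviewer can check a pin independently. The function names and the exact set of excluded VCS names are assumptions, and files are read whole into memory.

```python
import hashlib, os, stat, struct

NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"   # nix-base32 alphabet (no e, o, t, u)
VCS_NAMES = {b".git", b".hg", b".svn", b".bzr", b"CVS"}  # assumed -x exclusion set

def nar_str(data: bytes) -> bytes:
    """NAR string: 64-bit little-endian length, the bytes, zero padding to 8."""
    return struct.pack("<Q", len(data)) + data + b"\0" * (-len(data) % 8)

def nar_node(path: bytes, exclude_vcs: bool):
    """Yield the NAR serialisation of one file, symlink or directory."""
    mode = os.lstat(path).st_mode
    yield nar_str(b"(") + nar_str(b"type")
    if stat.S_ISLNK(mode):
        yield nar_str(b"symlink") + nar_str(b"target") + nar_str(os.readlink(path))
    elif stat.S_ISDIR(mode):
        yield nar_str(b"directory")
        for name in sorted(os.listdir(path)):  # byte-wise order, as NAR requires
            if exclude_vcs and name in VCS_NAMES:
                continue  # VCS metadata differs per clone, so it is not hashed
            yield b"".join(map(nar_str, (b"entry", b"(", b"name", name, b"node")))
            yield from nar_node(os.path.join(path, name), exclude_vcs)
            yield nar_str(b")")
    elif stat.S_ISREG(mode):
        yield nar_str(b"regular")
        if mode & stat.S_IXUSR:  # only the executable bit is recorded
            yield nar_str(b"executable") + nar_str(b"")
        with open(path, "rb") as fh:
            yield nar_str(b"contents") + nar_str(fh.read())
    else:
        raise ValueError(f"unsupported file type: {path!r}")
    yield nar_str(b")")

def nix_base32(digest: bytes) -> str:
    """Encode a digest the way Guix prints it (5 bits per char, last bits first)."""
    chars = []
    for n in range((len(digest) * 8 - 1) // 5, -1, -1):
        i, j = divmod(n * 5, 8)
        high = digest[i + 1] << (8 - j) if i + 1 < len(digest) else 0
        chars.append(NIX_B32[((digest[i] >> j) | high) & 0x1F])
    return "".join(chars)

def source_hash(directory: str, exclude_vcs: bool = True) -> str:
    """SHA-256 over the NAR of `directory`, printed in nix-base32."""
    h = hashlib.sha256(nar_str(b"nix-archive-1"))
    for chunk in nar_node(os.fsencode(directory), exclude_vcs):
        h.update(chunk)
    return nix_base32(h.digest())

def pin_matches(directory: str, pinned: str) -> bool:
    """True if the checkout still matches the hash in the package definition."""
    return source_hash(directory) == pinned
```

Because timestamps, ownership and VCS metadata are not part of the serialisation, two clean checkouts of the same tag give the same string, and any change to file contents, names or the executable bit gives a different one.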