Fetching a channel set over HTTP

[Ludovic Courtès]

Hello Guix!

My colleague Emmanuel Agullo came up with an interesting use case and
suggestion that we got around to play with.  If you paste the following
snippet as ~/.config/guix/channels.scm:

--8<---------------cut here---------------start------------->8---
(use-modules (guix http-client)
             (json)
             (guix channels))

(define-syntax alist-let
  (syntax-rules ()
    ((_ alist (variable rest ...) body ...)
     (let ((variable (assoc-ref alist (symbol->string 'variable))))
       (alist-let alist (rest ...) body ...)))
    ((_ alist () body ...)
     (begin body ...))))

(define (alist->channel-introduction alist)
  (alist-let alist (signer commit)
             (make-channel-introduction commit
                                        (openpgp-fingerprint signer))))

(define (alist->channel alist)
  (alist-let alist (name url branch commit introduction)
             (channel (name (string->symbol name))
                      (url url)
                      (branch branch)
                      (commit commit)
                      (introduction
                       (and=> introduction alist->channel-introduction)))))

(pk 'channels
 (map alist->channel
      (vector->list
       (json->scm
        (http-fetch/cached
         "https://people.bordeaux.inria.fr/lcourtes/tmp/channels.json";)))))
--8<---------------cut here---------------end--------------->8---

… then anytime you run ‘guix pull’, you’ll actually get the channels I
published in that ‘channels.json’ file (generated by
‘guix describe -f json’).

Since it’s JSON, you’re not executing arbitrary code; the authentication
and downgrade prevention mechanisms are in effect too, although the file
could direct you to unauthenticated third-party channels (authentication
is always required for the ‘guix’ channel itself) and there’s no
downgrade prevention if you’re using ‘time-machine’ rather than ‘pull’.

The use cases are:

  1. Within a team, everyone would default to downloading an agreed-upon
     channels file.  Someone in the team is responsible for keeping that
     file up-to-date etc.

  2. One could define a “stable distro” by publishing such a file:
     they’d pin channels to specific commits and change those commits
     only when the packages they care about have been tested.

  3. As someone distributing software, you could publish such a file and
     provide simple instructions to deploy the software.

  4. Cuirass, qa.guix, etc. could publish a channels file for each
     issue, branch, or jobset so that users can trivially reproduce it.

What if we exposed the snippet above (1) as a ‘download-channels’
procedure, say, and (2) at the CLI level?

  guix time-machine -C https://example.org/channels.json -- …

Thoughts?

Ludo’.