New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
lmstudio: 0.2.22 -> 0.2.23 #310914
base: master
Are you sure you want to change the base?
lmstudio: 0.2.22 -> 0.2.23 #310914
Conversation
Hi everyone, |
Hi! Thanks for your first contribution. Technically, it looks good. |
Hi @drupol thanks for the quick reply -- and for maintaining this package! I believe I failed to provide a better - more concise - context on why I opened this PR:
|
A hash mismatch? Now that is very odd. That means upstream is now delivering a different binary compared to before which is generally a pretty bad sign — if they can just change it willy-nilly, it potentially opens up downstream users for supply chain attacks. Bit hyperbolical, but it could happen. |
But isn't that always the case if it's not hosted on github. They can just change what binary is behind that link (and even if it is open source the maintainers would have to read every commit to verify that there is no malware which just isn't feasible.) Isn't that the reason we have this system to verify the hash before installing in the first place? Even then it's possible to change the binary without us knowing with a hash collision attack. To completely alleviate this issue we would have to host every binary on our own, which also isn't feasible without major server costs. I think this way of doing things is just the tradeoff we have landed on. |
Yeah, that is indeed the point, and we're not even allowed to host these binaries as they are unfree and not redistributable. However, it is quite worrying that they would just swap out the binary like that, which makes this source not reliable enough for our purposes. Stuff packaged in Nixpkgs has to build reliably and correctly, and that having a reliable source is a key part of that. |
I would really like to keep the package available to all Nixpkgs users and would like to keep it up2date. However, I'm absolutely with @pluiedev. If LMStudio wont supply us with a reliable source, I'm not sure, if we should keep it in Nixpkgs altogether. I would of course be absolutely fine with it being in Nixpkgs, as long as I or someone feels responsible for updating the package ASAP. But it's not really reliable at the time and if there was no maintainer available for a while, we would not just lag behind a couple versions, but would be stuck with a broken installation process (like right now), which isn't feasible. Feel free to thumb up my issue at lmstudio or supply additional information and opinions to the topic. |
Looks like upstream has pledged to keep the download links stable for now. Let's just fix the link and the hash and get on with it now, then? |
@cig0 will you update your remote branch to point to the most recent version? |
@eeedean @drupol Heads up: LM Studio devs updated the GNU/Linux filename package, adding At first, I thought about adding a variable to handle the new string, but I don't feel it'll change for a while since 20.04 is an LTS release. I thought about letting you know before proceeding with the change —you guys are the package maintainers- but I preferred agility over bureaucracy here, as this is a minimal change. Let me know what you think and if you prefer moving the OS bit to its own variable. Thanks! |
I have no strong opinion on this. I don't really use LMStudio anymore. Can I ask you if you could remove my name from the maintainers list? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please adjust the commits by squashing them, where needed. Also take a look at the conventions for commit messages in CONTRIBUTING.md as well as README.md of pkgs.
The Commits should eventually look about like that:
maintainers: add cig0
or »your handle«lmstudio: remove drupol from maintainers
lmstudio: add cig0 to maintainers
lmstudio: 0.2.22 -> 0.2.23
If you wouldn't want to be listed as maintainer, you can and should of course leave those commits out.
Thanks for your contribution!
Edit: I have no strong opinion about the -Ubuntu-20.04
, too. Leave it, as you like 😺.
lmstudio: 0.2.22 -> 0.2.23
@eeedean, I addressed the issues you pointed out (thanks!); let me know what you think. |
It looks like you somehow pulled in commits, that don't belong to your branch. Also the changes are incomplete and are not correctly distributed over the commits: maintainers: add cig0 should only add your handle to maintainers/maintainer-list.nix. Be aware, that this list must be ordered alphabetically, or one of the checks will fail. Best case would be to also add your own maintainer handle in a separate commit named like "lmstudio: adding cig0 to maintainers". Also have a look at the failing check. If you want to figure it out yourself first, you can have a look at the failing test. Otherwise, I got the reason written in the spoiler here 😸You call./darwinwithout the revision variable then callPackage ./darwin.nix { inherit pname version meta; }but you should: then callPackage ./darwin.nix { inherit pname version »revision« meta; } |
Description of changes
Things done
nix.conf
? (See Nix manual)sandbox = relaxed
sandbox = true
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)Add a 👍 reaction to pull requests you find important.