Subscribe to notifications on a derivation #532

Open
opened 2025-05-02 14:13:47 +00:00 by fricklerhandwerk · 2 comments
fricklerhandwerk commented 2025-05-02 14:13:47 +00:00 (Migrated from github.com)

As a Nixpkgs user, I want to subscribe to only certain channels with regard to notifications on vulnerabilities that relate to packages I'm interested in, in order to filter for issues relevant for me.

Depends on:

  • https://github.com/Nix-Security-WG/nix-security-tracker/issues/174

Acceptance criteria

Given I have a user account,
When I log in,
Then I can view a "Subscriptions" page which shows the channels and packages I'm subscribed to, and there's a way to subscribe to more packages.

Given some package I want to subscribe to for notifications (see #215),
When I subscribe to it,
Then it shows up in my list of subscribed packages, and new issues that relate to the versions of that package that are present in the channels I am tracking show up in my notifications.

Given I'm subscribed to some package,
When a vulnerability record is issued to one of its build or runtime dependencies,
Then it also shows up in my notifications, annotated as such.

Given some package that I'm subscribed to,
When I unsubscribe,
Then it disappears from my list of subscribed packages, and new notifications for issues that relate to it do not appear in my overview.

Given some package (on a channel) I want to subscribe to,
When I visit the corresponding subscription URL,
Then I can review and subscribe to that package.

Note

This is useful for a future integration with e.g. search.nixos.org

Given some packages I'm subscribed to and a channel for which I would like to receive notifications,
When I start "tracking" that channel,
Then I get notifications for versions of my subscribed packages in that channel.

Given a channel I am tracking,
When I stop tracking that channel,
Then I stop receiving notifications for package versions in that channel.

Implementation notes

  • When we are tracking channels, we only want to receive notifications for packages to which we are subscribed, not all packages in those channels.

  • In the future, allow "package groups", i.e. collections of packages per channel(s). This would just be the current interface repeated multiple times.

    • We could develop a tool that scans a local project (e.g. your system configuration), creates a new subscription group and adds all known dependencies to that group, while selecting the correct channel for it too.
  • When a new release appears, what do we do?

    • Automatically unsubscribe releases that are EOLd?
    • If you're subscribed to stable, automatically subscribe to the new stable?
    • Notify users that a new release appeared?

Related:

  • https://github.com/Nix-Security-WG/nix-security-tracker/issues/532
  • https://github.com/Nix-Security-WG/nix-security-tracker/issues/217
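The matching rule in the acceptance criteria and the first implementation note, sketched as an added example (not part of the original issue and not the tracker's own code). The `User` model, the function names and the dependency graph are assumptions constructed for illustration, not real Nixpkgs closures.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    packages: set = field(default_factory=set)  # subscribed package names
    channels: set = field(default_factory=set)  # tracked channels

# Constructed sample: direct build/runtime dependencies per channel.
DEPS = {
    "nixos-24.11": {"curl": {"openssl", "zlib"}, "git": {"curl", "openssl"}},
    "nixos-unstable": {"curl": {"openssl"}, "git": {"curl"}},
}

def dependents(channel, package):
    """Packages in `channel` that depend on `package`, directly or transitively."""
    graph = DEPS.get(channel, {})
    found, frontier = set(), {package}
    while frontier:
        # Anything whose direct deps touch the frontier is a new dependent.
        frontier = {p for p, ds in graph.items() if ds & frontier} - found
        found |= frontier
    return found - {package}

def notifications(users, affected_package, affected_channels):
    """Return (user, channel, subscribed_package, reason) for one vulnerability record."""
    out = []
    for user in users:
        # Only channels the user tracks AND the record affects are considered.
        for channel in sorted(user.channels & set(affected_channels)):
            if affected_package in user.packages:
                out.append((user.name, channel, affected_package, "direct"))
            # Subscribed packages that pull in the affected one get an annotation.
            for pkg in sorted(user.packages & dependents(channel, affected_package)):
                out.append((user.name, channel, pkg, "dependency:" + affected_package))
    return out

if __name__ == "__main__":
    users = [
        User("alice", {"git"}, {"nixos-24.11"}),
        User("bob", {"openssl", "curl"}, {"nixos-unstable"}),
        User("carol", {"git"}, set()),  # subscribed but tracks no channel
    ]
    for row in notifications(users, "openssl", ["nixos-24.11", "nixos-unstable"]):
        print(row)
```

A user who subscribes to a package but tracks no channel receives nothing, and unsubscribing removes both the direct and the dependency-annotated notifications for that package.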
florentc commented 2025-05-05 15:03:25 +00:00 (Migrated from github.com)

To sum up and confirm, is this mockup of the user profile setting view (on the left) and package list view (on the right) the kind of thing we are targeting eventually?

![Image](https://github.com/user-attachments/assets/dc896229-494a-49fa-9ac6-19f43baadc9a)
fricklerhandwerk commented 2025-05-05 15:36:28 +00:00 (Migrated from github.com)

Yes, and we may arrange the currently left box on top of the currently right one depending on screen size/format, but structurally this is it. As @balsoft proposed, those boxes are supposed to belong together, so we could in principle have multiple such collections in the future, but visually it doesn't matter right now.
