[debbugs-tracker] bug#20428: closed (git-fetch does not always validate hash)

[GNU bug Tracking System]

Your message dated Fri, 01 May 2015 22:21:52 +0200
with message-id <address@hidden>
and subject line Re: bug#20428: git-fetch does not always validate hash
has caused the debbugs.gnu.org bug report #20428,
regarding git-fetch does not always validate hash
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
20428: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=20428
GNU Bug Tracking System
Contact address@hidden with problems
> --- Begin Message ---
>
>
>
> Subject: 
>
> git-fetch does not always validate hash
>
>
>
>
> Date: 
>
> Sun, 26 Apr 2015 15:13:16 +0200
>
>
>
>
> I'm currently playing with the elogind package recipe and I'm
> occasionally updating my clone of the elogind git repository.  Whenever
> I do I update the value of "commit" in the package definition:
>
>     (define-public elogind
>       (let ((commit "18ee7abc9a"))
>         (package
>           (name "elogind")
>           (version (string-append "219." commit))
>           (source (origin
>                     (method git-fetch)
>                     (uri (git-reference
>                           (url "http://git.elephly.net/software/elogind.git";)
>                           (commit commit)))
>                     (sha256
>                      (base32
>                       "0lg8jgp9rl3wf9w2xfip87nx9zpjhm4js7x1z05744xiyfmvawp5"))))
>           ;; ...
>           (license license:lgpl2.1+))))
>
> Upon rebuilding the package from a new commit I would expect the build
> to fail with a hash validation error as I have not updated the hash yet.
> However, the build procedure just continues.  I noticed that the git
> checkout is still the very same as before I updated the value of
> "commit".  I cannot seem to reliably force a new git checkout.
>
>
>
>
> --- End Message ---
> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: bug#20428: git-fetch does not always validate hash
>
>
>
>
> Date: 
>
> Fri, 01 May 2015 22:21:52 +0200
>
>
>
>
> User-agent: 
>
> Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
>
>
>
>
> Ricardo Wurmus <address@hidden> skribis:
>
> > Upon rebuilding the package from a new commit I would expect the build
> > to fail with a hash validation error as I have not updated the hash yet.
> > However, the build procedure just continues.  I noticed that the git
> > checkout is still the very same as before I updated the value of
> > "commit".  I cannot seem to reliably force a new git checkout.
>
> Indeed, origins compile to fixed-output derivations, meaning that these
> are special derivations whose output is known in advance (rather, the
> SHA256 is the output is known in advance.)  Thus, it doesn’t matter how
> the derivation produces its result as long as its output has the correct
> hash.
>
> When you leave the ‘sha256’ unchanged, the daemon notices that there’s
> already an item with this name and hash in the store, so it does
> nothing.
>
> This is expected behavior, though I understand this can be error-prone
> here.
>
> To avoid that, you could add a ‘file-name’ field to the origin that
> includes the commit:
>
>   (file-name (string-append name "-checkout-" commit))
>
> Thus, if you change the commit without changing the hash, the daemon
> will still want to build the origin (because of the changed name) and
> will eventually complain about the hash mismatch.
>
> Thanks,
> Ludo’.
>
>
> --- End Message ---