guix-devel

Re: Making local development easy


From: Leo Famulari
Subject: Re: Making local development easy
Date: Wed, 25 May 2016 12:13:42 -0400
User-agent: Mutt/1.6.0 (2016-04-01)

On Wed, May 25, 2016 at 10:23:20AM +0200, Alex Sassmannshausen wrote:
> Christopher Baines writes:
> > The first, is that the hash is required, which I only had to compute
> > once, but if I wanted to change the package, I would have to update
> > this, which is prohibitive to local development. As an improvement to
> > this, could the hash be optional, and if it does not exist, be
> > calculated when the build is performed?
> 
> From my perspective, I think silently calculating a hash on the fly if
> it is not provided would be problematic: it might lead to laziness in
> completing the hash, which would undermine the security model of Guix
> (if I understand correctly).
> 
> But maybe an explicit flag setting the declaration to "dev-mode", might
> be useful?

Perhaps I'm too paranoid, but I'd rather not see this implemented in
Guix. It would create the necessary elements for a "downgrade attack"
[0], where an attacker exploits some bug to enable the "dev-mode" when
the user doesn't intend it.

Why not write an external script that will recalculate the hash and
rewrite the package definition for you?
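One shape such an external script could take, as an added example that is not part of this message or of Guix itself: it recomputes the SHA-256 of a single-file source in the nix-base32 form that `guix hash` prints and rewrites the `(base32 "...")` field, so the hash stays mandatory and the build gains no opt-out switch. The function names, the one-field-per-file assumption and the command-line argument order are hypothetical.

```python
import hashlib
import re
import sys
from pathlib import Path

# Alphabet of the nix-base32 encoding that `guix hash` prints by default.
ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"
# The (base32 "...") field of an origin. Assumption: one such field per file.
BASE32_FIELD = re.compile(r'\(base32\s+"([%s]*)"\)' % ALPHABET)


def nix_base32(digest: bytes) -> str:
    """Encode digest as nix-base32: the bytes are read as a little-endian
    integer and emitted as 5-bit digits, most significant digit first."""
    n = int.from_bytes(digest, "little")
    length = (len(digest) * 8 - 1) // 5 + 1
    return "".join(ALPHABET[(n >> (5 * i)) & 31] for i in reversed(range(length)))


def source_hash(path: Path) -> str:
    """SHA-256 of a regular file (for example a tarball), 52 characters long."""
    return nix_base32(hashlib.sha256(path.read_bytes()).digest())


def rewrite_hash(package_file: Path, source: Path) -> tuple[str, str]:
    """Replace the single base32 field in package_file; return (old, new)."""
    text = package_file.read_text()
    found = BASE32_FIELD.findall(text)
    if len(found) != 1:
        # Refuse to guess which origin to touch; the definition is left as-is.
        raise ValueError(f"expected exactly one (base32 ...) field, found {len(found)}")
    new = source_hash(source)
    package_file.write_text(BASE32_FIELD.sub(f'(base32 "{new}")', text))
    return found[0], new


if __name__ == "__main__":
    # Hypothetical usage: rehash.py my-package.scm ./my-package-0.1.tar.gz
    old, new = rewrite_hash(Path(sys.argv[1]), Path(sys.argv[2]))
    print(f"{old} -> {new}")
```

This covers a single-file source only; a directory checkout is hashed over its nar serialization (`guix hash -r`), which the example does not implement.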


