guix-devel

Re: 01/01: gnu: gource: Fix the hashes of mutated GitHub archives.


From: Leo Famulari
Subject: Re: 01/01: gnu: gource: Fix the hashes of mutated GitHub archives.
Date: Sun, 28 Jan 2018 18:26:28 -0500
User-agent: Mutt/1.9.2 (2017-12-15)

On Sun, Jan 28, 2018 at 08:36:42PM +0300, Oleg Pykhalov wrote:
> Leo Famulari <address@hidden> writes:
> > Additionally, if a packager uses `guix download` to check the hash of
> > some file, but uses an incorrect URL in the package definition, Guix
> > will use the file in /gnu/store and never try the URL. So it's easy to
> > commit the wrong URL if you use `guix download`. Instead I recommend
> > downloading the file outside of Guix and using `guix hash`.
> 
> Ah, thank you!  I think it's because Guix doesn't make a new derivation if
> the URL in the package recipe was changed.  But it's not clear if you don't
> think about that carefully.

Yes, this is tricky.

> Could we have the following warnings in the documentation?
> 
>   - GitHub archive could lead to non-reproducible source tarball, please
>     use a release tarball if it is available.

The problem of unstable upstream sources is a general problem, not
limited to GitHub. We noticed it recently on GitHub because they host so
many projects, but it happens at other mega-hosters and also with
self-hosted projects.

We use content addressing to make it easier to preserve and find these
sources over time. Guix will look on any substitute servers you are
using, our own content-addressed storage, and the Nix project's
content-addressed storage. The Software Heritage project [0] exists
to address this specific problem, and we'd like to eventually try
fetching sources from them, too.

>   - If you use a @code{guix download} command to check the hash of some
>     file, but use an incorrect URL in the package definition, Guix will
>     use the file in @file{/gnu/store/…pack.tar.gz} and never try the
>     URL.  So it's easy to commit the wrong URL if you use @code{guix
>     download}. Instead, it is recommended to download the file outside of
>     Guix and use the @code{guix hash} command.

Something like this would be helpful, but I'd like to write it more
carefully, and also think about exactly where in the manual it should
go.

To me the obvious choices are 'Invoking guix download' and 'Packaging
Guidelines'.

I'm also wary of filling the manual with warnings and caveats which
could overwhelm the reader...

[0] https://www.softwareheritage.org/
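The workflow Leo recommends above (fetch the source with something other than `guix download`, then compare `guix hash` of the result with the hash in the package definition) as a small POSIX shell script. This is an added example, not code from the thread or from the Guix project; it assumes `curl` and `guix` are installed, and the URL and hash you pass to it are taken from the origin you are checking.

```shell
#!/bin/sh
# Verify a package origin without going through `guix download`, so that a
# wrong URL is actually exercised instead of being masked by an item already
# present in /gnu/store with the same content hash.

fetch_outside_guix() {
  # $1 = URL, $2 = destination file. A bad or stale URL fails right here.
  curl -fsSL --retry 3 -o "$2" "$1"
}

hash_like_guix() {
  # Same nix-base32 SHA256 encoding that `guix hash` prints and that the
  # package definition records in its (sha256 (base32 "...")) field.
  guix hash "$1"
}

verify_source() {
  # $1 = URL from the origin, $2 = expected nix-base32 hash from the origin.
  # Returns 0 on match, 1 on hash mismatch, 2 if the fetch itself failed.
  url=$1
  expected=$2
  tmp=$(mktemp -d) || return 2
  if ! fetch_outside_guix "$url" "$tmp/source"; then
    echo "fetch failed: $url" >&2
    rm -rf "$tmp"
    return 2
  fi
  actual=$(hash_like_guix "$tmp/source")
  rm -rf "$tmp"
  if [ "$actual" = "$expected" ]; then
    echo "OK: $url hashes to $expected"
    return 0
  fi
  echo "MISMATCH for $url" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Usage: ./check-origin.sh URL NIX-BASE32-HASH
if [ "$#" -eq 2 ]; then
  verify_source "$1" "$2"
fi
```

A mismatch on a GitHub auto-generated archive is exactly the mutated-tarball case the commit in the subject line fixes; a fetch failure points at a URL that only ever "worked" because the store already held the file.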


