Re: guix hash of source from git repository.
From: Leo Famulari
Subject: Re: guix hash of source from git repository.
Date: Tue, 21 Feb 2017 17:21:02 -0500
User-agent: Mutt/1.7.2 (2016-11-26)

On Tue, Feb 21, 2017 at 09:56:29PM +0000, ng0 wrote:
> On 17-02-21 22:25:35, Catonano wrote:
> Please avoid doing it the way described below, though. Calculating it in
> advance is more secure and helps to prevent introducing errors. If
> there's a mismatch it shows an error.
>
> > Another option is to try to build the package with the wrong hash, wait for
> > the error message and copy the right hash from within the error message
> > itself. Lame, but hey

I agree with ng0. We should not do this when creating Guix packages.

The guix download code has a relatively rare "network signature" when
compared to things like a web browser or wget.

Someone could serve a different file when they detect use of the Guix
download tool, and if this makes it into a package definition, all of
our users would end up with the wrong software.