Re: 01/01: gnu: gource: Fix the hashes of mutated GitHub archives.
From: Oleg Pykhalov
Subject: Re: 01/01: gnu: gource: Fix the hashes of mutated GitHub archives.
Date: Sun, 28 Jan 2018 20:36:42 +0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
Hello Leo,
Leo Famulari <address@hidden> writes:
> On Thu, Jan 25, 2018 at 09:17:38AM -0500, Oleg Pykhalov wrote:
>> wigust pushed a commit to branch master
>> in repository guix.
>>
>> commit 45b486984d8ab092cf002cd0b500df4dc62e186b
>> Author: Oleg Pykhalov <address@hidden>
>> Date: Thu Jan 25 16:58:35 2018 +0300
>>
>> gnu: gource: Fix the hashes of mutated GitHub archives.
>>
>> * gnu/packages/version-control.scm (gource): Fix hash.
>
>> - "https://github.com/acaudwell/Gource/archive/"
>> - "gource-" version ".tar.gz"))
>> + "https://github.com/acaudwell/Gource/releases/download"
>> + "/gource-" version "/gource-" version ".tar.gz"))
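Review bot: the ChangeLog entry `* gnu/packages/version-control.scm (gource): Fix hash.` does not describe what the hunk does: the only lines touched are the two URL strings, which move from the auto-generated `/archive/` snapshot to the `/releases/download/` asset. Make the entry say that, for example `(gource)[source]: Use release tarball URL.`, and state in the commit message whether the hash itself changed, so that readers do not take this as a report of a changed upstream hash.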
>
> Hey, thanks for fixing this up.
>
> The commit message made me think that the hash had changed
I thought about this a little bit differently. The commit changes the URL,
you're right. But because it fixes a wrong hash during build, it confused me.
> , but based on this commit it seems that the URL changed somehow, or
> was originally incorrect.
The URL was originally incorrect.
> In cases where the hash actually changed, please send a message to
> bug-guix so we can investigate publicly.
OK.
> The automatically created per-tag GitHub snapshots are not guaranteed to
> be cached forever by GitHub or recreated deterministically, so their
> hashes are subject to change. [0]
OK. Thank you for the reference.
> Additionally, if a packager uses `guix download` to check the hash of
> some file, but uses an incorrect URL in the package definition, Guix
> will use the file in /gnu/store and never try the URL. So it's easy to
> commit the wrong URL if you use `guix download`. Instead I recommend
> downloading the file outside of Guix and using `guix hash`.
Ah, thank you! I think it's because Guix doesn't make a new derivation if
the URL in the package recipe was changed. But it's not clear if you don't
think about that carefully.
Could we have the following warnings in the documentation?
- A GitHub archive could lead to a non-reproducible source tarball; please
use a release tarball if it is available.
- If you use the @code{guix download} command to check the hash of some
file, but use an incorrect URL in the package definition, Guix will
use the file in @file{/gnu/store/…pack.tar.gz} and never try the
URL. So it's easy to commit the wrong URL if you use @code{guix
download}. Instead it is recommended to download the file outside of Guix
and use the @code{guix hash} command.
> [0]
> https://github.com/libgit2/libgit2/issues/4343
> https://bugs.gnu.org/28659
Thanks,
Oleg.
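The two pitfalls discussed in this thread (a fixed-output download that is satisfied from the store by hash alone, so a wrong URL in the recipe is never exercised on the packager's machine, and an auto-generated per-tag archive whose bytes change under a fixed URL) can be reproduced with a small model. The following is an added example, not code from Guix or from this thread: it uses a constructed in-memory "network" and a toy content-addressed store whose lookup is keyed by expected hash, which is the property the discussion relies on. URLs, tarball bytes and the class and function names are all made up for the example.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "network": URL -> bytes the server would return.
# The release asset and the auto-generated snapshot are different files.
RELEASE_URL = "https://example.invalid/releases/download/gource-X/gource-X.tar.gz"
ARCHIVE_URL = "https://example.invalid/archive/gource-X.tar.gz"
RELEASE_TARBALL = b"release tarball bytes (constructed)"
ARCHIVE_GEN1 = b"auto-generated archive, first generation (constructed)"
NETWORK = {RELEASE_URL: RELEASE_TARBALL, ARCHIVE_URL: ARCHIVE_GEN1}
EXPECTED_HASH = sha256_hex(RELEASE_TARBALL)  # what the packager put in the recipe


class FixedOutputStore:
    """Toy model of a content-addressed store such as /gnu/store.

    A fixed-output fetch is identified by its expected output hash; if an
    item with that hash is already present, the URL is never consulted.
    """

    def __init__(self):
        self.items = {}      # sha256 hex -> bytes
        self.fetch_log = []  # URLs that were actually downloaded

    def fetch(self, url: str, expected_sha256: str, network: dict) -> bytes:
        if expected_sha256 in self.items:
            return self.items[expected_sha256]  # cache hit: URL ignored
        self.fetch_log.append(url)
        data = network.get(url)
        if data is None:
            raise LookupError(f"cannot download {url}")
        actual = sha256_hex(data)
        if actual != expected_sha256:
            raise ValueError(f"hash mismatch for {url}: {actual} != {expected_sha256}")
        self.items[actual] = data
        return data


def check_outside_store(url: str, expected_sha256: str, network: dict) -> bool:
    """The recommended workflow: download outside the store, then hash.

    Because there is no hash-keyed cache in front of it, the URL written in
    the recipe is always the one exercised.
    """
    data = network.get(url)
    if data is None:
        return False
    return sha256_hex(data) == expected_sha256


def wrong_url_scenario():
    """Returns (builds_on_packager_machine, builds_on_clean_machine)."""
    store = FixedOutputStore()
    # Step 1: the packager checks the hash with the correct URL; the store now holds it.
    store.fetch(RELEASE_URL, EXPECTED_HASH, NETWORK)
    # Step 2: the recipe carries the archive URL but the release hash.  The build
    # is satisfied from the store and the wrong URL is never touched.
    data = store.fetch(ARCHIVE_URL, EXPECTED_HASH, NETWORK)
    local_ok = data == RELEASE_TARBALL and ARCHIVE_URL not in store.fetch_log
    # Step 3: a clean machine has no such store item, so the wrong URL is tried
    # and yields bytes with a different hash.
    clean = FixedOutputStore()
    try:
        clean.fetch(ARCHIVE_URL, EXPECTED_HASH, NETWORK)
        clean_ok = True
    except (LookupError, ValueError):
        clean_ok = False
    return local_ok, clean_ok


def mutated_archive_scenario() -> str:
    """Same URL, regenerated snapshot bytes: the recorded hash no longer matches."""
    network = dict(NETWORK)
    old_hash = sha256_hex(network[ARCHIVE_URL])       # hash recorded at packaging time
    network[ARCHIVE_URL] = b"auto-generated archive, regenerated (constructed)"
    try:
        FixedOutputStore().fetch(ARCHIVE_URL, old_hash, network)
        return "ok"
    except ValueError:
        return "hash mismatch"


if __name__ == "__main__":
    print("wrong URL: local build ok / clean build ok =", wrong_url_scenario())
    print("regenerated archive:", mutated_archive_scenario())
    print("check outside store, archive URL:", check_outside_store(ARCHIVE_URL, EXPECTED_HASH, NETWORK))
    print("check outside store, release URL:", check_outside_store(RELEASE_URL, EXPECTED_HASH, NETWORK))
```

The model deliberately keys the store on the expected hash only, which is what makes the wrong-URL recipe build on a warm store and fail on a clean one; `check_outside_store` has no such cache, which is why hashing a separately downloaded file catches the bad URL before it is committed.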