Re: [PATCH 2/4] emacs: Add 'guix-devel-download-package-source'.

[Alex Kost]

Ludovic Courtès (2015-10-07 15:23 +0300) wrote:

> Alex Kost <address@hidden> skribis:
>
[...]
>> I don't see a problem here, since a fake sha256 may be any string, 
>
> Not really, since ‘base32’ is a macro that checks its argument at
> expansion time.  So in practice one cannot C-M-x a package with a random
> base32 string.

Ah, indeed, it can't be any string, but it can be an empty string
(perhaps it's a bug in ‘base32’?)

>> for example "" (an empty string).  Also I believe people begin to
>> write a new package from some template, so you have a working skeleton
>> of future package with all required fields from the very beginning.
>> Then after filling an origin 'uri', you could "C-c . s" to download
>> the source and get its hash.
>
> Hmm.  I’m skeptical.  :-)

Sorry, I didn't get it.  Skeptical that people start from a template?
Or that one can download a source after filling an origin 'uri'?  If the
latter, I definitely did it.

> What about, instead, providing an interactive function that would prompt
> for a URL, run ‘guix download’ on that, and emit an ‘origin’ template at
> point with all the info?

I see several problems here, but the main is: this sounds like it should
be synchronous: you give an URL, wait until the source is downloaded and
finally get the template at point.  But downloading can take a VERY long
time, so I don't think it will be a usable command.

>> Oh, now I see what you mean.  Well, I don't know, I think if a user has
>> a habbit to check a signature, he will check it anyway; and if not, then
>> not.  Besides, at first a packager needs to find an URL of the source
>> tarball, so he will meet a signature anyway, if it exists.  So it's up
>> to him if he checks it or not.
>
> (Him or her.)

Yes, I just always say/write "he", "him", etc.

> I think we really want to give packagers a strong incentive to check
> signatures.  Tools should make it easy to do that.

OK, I understand.

-- 
Alex