[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1 content has

From: Ludovic Courtès
Subject: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1 content hashes fail
Date: Mon, 02 Oct 2017 22:00:33 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Leo Famulari <address@hidden> skribis:

> On Mon, Oct 02, 2017 at 05:09:39PM +0200, Ludovic Courtès wrote:
>> What’s sad here is that we do have the right tarball at:
>> https://mirror.hydra.gnu.org/file/libgit2-0.25.1.tar.gz/sha256/1cdwcw38frc1wf28x5ppddazv9hywc718j92f3xa3ybzzycyds3s

Just to be clear: this URL is not that of a substitute, but that of a
content-addressed file (corresponding to the output of a fixed-output

> It seems to me that there are several reasons someone may choose not to
> use substitutes. Some of those reasons (reproducibility and security
> concerns) are obviated for fixed-output derivations like upstream
> sources, and I think it would be fine to still use substitutes for these
> derivations.
> But the motivations of privacy, self-sufficiency, etc are not addressed
> by that idea.

Right.  Jan suggested checking the content-addressed mirrors *before*
the real upstream address.  That would address the problem of upstream
sources modified in-place, but at the cost of privacy/self-sufficiency
as you note.  (Though it’s not really making “privacy” any worse in this
case: it’s gnu.org vs. github.com.)

Perhaps we should make content-addressed mirrors configurable in a way
that’s orthogonal to derivations, something similar in spirit to
--substitute-urls?  The difficulty is that content-addressed mirrors are
not just URLs; see (guix download).



reply via email to

[Prev in Thread] Current Thread [Next in Thread]