On Fri, Dec 17, 2021 at 03:40:45PM -0800, Andy Tai wrote:
> as seen above, somehow the old version was downloaded from a cached
> copy at softwareheritage archives, and it proceeds to build.   This
> should not proceed but fail for wrong checksum.

This can happen with the Nix content-addressed archive fallback that we
use, too.

Basically, when the normal URLs fail, Guix queries these
content-addressed archives by content. That is, by their hash.

The version number is considered to be metadata, not content, and so the
download "succeeds".

Since the source origins are named by their hash, this is the correct
behaviour, although there is some room for error, as you've found.

Do you have any ideas about how to improve things?

We taught Guix to respect the GUIX_DOWNLOAD_FALLBACK_TEST [0]
environment variable, which controls how Guix uses these fallback
archives.

I recommend setting it to "none" if you are doing package development in
order to avoid this pitfall. Otherwise, these archives are helpful for
using Guix, since sources do disappear upstream, URLs change, etc, and
we'd like for old versions of Guix to be usable.

[0]
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=c4a7aa82e25503133a1bd33148d17968c899a5f5
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=bd61d62182bfda4a695757ec66810b28e8e1a6d0



Reply via email to