On Fri, Dec 17, 2021 at 03:40:45PM -0800, Andy Tai wrote: > as seen above, somehow the old version was downloaded from a cached > copy at softwareheritage archives, and it proceeds to build. This > should not proceed but fail for wrong checksum.
This can happen with the Nix content-addressed archive fallback that we use, too. Basically, when the normal URLs fail, Guix queries these content-addressed archives by content. That is, by their hash. The version number is considered to be metadata, not content, and so the download "succeeds". Since the source origins are named by their hash, this is the correct behaviour, although there is some room for error, as you've found. Do you have any ideas about how to improve things? We taught Guix to respect the GUIX_DOWNLOAD_FALLBACK_TEST [0] environment variable, which controls how Guix uses these fallback archives. I recommend setting it to "none" if you are doing package development in order to avoid this pitfall. Otherwise, these archives are helpful for using Guix, since sources do disappear upstream, URLs change, etc, and we'd like for old versions of Guix to be usable. [0] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=c4a7aa82e25503133a1bd33148d17968c899a5f5 https://git.savannah.gnu.org/cgit/guix.git/commit/?id=bd61d62182bfda4a695757ec66810b28e8e1a6d0