Hello Leo,

Leo Famulari <l...@famulari.name> writes:

> On Thu, Jan 25, 2018 at 09:17:38AM -0500, Oleg Pykhalov wrote:
>> wigust pushed a commit to branch master
>> in repository guix.
>> 
>> commit 45b486984d8ab092cf002cd0b500df4dc62e186b
>> Author: Oleg Pykhalov <go.wig...@gmail.com>
>> Date:   Thu Jan 25 16:58:35 2018 +0300
>> 
>>     gnu: gource: Fix the hashes of mutated GitHub archives.
>>     
>>     * gnu/packages/version-control.scm (gource): Fix hash.
>
>> -                    "https://github.com/acaudwell/Gource/archive/";
>> -                    "gource-" version ".tar.gz"))
>> +                    "https://github.com/acaudwell/Gource/releases/download";
>> +                    "/gource-" version "/gource-" version ".tar.gz"))
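Review bot: the quoted hunk changes only the source URL (from the auto-generated `/archive/` snapshot to the `/releases/download/` asset), yet the commit subject "Fix the hashes of mutated GitHub archives" and the ChangeLog line "(gource): Fix hash." describe a hash fix, and no hash line appears in the hunk. The ChangeLog entry should name what actually changed, e.g. "(gource)[source]: Use the release tarball instead of the GitHub archive.", so a reader of the log does not infer that upstream's tarball was modified.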
>
> Hey, thanks for fixing this up.
>
> The commit message made me think that the hash had changed

I thought about this a little bit differently.  The commit changes the URL,
you are right.  But because it fixes a wrong hash during build, it confused me.

> , but based on this commit it seems that the URL changed somehow, or
> was originally incorrect.

The URL was originally incorrect.

> In cases where the hash actually changed, please send a message to
> bug-guix so we can investigate publicy.

OK.

> The automatically created per-tag GitHub snapshots are not guaranteed to
> be cached forever by GitHub or recreated deterministically, so their
> hashes are subject to change. [0]

OK.  Thank you for the reference.

> Additionally, if a packager uses `guix download` to check the hash of
> some file, but uses an incorrect URL in the package definition, Guix
> will use the file in /gnu/store and never try the URL. So it's easy to
> commit the wrong URL if you use `guix download`. Instead I recommend
> downloading the file outside of Guix and using `guix hash`.

Ah, thank you!  I think it is because Guix doesn't make a new derivation if
the URL in the package recipe was changed.  But it's not clear if you don't
think about that carefully.


Could we have the following warnings in the documentation?

  - A GitHub archive could lead to a non-reproducible source tarball; please
    use a release tarball if it is available.

  - If you use the @code{guix download} command to check the hash of some
    file, but use an incorrect URL in the package definition, Guix will
    use the file in @file{/gnu/store/…pack.tar.gz} and never try the
    URL.  So it's easy to commit the wrong URL if you use @code{guix
    download}.  Instead it is recommended to download the file outside of
    Guix and use the @code{guix hash} command.

> [0]
> https://github.com/libgit2/libgit2/issues/4343
> https://bugs.gnu.org/28659

Thanks,
Oleg.
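To make the two pitfalls discussed above concrete, here is a small Python model.  It is an added illustration, not Guix's own code: it imitates a content-addressed store that is consulted by expected hash before any network access (so a typo in the package's URL goes unnoticed on the packager's machine after `guix download` has already stored the file), and an `/archive/` snapshot whose bytes are regenerated after the hash was recorded.  All URLs, tarball contents and hashes in it are constructed for the demo; the `guix_download`, `build_origin` and `check_url_outside_store` functions are simplified stand-ins, not Guix's API.

```python
"""Model of why `guix download` plus a wrong URL goes unnoticed.

Added illustration, not Guix's own code.  Fixed-output downloads are
looked up in a content-addressed store by their expected hash before any
network access, and a GitHub /archive/ snapshot may later be regenerated
with different bytes.  URLs, tarball bytes and hashes are constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class FakeNetwork:
    """Stand-in for the network: maps URLs to bytes, raises on a missing URL."""

    def __init__(self, pages):
        self.pages = dict(pages)
        self.fetch_log = []          # every URL that was actually requested

    def get(self, url: str) -> bytes:
        self.fetch_log.append(url)
        if url not in self.pages:
            raise LookupError("404 Not Found: " + url)
        return self.pages[url]


class ContentAddressedStore:
    """Stand-in for /gnu/store as seen by fixed-output downloads: keyed by hash."""

    def __init__(self):
        self.items = {}

    def add(self, data: bytes) -> str:
        h = sha256_hex(data)
        self.items[h] = data
        return h

    def has(self, h: str) -> bool:
        return h in self.items


def guix_download(url, store, net) -> str:
    """Like `guix download URL`: fetch, add to the store, report the hash."""
    return store.add(net.get(url))


def build_origin(url, expected_hash, store, net) -> bytes:
    """Like building a fixed-output origin: the store is consulted by hash
    first, and the URL is only tried when no matching item exists."""
    if store.has(expected_hash):
        return store.items[expected_hash]
    data = net.get(url)
    if sha256_hex(data) != expected_hash:
        raise ValueError("hash mismatch for " + url)
    store.add(data)
    return data


def check_url_outside_store(url, expected_hash, net) -> bool:
    """The recommended check: fetch the URL without consulting the store
    (what downloading outside Guix and running `guix hash` achieves)."""
    try:
        return sha256_hex(net.get(url)) == expected_hash
    except LookupError:
        return False


def demo() -> dict:
    # Constructed tarball contents; the two snapshots differ only in bytes
    # that GitHub's regeneration would change (e.g. gzip metadata).
    release = b"release tarball 1.0 (constructed)"
    snapshot_v1 = b"auto-generated archive 1.0, gzip mtime A (constructed)"
    snapshot_v2 = b"auto-generated archive 1.0, gzip mtime B (constructed)"
    good_url = "https://example.org/proj/releases/download/1.0/proj-1.0.tar.gz"
    typo_url = "https://example.org/proj/releases/downlaod/1.0/proj-1.0.tar.gz"
    archive_url = "https://example.org/proj/archive/1.0.tar.gz"
    results = {}

    # 1) `guix download` on the right URL, then a typo in the package
    #    definition: the build still succeeds locally because the store
    #    already holds an item with the expected hash; the URL is never tried.
    net = FakeNetwork({good_url: release})
    store = ContentAddressedStore()
    h = guix_download(good_url, store, net)
    build_origin(typo_url, h, store, net)            # no error locally
    results["typo_url_builds_locally"] = True
    results["typo_url_was_fetched"] = typo_url in net.fetch_log
    try:                                             # fresh machine: empty store
        build_origin(typo_url, h, ContentAddressedStore(), FakeNetwork({good_url: release}))
        results["typo_url_builds_fresh"] = True
    except LookupError:
        results["typo_url_builds_fresh"] = False
    results["independent_check_catches_typo"] = not check_url_outside_store(typo_url, h, net)

    # 2) Hash recorded from an /archive/ snapshot that is regenerated later.
    net2 = FakeNetwork({archive_url: snapshot_v1})
    store2 = ContentAddressedStore()
    h_snap = guix_download(archive_url, store2, net2)
    net2.pages[archive_url] = snapshot_v2           # the "mutated" archive
    build_origin(archive_url, h_snap, store2, net2)  # still fine: store hit
    results["mutated_archive_builds_locally"] = True
    try:
        build_origin(archive_url, h_snap, ContentAddressedStore(), net2)
        results["mutated_archive_builds_fresh"] = True
    except ValueError:
        results["mutated_archive_builds_fresh"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the model makes is that the packager's own machine is the one place where both mistakes are invisible: the store hit satisfies the build, so only a fetch that bypasses the store (or a build on a machine that has never seen the file) exercises the URL and the current bytes behind it.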

Attachment: signature.asc
Description: PGP signature