From mboxrd@z Thu Jan 1 00:00:00 1970 From: ng0 Subject: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1 content hashes fail Date: Sun, 1 Oct 2017 21:05:27 +0000 Message-ID: <20171001210527.ym24ubylu7mh5huv@abyayala> References: <877ewf18d4.fsf@gnu.org> <87wp4e8yk5.fsf@gnu.org> <20171001204237.GA11804@jasmine.lan> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="swcmruvmsvfrdmgs" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:53865) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dylR9-0003oX-Hm for bug-guix@gnu.org; Sun, 01 Oct 2017 17:06:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dylR5-0002Si-7C for bug-guix@gnu.org; Sun, 01 Oct 2017 17:06:07 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:34483) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dylR5-0002S2-3B for bug-guix@gnu.org; Sun, 01 Oct 2017 17:06:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dylR4-0006Xr-MJ for bug-guix@gnu.org; Sun, 01 Oct 2017 17:06:02 -0400 Sender: "Debbugs-submit" Resent-Message-ID: Content-Disposition: inline In-Reply-To: <20171001204237.GA11804@jasmine.lan> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Leo Famulari Cc: 28659@debbugs.gnu.org --swcmruvmsvfrdmgs Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Leo Famulari transcribed 2.3K bytes: > On Sun, Oct 01, 2017 at 09:20:42PM +0200, Jan Nieuwenhuizen wrote: > > Jan Nieuwenhuizen writes: > >=20 > > The changing of the libgit-0.26.0 checksum was already reported about 3 > > weeks ago (github seems to only show relative dates) > >=20 > > https://github.com/libgit2/libgit2/issues/4343 > >=20 > > and the bug is still open. It seems to be a github thing. As I > > understand it, currently our options are to update the hash and pray it > > won't happen again or host libgit2 tarballs ourselves. >=20 > I contacted GitHub about this issue a few weeks ago and they said that: >=20 > 1) They do not guarantee bit-reproducibility of the snapshots they > generate automatically for each release tag, and they wish that people > would not rely on them as we do. However, since people *are* relying on > them, they are discussing this issue internally. > 2) This is the relevant code change: > https://git.kernel.org/pub/scm/git/git.git/commit/?id=3D22f0dcd9634a818a0= c83f23ea1a48f2d620c0546 >=20 > In the meantime, we can add this to the list of reasons that > reproducibility is difficult in the long term. >=20 > I don't have any solutions in mind besides keeping substitutes available > for as long as possible and, for users, using substitutes. We might also > petition upstream projects to offer a "real" release tarball. Given that we depend on this for our core functionality, can't we just keep this on our ftp directory at gnu.org as a fall-back source in a list? --=20 ng0 GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 GnuPG: https://krosos.org/dist/keys/ https://www.infotropique.org https://krosos.org --swcmruvmsvfrdmgs Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlnRWJcACgkQ4i+bv+40 hYjWWw//Zx+EuYTMEF/nA1o+WwMFjKsZo/kL6zfNektqIsLJSbGkYCUIrAn3Jkur bL4FJxj4BMxkNHtkkVkUyhYVMalORoJaL0cAr6d/JQkzZswJHkjkzloIgbSdvRpz PR2u7gIu9DKqs5fE8fbBTYfrm/VwIgmxoZS5Wb8zt/iC5+yZ3+D3PxiU1ujFMtY9 POivSdWH68KsZBw31dQuEoBINWVhwVc2csRloyHjngsxew983usD25rfJJadR1qP Jm/yjOUmYqqrAfQr0LbHXs+C4Nfj8GL+c05JwgNEC/+6yaCc/Dp0Fa7QyOPbepCI 8hY2XOmTP6AjdQH7WCBwOh/7ZILlhENvOEs6CyW6qeRZgBze/0pvV/lXwbGhbGzF tqjS/SVieTuaPmQwdLZ2KvKh49bVWVsa56KM2uK0uOl8hobShBHy5VnbHgtgTmea eVqz1HKKDyjTg+Uzk++jKs7CwYA25BLD8mHqD1Hyg4UAIQtmM1KPmOhPsUuvt7x2 dKmSJiAZlaBTML+uoQ+Yt7Dg/GvM5HDrY6iOVwHvkCbUGuwrArxHXFFBLZ84DkWH c86aCebP9wUqEJvogDEvq4XPBVDyLu35KBLZrLfEARtXE5DbWQ7D9MjyNkS9ely+ 72dmfviu+CJbKFi8GKZvDbnHGeAXWSU31sGGqNCzR4FidUTTVv4= =lMkG -----END PGP SIGNATURE----- --swcmruvmsvfrdmgs--