From: Leo Famulari
Subject: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1 content hashes fail
Date: Mon, 2 Oct 2017 14:19:29 -0400
Message-ID: <20171002181929.GA10773@jasmine.lan>
In-Reply-To: <87vajxoavx.fsf@gnu.org>
To: Ludovic Courtès
Cc: 28659@debbugs.gnu.org
List-Id: Bug reports for GNU Guix

On Mon, Oct 02, 2017 at 04:57:38PM +0200, Ludovic Courtès wrote:
> Hi!
>
> Leo Famulari skribis:
>
> > I contacted GitHub about this issue a few weeks ago and they said that:
> >
> > 1) They do not guarantee bit-reproducibility of the snapshots they
> > generate automatically for each release tag, and they wish that people
> > would not rely on them as we do. However, since people *are* relying on
> > them, they are discussing this issue internally.
>
> Oh?! Then we’re in trouble.

I wonder, are there really that many affected packages? My sense is that
most GitHub-hosted projects offer their own release tarballs in addition
to the problematic auto-generated snapshots, and we tend to prefer the
upstream-provided tarballs in this case. We'd need to survey our package
sources to know what sort of reaction is most appropriate.

In general, we should try to make Guix as resilient as possible to
unstable upstream sources, since the problem is not limited to GitHub.

> Perhaps we should start using ‘git-fetch’ more, with Software Heritage
> as a fallback content-addressed mirror? Though again the difficulty is
> that SWH uses Git’s method to hash directory contents, so we’d end up
> having to provide both a Nix hash and a Git hash in ‘origin’. :-/

And the Git hashes will change from SHA1 to SHA256 sooner or later, and
SHA1 hashes will become less reliable as CPUs get faster (collision
attacks), compounding the problem...
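The two hashing problems the thread turns on, as an added example that is not code from the Guix project or from anyone in this exchange: a hash pinned on the downloaded archive breaks as soon as the host regenerates the snapshot (a different gzip header timestamp or member order is enough), while a hash over the unpacked tree stays stable; and Git's tree id (SHA-1 over Git's tree object format, the method Software Heritage uses for directories) is a different number from a content hash over the same files, which is why an origin wanting both a Nix-style hash and a Git hash would have to carry two values. The sample tree is constructed; `content_hash` is a simplified canonical tree hash standing in for a NAR-style recursive hash, not Nix's exact serialization, whereas `git_tree_id` implements Git's real tree object layout for plain files.

```python
# Added example (not from the Guix project or anyone in this thread): archive
# hashes vs. unpacked-tree hashes, and Git tree ids vs. content hashes.
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree; file contents are arbitrary.
SAMPLE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"libfoo\n",
    "Makefile": b"all:\n\tcc src/main.c\n",
}


def make_targz(files, mtime, order):
    """Build a .tar.gz of FILES, writing members in ORDER with timestamp MTIME.
    A regenerated snapshot of the same tag can differ in exactly these details
    (gzip header mtime, member mtimes, member order) with identical contents."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name in order:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tf.addfile(info, io.BytesIO(data))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


def unpack(targz):
    """Return {path: bytes} for the regular files in a .tar.gz."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(targz), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.isfile():
                out[member.name] = tf.extractfile(member).read()
    return out


def content_hash(files, algo="sha256"):
    """Canonical hash of an unpacked tree: sorted paths, length-prefixed names
    and contents. Simplified stand-in for a NAR-style recursive hash; it is NOT
    Nix's serialization (assumption: no file modes, no symlinks)."""
    h = hashlib.new(algo)
    for path in sorted(files):
        name, data = path.encode(), files[path]
        h.update(len(name).to_bytes(8, "little") + name)
        h.update(len(data).to_bytes(8, "little") + data)
    return h.hexdigest()


def git_blob_id(data):
    """Git's blob object id: SHA-1 over "blob <size>\\0<data>"."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).digest()


def git_tree_id(files, prefix=""):
    """Git's tree object id for FILES below PREFIX, all files as mode 100644.
    This is Git's real tree layout, so it matches `git write-tree` for such a
    tree; it is the directory hashing method the thread attributes to SWH."""
    children = {}
    for path, data in files.items():
        if path.startswith(prefix):
            head, sep, _ = path[len(prefix):].partition("/")
            children[head] = None if sep else data  # None marks a subdirectory

    def sort_key(name):  # Git sorts a directory as if its name ended in "/"
        return name + "/" if children[name] is None else name

    body = b""
    for name in sorted(children, key=sort_key):
        if children[name] is None:
            mode, oid = b"40000", git_tree_id(files, prefix + name + "/")
        else:
            mode, oid = b"100644", git_blob_id(children[name])
        body += mode + b" " + name.encode() + b"\0" + oid
    return hashlib.sha1(b"tree %d\0" % len(body) + body).digest()


def compare_snapshots():
    """Two regenerated snapshots of one tree: returns (archive_equal, tree_equal)."""
    snap_a = make_targz(SAMPLE_TREE, mtime=1506960000,
                        order=["src/main.c", "README", "Makefile"])
    snap_b = make_targz(SAMPLE_TREE, mtime=1506960000 + 86400,
                        order=["Makefile", "README", "src/main.c"])
    archive_equal = hashlib.sha256(snap_a).digest() == hashlib.sha256(snap_b).digest()
    tree_a, tree_b = unpack(snap_a), unpack(snap_b)
    tree_equal = (content_hash(tree_a) == content_hash(tree_b)
                  and git_tree_id(tree_a) == git_tree_id(tree_b))
    return archive_equal, tree_equal


if __name__ == "__main__":
    print("archive hashes equal, tree hashes equal:", compare_snapshots())
    print("content hash (sha256):", content_hash(SAMPLE_TREE))
    print("git tree id (sha1):   ", git_tree_id(SAMPLE_TREE).hex())
```

Running it shows `(False, True)`: the two archives hash differently although every byte of every file is the same, which is the failure mode behind the `libgit2` hash mismatches in the bug title. The last two lines print two unrelated digests for one tree, one SHA-256 over the canonical content serialization and one SHA-1 Git tree id, so a recipe that wants to verify against both a content-addressed store and a Git-style mirror has to record both, and the SHA-1 one inherits SHA-1's collision weakness.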