From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1 content hashes fail
Date: Mon, 02 Oct 2017 22:00:33 +0200
Message-ID: <878tgt721q.fsf@gnu.org>
References: <877ewf18d4.fsf@gnu.org> <87o9ppoabw.fsf@gnu.org> <20171002182208.GB10773@jasmine.lan>
In-Reply-To: <20171002182208.GB10773@jasmine.lan> (Leo Famulari's message of "Mon, 2 Oct 2017 14:22:08 -0400")
To: Leo Famulari
Cc: 28659@debbugs.gnu.org

Leo Famulari wrote:

> On Mon, Oct 02, 2017 at 05:09:39PM +0200, Ludovic Courtès wrote:
>> What’s sad here is that we do have the right tarball at:
>>
>> https://mirror.hydra.gnu.org/file/libgit2-0.25.1.tar.gz/sha256/1cdwcw38frc1wf28x5ppddazv9hywc718j92f3xa3ybzzycyds3s

Just to be clear: this URL is not that of a substitute, but that of a
content-addressed file (corresponding to the output of a fixed-output
derivation.)

> It seems to me that there are several reasons someone may choose not to
> use substitutes. Some of those reasons (reproducibility and security
> concerns) are obviated for fixed-output derivations like upstream
> sources, and I think it would be fine to still use substitutes for these
> derivations.
>
> But the motivations of privacy, self-sufficiency, etc are not addressed
> by that idea.

Right.

Jan suggested checking the content-addressed mirrors *before* the real
upstream address. That would address the problem of upstream sources
modified in-place, but at the cost of privacy/self-sufficiency as you
note. (Though it’s not really making “privacy” any worse in this case:
it’s gnu.org vs. github.com.)

Perhaps we should make content-addressed mirrors configurable in a way
that’s orthogonal to derivations, something similar in spirit to
--substitute-urls?

The difficulty is that content-addressed mirrors are not just URLs; see
(guix download).

Thoughts?

Ludo’.
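
Added example (not part of the message above and not Guix's own code): a Python sketch of hash-verified fetching from an ordered source list, showing how the order of upstream and content-addressed mirror decides which hosts are contacted when upstream has been modified in place. The mirror URL layout is the one quoted in the message; the upstream host, the sample bytes, the in-memory "network" and all function names are constructed for illustration.

```python
import hashlib

NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"  # Nix/Guix base32 alphabet (no e, o, t, u)

def nix_base32(digest: bytes) -> str:
    """Encode a digest in the base32 variant Nix and Guix use for hashes."""
    n = int.from_bytes(digest, "little")
    length = (len(digest) * 8 - 1) // 5 + 1      # 52 characters for SHA-256
    return "".join(NIX_B32[(n >> (5 * k)) & 31] for k in reversed(range(length)))

def mirror_url(name: str, b32: str) -> str:
    # URL layout as quoted in the message above.
    return f"https://mirror.hydra.gnu.org/file/{name}/sha256/{b32}"

def fetch_verified(urls, expected_b32, transport):
    """Try urls in order; return (url, data, contacted) for the first body
    whose SHA-256 matches expected_b32, or raise if none matches."""
    contacted = []
    for url in urls:
        contacted.append(url)
        data = transport(url)                    # bytes, or None if unavailable
        if data is not None and nix_base32(hashlib.sha256(data).digest()) == expected_b32:
            return url, data, contacted
    raise ValueError(f"no source matched {expected_b32}; tried {contacted}")

# Constructed sample data: the tarball as first released, and the bytes now
# served under the same name after an in-place change upstream.
ORIGINAL = b"libgit2 0.25.1 original release bytes"
MODIFIED = b"libgit2 0.25.1 regenerated archive bytes"
EXPECTED = nix_base32(hashlib.sha256(ORIGINAL).digest())
UPSTREAM = "https://upstream.example/libgit2-0.25.1.tar.gz"  # placeholder host
MIRROR = mirror_url("libgit2-0.25.1.tar.gz", EXPECTED)
FAKE_NET = {UPSTREAM: MODIFIED, MIRROR: ORIGINAL}            # offline stand-in

def demo(order):
    """Return (winning URL, hosts contacted) for a given source order."""
    url, _, contacted = fetch_verified(order, EXPECTED, FAKE_NET.get)
    return url, contacted

if __name__ == "__main__":
    print(demo([UPSTREAM, MIRROR]))  # upstream body rejected, mirror used
    print(demo([MIRROR, UPSTREAM]))  # mirror first: upstream never contacted
```

In both orders the hash check decides what is accepted; the order only changes which hosts learn about the download, which is the privacy/self-sufficiency trade-off raised in the thread.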