From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tobias Geerinckx-Rice Subject: bug#36614: rust@1.36's hash is incorrect. Date: Fri, 12 Jul 2019 19:26:07 +0200 Message-ID: <87k1cn411s.fsf@nckx> References: <8736jby4go.fsf@gmx.com> <87pnmf2y1n.fsf@nckx> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:36949) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hlzK3-0007il-Qf for bug-guix@gnu.org; Fri, 12 Jul 2019 13:27:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hlzK2-00017j-Ke for bug-guix@gnu.org; Fri, 12 Jul 2019 13:27:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:60074) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1hlzK2-00016Y-25 for bug-guix@gnu.org; Fri, 12 Jul 2019 13:27:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1hlzK1-0008E9-Sd for bug-guix@gnu.org; Fri, 12 Jul 2019 13:27:01 -0400 Sender: "Debbugs-submit" Resent-Message-ID: In-reply-to: List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Ivan Petkov Cc: 36614-done@debbugs.gnu.org --=-=-= Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable Ivan, Ivan Petkov wrote: > My apologies, this was all partly my fault. I do have the old=20 > source lying > around, diffing the two (attached) reveals that the changelog=20 > and one source > file actually changed. > > A bit more detailed context: > The rust project makes pre-release sources available for testing=20 > ahead of > the formal release, and the process is meant to shake out any=20 > potential bugs. > I tested with the prerelease build originally, and after the=20 > real release > came out I updated the package URL to the formal release and=20 > immediately > rebuilt successfully. No apologies necessary. It's nice to know that our Rust updates=20 will always follow swiftly on the heels of upstream as long as you=20 take care of them. However, please make sure to check the=20 signature (.asc) once the final release is cut; one never knows... > I'm not 100% sure if maybe guix reused the cached tarball I had=20 > from earlier, > or whether the prerelease source was immediately upgraded to the=20 > formal release > and fixed shortly after. (I did try rebuilding right before=20 > pushing the change > out which succeeded with no changes, which I'm guessing is=20 > because guix did > not redownload the tarball and why I didn't notice the hash=20 > mismatch). Yes, this is exactly what happened. I consider this is a feature=20 of Guix, even though it can feel like a gotcha sometimes. :-) We often tend to think of the source URL(s) as an =E2=80=98identifier=E2=80= =99 of=20 the source file. However, it is nothing more than a hint about=20 its *location*. The only authoritative identifier of its=20 *content* is the hash: to get *this file* (content hash), try=20 looking *here* (location: URL). One origin may have 0 or more source URLs: Guix will try them all=20 until it downloads something matching the hash (and if even that=20 fails it will try some implicit ones like tarballs.nixos.org). =E2=80=98Unique=E2=80=99 identifier (hash) =E2=94=9C maybe you can *find* it here (URL) =E2=94=9C or here (another URL) =E2=94=9C hell maybe here I don't know (yet another URL) =E2=8B=AE =20=20=20=20=20=20 Guix cares only about the content of the file; it doesn't care or=20 even remember how it got it. Or: if you change the download hint=20 (release URL in this case), Guix won't care, because you didn't=20 change the hash. I hope that makes some sense, T G-R --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYKAB0WIQT12iAyS4c9C3o4dnINsP+IT1VteQUCXSjCrwAKCRANsP+IT1Vt eVfVAPsExTEWFNENW6r31eSeZaFLUcmbov+8+pqKhXr1v5YtIgD+MOrXWoPyJ1bN D8LWAyHuQvcPlBlUP7c76e8SP7q7rQA= =elMm -----END PGP SIGNATURE----- --=-=-=--