unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#20428: git-fetch does not always validate hash
@ 2015-04-26 13:13 Ricardo Wurmus
  2015-05-01 20:21 ` Ludovic Courtès
  0 siblings, 1 reply; 2+ messages in thread
From: Ricardo Wurmus @ 2015-04-26 13:13 UTC (permalink / raw)
  To: 20428

I'm currently playing with the elogind package recipe and I'm
occasionally updating my clone of the elogind git repository.  Whenever
I do I update the value of "commit" in the package definition:

    (define-public elogind
      (let ((commit "18ee7abc9a"))
        (package
          (name "elogind")
          (version (string-append "219." commit))
          (source (origin
                    (method git-fetch)
                    (uri (git-reference
                          (url "http://git.elephly.net/software/elogind.git")
                          (commit commit)))
                    (sha256
                     (base32
                      "0lg8jgp9rl3wf9w2xfip87nx9zpjhm4js7x1z05744xiyfmvawp5"))))
          ;; ...
          (license license:lgpl2.1+))))

Upon rebuilding the package from a new commit I would expect the build
to fail with a hash validation error as I have not updated the hash yet.
However, the build procedure just continues.  I noticed that the git
checkout is still the very same as before I updated the value of
"commit".  I cannot seem to reliably force a new git checkout.

^ permalink raw reply	[flat|nested] 2+ messages in thread

* bug#20428: git-fetch does not always validate hash
  2015-04-26 13:13 bug#20428: git-fetch does not always validate hash Ricardo Wurmus
@ 2015-05-01 20:21 ` Ludovic Courtès
  0 siblings, 0 replies; 2+ messages in thread
From: Ludovic Courtès @ 2015-05-01 20:21 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: 20428-done

Ricardo Wurmus <rekado@elephly.net> skribis:

> Upon rebuilding the package from a new commit I would expect the build
> to fail with a hash validation error as I have not updated the hash yet.
> However, the build procedure just continues.  I noticed that the git
> checkout is still the very same as before I updated the value of
> "commit".  I cannot seem to reliably force a new git checkout.

Indeed, origins compile to fixed-output derivations, meaning that these
are special derivations whose output is known in advance (rather, the
SHA256 is the output is known in advance.)  Thus, it doesn’t matter how
the derivation produces its result as long as its output has the correct
hash.

When you leave the ‘sha256’ unchanged, the daemon notices that there’s
already an item with this name and hash in the store, so it does
nothing.

This is expected behavior, though I understand this can be error-prone
here.

To avoid that, you could add a ‘file-name’ field to the origin that
includes the commit:

  (file-name (string-append name "-checkout-" commit))

Thus, if you change the commit without changing the hash, the daemon
will still want to build the origin (because of the changed name) and
will eventually complain about the hash mismatch.

Thanks,
Ludo’.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2015-05-01 20:22 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-04-26 13:13 bug#20428: git-fetch does not always validate hash Ricardo Wurmus
2015-05-01 20:21 ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).