From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=) Subject: bug#21784: Old XZ tarballs Date: Sun, 01 Nov 2015 11:20:07 +0100 Message-ID: <87y4ei58dk.fsf@gnu.org> References: <87r3kd8lpb.fsf@gnu.org> <20151030194730.4a2639ae@tukaani.org> <87si4sb02k.fsf_-_@gnu.org> <20151031202908.5548817d@tukaani.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:33488) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Zspl3-0005W1-Ua for bug-guix@gnu.org; Sun, 01 Nov 2015 05:21:06 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Zspl0-00074Y-RC for bug-guix@gnu.org; Sun, 01 Nov 2015 05:21:05 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:56795) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Zspl0-00074U-OF for bug-guix@gnu.org; Sun, 01 Nov 2015 05:21:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80) (envelope-from ) id 1Zspl0-0001UA-EQ for bug-guix@gnu.org; Sun, 01 Nov 2015 05:21:02 -0500 Sender: "Debbugs-submit" Resent-Message-ID: In-Reply-To: <20151031202908.5548817d@tukaani.org> (Lasse Collin's message of "Sat, 31 Oct 2015 20:29:08 +0200") List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org To: Lasse Collin Cc: 21784@debbugs.gnu.org Lasse Collin skribis: > On 2015-10-30 Ludovic Court=C3=A8s wrote: [...] >> Guix does automatically mirror tarballs via its =E2=80=9Csubstitute=E2= =80=9D >> mechanism. However, users can turn it off, in which case they end up >> downloading the tarball from the upstream URL specified in the >> package recipe. > > OK. :-) Why would users turn it off though? The substitute mechanism is very generic; it=E2=80=99s not just about mirro= ring tarballs: http://www.gnu.org/software/guix/manual/html_node/Substitutes.html Some people might prefer to build things locally rather than download pre-built items. > I would guess that one good mirror would be more reliable than dozens > of upstream sites of which just one needs to be down to be a problem > for a user. A package manager should know the hash or signature of the > file, so from security point of view it doesn't matter where the file > comes. Yes exactly, all we need is to mirror it somewhere. >> > By the way, is there a reason why you use 5.0.4 instead of 5.0.8 (or >> > even 5.2.2)? >>=20 >> No good reason! We=E2=80=99ll upgrade it as soon as this can be done wi= thout >> triggering too much rebuild/redownloads for users. > > API/ABI is backward compatible so one shouldn't need to rebuild other > packages. There's a mailing list "xz-announce" in case you want a > notification when a new version is released: > Noted, thanks! Ludo=E2=80=99.