Hi Juli,

On Fri, 2024-11-08 at 13:26 -0500, Juliana Sims wrote:
> To cover all my bases, I pk'd the hash produced by `pypi-uri` and
> used 
> `guix download` to try to fetch the same file and check its hash,
> only 
> to find that `guix download` couldn't find anything at that URL or
> its 
> fallbacks.

It seems at some point in between version 0.14.0 and 0.17.0 the name of
the tarball has changed from `magic-wormhole` to `magic_wormhole`.  You
have to change the uri-field accordingly to successfully download the
source code from PyPI.

When building it in the way you describe, the source code cannot be
found on PyPI, so it is pulled from tarballs.nixos.org instead.  It
seems NixOS uses content-addressable storage, so the hash is used to
download the source code and since you have not changed the hash, it
downloads version 0.14.0 again.

Why tarballs.nixos.org is used as a backup, I do not know.  I do not
recall ever having seen this behaviour before.

Hope this helps a bit though!

Best wishes,

Troy