Subject: Re: Magic Wormhole Package Weirdness/Potential Security Issues?
From: Troy Figiel
To: Juliana Sims, guix-devel@gnu.org
Date: Fri, 08 Nov 2024 20:18:54 +0100
Message-ID: <2c87795509cea509ae22263dfdf0a0401e4661d4.camel@troyfigiel.com>
In-Reply-To: <0W9NMS.7ID0I9IORJ19@incana.org>
References: <0W9NMS.7ID0I9IORJ19@incana.org>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"
List-Id: "Development of GNU Guix and the GNU System distribution."
Hi Juli,

On Fri, 2024-11-08 at 13:26 -0500, Juliana Sims wrote:
> To cover all my bases, I pk'd the hash produced by `pypi-uri` and used
> `guix download` to try to fetch the same file and check its hash, only
> to find that `guix download` couldn't find anything at that URL or its
> fallbacks.

It seems at some point in between version 0.14.0 and 0.17.0 the name of the tarball has changed from `magic-wormhole` to `magic_wormhole`. You have to change the uri field accordingly to successfully download the source code from PyPI.

When building it in the way you describe, the source code cannot be found on PyPI, so it is pulled from tarballs.nixos.org instead. It seems NixOS uses content-addressable storage, so the hash is used to download the source code and since you have not changed the hash, it downloads version 0.14.0 again.

Why tarballs.nixos.org is used as a backup, I do not know. I do not recall ever having seen this behaviour before.

Hope this helps a bit though!
Best wishes,
Troy

-----BEGIN PGP SIGNATURE-----

iQJIBAABCgAyFiEE5HwNzSdo36E4/NzWxnyRgbOJP7AFAmcuZB4UHHRyb3lAdHJv
eWZpZ2llbC5jb20ACgkQxnyRgbOJP7Dq4hAAmXXKO04+TMI83LtxvVwvQgGBISRG
kQC28glDwEM3YTpBUJNpc9yDgkJ2WFZL5JtrRMuXUuRZwbAYkOQP0UEKDsU4yRXU
oHhaFSNFt3vQLadiiLxDkF7amZlUTjKOpCcrTjefEvACMtPd8zn6UvnkURmAG6RL
2us+YJ1I7mlcfLFtMsMxxy3opmUdZv+ksX+7geQ0OGkuPKQu++M+ZRcXcW7me3sV
JoWT++0L2s8zyjIy4fCStpPj4vCYqxX3Awj8AfIp2jOEvdxmLxDZlFDtg1hAD5YB
lBvTP6fGytdrtdIOfUt57PrrXcE+vWq/f927gajKWqiPZNuTNHLuxZNQKsjfGXjU
IgEEBdE3h3qXvB45vLufmeeducpImmG69NZYB9uwIuoWOHwszrUTgDpDbcxEWkcV
E72rUzd0XrOI3SgdJjQFoZRi44dFEoou0gVBRgZuapCcQb7wvkEQt/nci67MC3BX
+/+6YFHQUQ74N64V2dJNSEUJJAppFHWXW4a5CiNrx7260WJD3dTQ0T+/OsN7kZIo
ezaylHDHPaE6xLmbCxMGyMfdY+17KfULKI4826fFssnI1Y5jrqaVYC/VT5aJ91u4
PQKw+UlQiO394krHmbDvsjE1ImDPPR55qfd89nl2C6iFv+557RXrE8waUmSP7TZV
gd+3sNDoibRcx5Y=
=ECsE
-----END PGP SIGNATURE-----
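The fallback behaviour Troy describes, simulated as an added example that is not code from the email, from Guix, or from tarballs.nixos.org. Every URL, payload and hash below is constructed, `pypi.example` is a placeholder host, and the fallback mirror is modelled as a plain sha256-keyed lookup, which is how the email infers tarballs.nixos.org behaves. The point it shows: a hash pin still guarantees integrity on the fallback path, but it cannot tell you that the bytes are the version the URL was meant to name, so an update check should also read the version out of the artifact and note which source served it.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Origin:
    """What a package definition pins: the URL the uri field yields and the expected hash."""
    url: str
    sha256: str


# Constructed stand-ins for the two sdists. Real sdists are tarballs; these
# payloads only carry a PKG-INFO-style version line so we can inspect them.
SDIST_0_14_0 = b"Name: magic-wormhole\nVersion: 0.14.0\n"
SDIST_0_17_0 = b"Name: magic-wormhole\nVersion: 0.17.0\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


HASH_0_14_0 = sha256_hex(SDIST_0_14_0)
HASH_0_17_0 = sha256_hex(SDIST_0_17_0)

# Constructed primary index keyed by exact URL (pypi.example is a placeholder
# host). The 0.17.0 file name carries the underscore, the rename the email describes.
BASE = "https://pypi.example/packages/source/m/magic-wormhole/"
PRIMARY_INDEX = {
    BASE + "magic-wormhole-0.14.0.tar.gz": SDIST_0_14_0,
    BASE + "magic_wormhole-0.17.0.tar.gz": SDIST_0_17_0,
}

# Constructed content-addressed fallback keyed by sha256 only, modelling the
# behaviour the email attributes to tarballs.nixos.org.
CONTENT_ADDRESSED_MIRROR = {
    HASH_0_14_0: SDIST_0_14_0,
    HASH_0_17_0: SDIST_0_17_0,
}


def fetch(origin: Origin) -> tuple[bytes, str]:
    """Try the pinned URL first; on a miss, fall back to the content-addressed mirror.

    Returns (payload, source_label). Both paths enforce the hash pin; only the
    primary path also proves the bytes came from the URL the definition names.
    """
    data = PRIMARY_INDEX.get(origin.url)
    if data is not None:
        if sha256_hex(data) != origin.sha256:
            raise ValueError("hash mismatch on primary download")
        return data, "primary"
    data = CONTENT_ADDRESSED_MIRROR.get(origin.sha256)
    if data is not None:
        return data, "content-addressed fallback"
    raise LookupError("not found at URL or its fallbacks")


def parse_version(payload: bytes) -> str:
    """Read the Version line out of the (constructed) PKG-INFO-style payload."""
    for line in payload.decode().splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Version line in payload")


def check_update(origin: Origin, expected_version: str) -> dict:
    """Fetch, then compare the version inside the artifact with the intended one."""
    data, source = fetch(origin)
    version = parse_version(data)
    return {"source": source, "version": version, "version_ok": version == expected_version}


def stale_hash_scenario() -> dict:
    """Version bumped in the URL with the old hyphenated name, hash left at 0.14.0."""
    return check_update(Origin(BASE + "magic-wormhole-0.17.0.tar.gz", HASH_0_14_0), "0.17.0")


def right_hash_wrong_url_scenario() -> dict:
    """Hash updated to 0.17.0 but the URL still uses the old hyphenated name."""
    return check_update(Origin(BASE + "magic-wormhole-0.17.0.tar.gz", HASH_0_17_0), "0.17.0")


def fixed_scenario() -> dict:
    """URL uses the new underscore name and the hash matches 0.17.0."""
    return check_update(Origin(BASE + "magic_wormhole-0.17.0.tar.gz", HASH_0_17_0), "0.17.0")


if __name__ == "__main__":
    for name, fn in [("stale hash", stale_hash_scenario),
                     ("right hash, wrong URL", right_hash_wrong_url_scenario),
                     ("fixed", fixed_scenario)]:
        print(f"{name}: {fn()}")
```

The first scenario is the one from the thread: the primary lookup misses because the hyphenated 0.17.0 file name does not exist, the mirror answers for the unchanged 0.14.0 hash, and only the version check reveals that the "update" fetched the old release. The second scenario shows the quieter failure mode, where the hash was updated but the URL was not: the bytes are right, yet they never came from PyPI, which is worth surfacing in review.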