From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id KBzGNggIzWE4cgAAgWs5BA (envelope-from ) for ; Thu, 30 Dec 2021 02:14:48 +0100 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id yNGBLwgIzWG9NQEAG6o9tA (envelope-from ) for ; Thu, 30 Dec 2021 02:14:48 +0100 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 2FFB877D4 for ; Thu, 30 Dec 2021 02:14:48 +0100 (CET) Received: from localhost ([::1]:36958 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1n2k1n-0004oS-Ax for larch@yhetil.org; Wed, 29 Dec 2021 20:14:47 -0500 Received: from eggs.gnu.org ([209.51.188.92]:54200) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1n2k1O-0004nc-CK for guix-devel@gnu.org; Wed, 29 Dec 2021 20:14:22 -0500 Received: from world.peace.net ([64.112.178.59]:50624) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1n2k1M-0000jF-AV for guix-devel@gnu.org; Wed, 29 Dec 2021 20:14:21 -0500 Received: from mhw by world.peace.net with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1n2k17-0004pK-3J; Wed, 29 Dec 2021 20:14:05 -0500 From: Mark H Weaver To: Liliana Marie Prikler , guix-devel@gnu.org Subject: Re: On raw strings in commit field In-Reply-To: <6e451a878b749d4afb6eede9b476e5faabb0d609.camel@gmail.com> References: <6e451a878b749d4afb6eede9b476e5faabb0d609.camel@gmail.com> Date: Wed, 29 Dec 2021 20:13:24 -0500 Message-ID: <87k0fm7v3k.fsf@netris.org> MIME-Version: 1.0 Content-Type: text/plain Received-SPF: pass client-ip=64.112.178.59; envelope-from=mhw@netris.org; helo=world.peace.net X-Spam_score_int: 0 X-Spam_score: 0.0 X-Spam_bar: / X-Spam_report: (0.0 / 5.0 requ) SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1640826888; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post; bh=cHUQIohYBlINA7mhQl7yetANk2EQDk25kq9ekU5Zaec=; b=DtjcPIe7BZlangxptu2OOSyDRWCK0YwP9bvp34AjNcsS4fxDok42m8mufavVTrOYe/lvom +HPAeNVCSmyAmxwFlgUTZ84acQmpkeJWVloH2LgVRw+V1HmIedI0Yt6tRP66vX+oJXzdF0 46F/Hv6z6Ppej09r0Xp1mmsOB/VwZOY6deAVo7/ZpoHlyCFlEnfiqt4U05+Crs6DEtgwRh yt83ByI1MO8RlgH6VsbiKIj9alGerRKqtaKSIozUSXn6CguRTgsHNBxPaAGRkVh8VSf6v0 zCSLwP1jsrlMnK/REXcwtFkindFDNSeLbMGlXYqVNU8ujCckIpAbkEdavYWI/w== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1640826888; a=rsa-sha256; cv=none; b=GzL6Ts872/bblwGJ8oexwuOI5dn2wm5TzcWC0d8JPD1Wl9bJkGPGEXMLlM6FOk/c8gPxr4 xhyyLNanM2Uygs+vcSDqLP34FKvHoxyUveRDY6178dFyeKReJR7gn3ihH1lYY4Cwz7SLmb HnsPPXco75MKlRwGWqnOZChieKbve6lQjoqY85OEw0Lv3HIb/1KUM85BFahRsw+9MqrbQm JWDSMwXgd/jIiM7T0OlgnRH8kf1+VzCb1AGvkB4ZGJ/xXHHSyzf49/EPESlGUq1x1MRO2m J515GPILlkLTEUFD+pvsYmIgCUjYzdqdkQqcfiUXIcz6QaDyQZZAUaP/fQI+ug== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -3.07 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 2FFB877D4 X-Spam-Score: -3.07 X-Migadu-Scanner: scn1.migadu.com X-TUID: 40L66ZfvK2Km Hi Liliana, Liliana Marie Prikler writes: > It should be noted, that in the case of moving or deleted tags, the > assertion Guix "1.2.3" = upstream "v1.2.3" no longer holds. Agreed, but I don't think that assertion should be our top priority. For purposes of Guix's core goal of enabling software to be reliably reproduced in the future, the most important property to preserve is that 'Guix "1.2.3"' should remain forever immutable. An obvious corollary is that if upstream mutates the meaning of 'upstream "v1.2.3"' over time, then the equation above will become false. That would be an unfortunate result of upstream's actions, but it's exactly what _needs_ to happen to enable Guix to be reliably reproducible. If I perform an experiment with Guix "1.2.3" and publish the results, and someone later wishes to reproduce those results, they will want precisely the same 'Guix "1.2.3"' that was used to perform the original experiment, and not whatever version of the software upstream is now calling "v1.2.3". The simple fact is that the way Ricardo wrote the 'guile-aiscm' package is the right way to ensure that it can be reliably reproduced in the future. Guix packages that refer to git _tags_ may cease to be reproducible in the future if upstream mutates or removes those tags, and it's simply not feasible to transform our SHA256 hashes (of the NAR-encoded source checkout) into something that we can use to fetch the archived source from SWH. There's simply no hope to make that work, unless we can convince SWH to maintain a secondary index of their content based on NAR-encoded source trees, which seems unlikely. On the other hand, if we refer to git _commit hashes_, then it *is* feasible for us to fetch the archived source from SWH, regardless of what upstream has done to its tags in the meantime. For that reason alone, I think that the way Ricardo wrote the guile-aiscm package definition is clearly the right approach, given Guix's longstanding goals. > On the note > of fallbacks, we do also have the issue that Guix fails on the first > download that does not match the hash instead of e.g. continuing to SWH > to fetch an archive of the old tag (as well as other fallback-related > issues, also including the "Tricking Peer Review" thread). That's a bug that can, and should, be fixed. The existence of that bug might temporarily prevent us from enjoying the benefits of Ricardo's approach, but that's not an argument for adopting practices that push us farther from our core goals. What do you think? Regards, Mark -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about .