From: Leo Famulari
Subject: Re: guix hash of source from git repository.
Date: Tue, 21 Feb 2017 17:21:02 -0500
Message-ID: <20170221222102.GC18231@jasmine>
References: <20170221215629.wqrvnhsmr4l5q7zs@wasp>
In-Reply-To: <20170221215629.wqrvnhsmr4l5q7zs@wasp>
To: Catonano , Dmitry Nikolaev , help-guix

On Tue, Feb 21, 2017 at 09:56:29PM +0000, ng0 wrote:
> On 17-02-21 22:25:35, Catonano wrote:
> Please avoid doing the way described below though. Calculating it in
> advance is more secure and helps to prevent introducing errors. If
> there's a mismatch it shows an error.
>
> > Another option is to try to build the package with the wrong hash, wait for
> > the error message and copy the right hash from within the error message
> > itself. Lame, but hey

I agree with ng0. We should not do this when creating Guix packages.

The guix download code has a relatively rare "network signature" when
compared to things like a web browser or wget.
Someone could serve a different file when they detect use of the Guix download tool, and if this makes it into a package definition, all of our users would end up with the wrong software.
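
Added example, not part of the message above and not Guix's own code: a Python sketch of computing the hash in advance and pinning it only when independent fetch paths agree, which is the check that copying the hash out of a failed build skips. It narrows the case to a single-file source (a git checkout is hashed over the serialized directory tree instead); the function names, client labels and payloads are constructed for illustration.

```python
import hashlib

# Alphabet of the base32 variant Guix uses for hashes (no e, o, t, u).
NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"

def guix_hash(data: bytes) -> str:
    """SHA-256 of a single file, encoded as in a (base32 "...") field."""
    digest = hashlib.sha256(data).digest()
    out = []
    for n in range((len(digest) * 8 - 1) // 5, -1, -1):
        i, j = divmod(n * 5, 8)
        hi = digest[i + 1] << (8 - j) if i + 1 < len(digest) else 0
        out.append(NIX_B32[((digest[i] >> j) | hi) & 0x1F])
    return "".join(out)

def hash_to_pin(fetchers: dict) -> str:
    """Return the hash only if every independent fetch path agrees on it."""
    seen = {}
    for name, fetch in fetchers.items():
        seen.setdefault(guix_hash(fetch()), []).append(name)
    if len(seen) != 1:
        raise ValueError(f"fetch paths disagree, do not pin: {seen}")
    return next(iter(seen))

# Constructed sample data: stand-ins for a real source tarball.
GENUINE = b"example-1.0 source tarball (constructed sample)\n"
ALTERED = b"example-1.0 source tarball (constructed sample, altered)\n"
CLIENTS = ("guix-download", "wget", "browser")  # hypothetical labels

def honest_server(client: str) -> bytes:
    return GENUINE

def selective_server(client: str) -> bytes:
    """Models the case in the message: one client gets a different file."""
    return ALTERED if client == "guix-download" else GENUINE

def fetchers_for(server) -> dict:
    """One fetch callable per client, standing in for independent downloads."""
    return {c: (lambda c=c: server(c)) for c in CLIENTS}

if __name__ == "__main__":
    print("pin:", hash_to_pin(fetchers_for(honest_server)))
    try:
        hash_to_pin(fetchers_for(selective_server))
    except ValueError as err:
        print("refused:", err)
```

Taking the hash from the build error corresponds to trusting the "guix-download" path alone, so the altered file would be pinned without any comparison.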