From: Csepp
To: Vagrant Cascadian
Cc: jgart, help-guix@gnu.org
Subject: Re: How do I verify my hashes?
Date: Sun, 10 Jul 2022 12:09:29 +0200
In-reply-to: <87wnclppuz.fsf@contorta>
Message-ID: <87r12ti8c8.fsf@riseup.net>

Vagrant Cascadian writes:

> On 2022-07-09, jgart@dismail.de wrote:
>> Today Bonface mentioned to me that I should be cloning my packages and
>> verifying the hashes with `git hash-object` or `git hash` iirc?
>
> probably "guix hash"
>
>> Do others do this when packaging?
>>
>> My workflow currently is the lazy way:
>>
>> 1. I change the version in the package definition.
>>
>> 2. build the package
>>
>> 3. package blows up on stdout
>>
>> 4. I retrieve the hash and add it
>>
>> 5. profit!
>
> Profit, for whom? Whoever injected the cryptocurrency malware? :P
>
>
> My workflow for git-based things is typically:
>
> 1. git clone https://example.org/someproject.git && cd someproject
>
> 2. git co -b VERSION-local VERSION
>
> 3. git diff OLDVERSION..NEWVERSION
>
> 4. git clean -dfx # make sure the working tree is totally clean
>
> 5. guix hash -rx .
>
> Step 3, even if I don't completely understand the code, I can at least
> check for (problematic) license changes or maybe something "obviously"
> wrong.
>
> Similar steps for tarball-based projects, though you may need to unpack
> and/or diffoscope the sources for step 3.
>
>
> I don't have a good idea how to verify pypi or similar origins... but
> you could at least double-check the sources of the old and new versions
> with something like:
>
> 1. guix build --source # before you update the hash
>
> 2. update version, build, get new hash, update hash ...
>
> 3. guix build --source # after updating the hash
>
> 4. diffoscope OLDSOURCE NEWSOURCE
>
> And do a best effort check for issues...
>
>
> live well,
> vagrant

Hmm, would some sort of package history command be useful here? Maybe
something that would walk the git history (fine grained) or just previous
generations of guix pull (coarse grained) and try to present some useful
changelog.

Git repos can be ginormous (ever tried cloning LLVM? yikes.), so something
that was a bit smarter and did a shallow fetch with only the commits that
are packaged would save some storage and prolong the life of SSDs.
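The thread turns on the difference between pasting the hash a failed build prints and checking it against something independent of the build. As an added example (not code from this list or from Guix itself), the Python below reimplements the encoding `guix hash FILE` uses for a regular file, SHA-256 in the Nix base32 alphabet, so the `sha256` from a package definition can be compared with the plain hex checksum an upstream project publishes (a SHA256SUMS file is assumed here); it does not cover the recursive `-r` directory hash, and the function names are this example's own.

```python
import hashlib

# Nix/Guix base32 alphabet: 0-9a-z without e, o, t, u (32 symbols).
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"

def nix_base32_encode(digest: bytes) -> str:
    """Encode raw hash bytes as `guix hash` / `nix-hash --base32` does:
    5-bit groups taken little-endian, emitted highest group first."""
    length = (len(digest) * 8 - 1) // 5 + 1      # 52 chars for SHA-256
    out = []
    for n in range(length - 1, -1, -1):
        i, j = divmod(n * 5, 8)                  # byte index, bit offset
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)        # bits spilling from next byte
        out.append(NIX_BASE32[c & 0x1F])
    return "".join(out)

def nix_base32_decode(text: str, size: int = 32) -> bytes:
    """Inverse of nix_base32_encode; ValueError on bad length, symbol or bits."""
    if len(text) != (size * 8 - 1) // 5 + 1:
        raise ValueError("wrong length for a %d-byte hash" % size)
    buf = bytearray(size)
    for n, ch in enumerate(reversed(text)):
        digit = NIX_BASE32.index(ch)             # ValueError if not in alphabet
        i, j = divmod(n * 5, 8)
        buf[i] |= (digit << j) & 0xFF
        if j > 3:                                # group straddles two bytes
            if i + 1 < size:
                buf[i + 1] |= digit >> (8 - j)
            elif digit >> (8 - j):
                raise ValueError("non-zero padding bits in hash string")
    return bytes(buf)

def nix_base32_sha256(data: bytes) -> str:
    """What `guix hash` prints for a regular file whose content is DATA."""
    return nix_base32_encode(hashlib.sha256(data).digest())

def guix_hash_file(path: str) -> str:
    """Same as `guix hash PATH` for a regular file, hashed in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return nix_base32_encode(h.digest())

def matches_upstream(package_sha256: str, upstream_hex: str) -> bool:
    """True when a package's nix-base32 sha256 equals upstream's hex SHA-256."""
    return nix_base32_decode(package_sha256) == bytes.fromhex(upstream_hex.strip())
```

Comparing `guix_hash_file("foo-1.2.tar.gz")` with the value in the package definition, and `matches_upstream(...)` against the upstream checksum, catches the case where the tarball you downloaded differs from the one the project released, which the build failure output alone cannot.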