On 2022-07-09, jgart@dismail.de wrote:
> Today Bonface mentioned to me that I should be cloning my packages and
> verifying the hashes with `git hash-object` or `git hash` iirc?

probably "guix hash"

> Do others do this when packaging?
>
> My workflow currently is the lazy way:
>
> 1. I change the version in the package definition.
>
> 2. build the package
>
> 3. package blows up on stdout
>
> 4. I retrieve the hash and add it
>
> 5. profit!

Profit, for whom? Whoever injected the cryptocurrency malware? :P

My workflow for git-based things is typically:

1. git clone https://example.org/someproject.git && cd someproject
2. git co -b VERSION-local VERSION
3. git diff OLDVERSION..NEWVERSION
4. git clean -dfx # make sure the working tree is totally clean
5. guix hash -rx .

Step 3, even if I don't completely understand the code, I can at least check
for (problematic) license changes or maybe something "obviously" wrong.

Similar steps for tarball-based projects, though you may need to unpack
and/or diffoscope the sources for step 3.

I don't have a good idea how to verify pypi or similar origins... but you
could at least double-check the sources of the old and new versions with
something like:

1. guix build --source # before you update the hash
2. update version, build, get new hash, update hash ...
3. guix build --source # after updating the hash
4. diffoscope OLDSOURCE NEWSOURCE

And do a best-effort check for issues...

live well,
  vagrant
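One way to script the git-based workflow from the message above, as an added example that is not vagrant's or the Guix project's code: it assumes git and guix are on PATH, the package file, URL and tags passed to it are hypothetical, and it adds the check the thread implies, comparing the independently computed hash with the one recorded in the package definition.

```sh
#!/bin/sh
# Added example (not from the thread): script the git-based workflow and
# compare the independently computed hash with the one recorded in a package
# definition. Assumes git and guix on PATH; URL, tags and file are hypothetical.
set -eu
# Extract the base32 hash from a definition's (sha256 (base32 "...")) form,
# even when it is split across lines as Guix style usually does.
recorded_hash() {
    tr '\n\t' '  ' < "$1" | grep -o '(base32 *"[0-9a-z]*"' | head -n 1 \
        | sed 's/.*"\([0-9a-z]*\)"/\1/'
}

# Clone, check out TAG, show what changed since OLDTAG (the human review step),
# drop untracked files, and hash the tree the way `guix hash -rx .` does.
checkout_hash() {
    url=$1 oldtag=$2 tag=$3
    workdir=$(mktemp -d)
    git clone --quiet "$url" "$workdir/src"
    ( cd "$workdir/src" \
        && git checkout --quiet -b "$tag-local" "$tag" \
        && git diff --stat "$oldtag".."$tag" >&2 \
        && git clean -dfxq \
        && guix hash -rx . )
    rm -rf "$workdir"
}

# Fail when the recorded hash is not what the reviewed sources produce.
verify_package() {
    want=$(recorded_hash "$1")
    got=$(checkout_hash "$2" "$3" "$4")
    [ "$want" = "$got" ] || { echo "MISMATCH: recorded $want, computed $got" >&2; return 1; }
    echo "hash matches: $got"
}

# Constructed sample definition (not a real package; the hash is a placeholder).
SAMPLE_PKG=$(mktemp)
cat > "$SAMPLE_PKG" <<'EOF'
(package
  (name "example-project")
  (version "1.2.0")
  (source (origin
            (method git-fetch)
            (sha256
             (base32
              "0123456789abcdfghijklmnpqrsvwxyz0123456789abcdfghijk")))))
EOF
recorded_hash "$SAMPLE_PKG"   # prints the placeholder hash from the sample
# Usage for a real check: verify_package PACKAGE.scm URL OLDTAG NEWTAG
if [ $# -eq 4 ]; then verify_package "$@"; fi
```

The diff is only summarised with --stat on stderr; reading the full diff for license changes or anything "obviously" wrong remains the manual step.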