From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <help-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp10.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms5.migadu.com with LMTPS
	id 4FjfLfxRymIoawAAbAwnHQ
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sun, 10 Jul 2022 06:13:48 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp10.migadu.com with LMTPS
	id SJDSLPxRymKgSAEAG6o9tA
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sun, 10 Jul 2022 06:13:48 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 54AE3C729
	for <larch@yhetil.org>; Sun, 10 Jul 2022 06:13:48 +0200 (CEST)
Received: from localhost ([::1]:36424 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1oAOKJ-0000FV-BC
	for larch@yhetil.org; Sun, 10 Jul 2022 00:13:47 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:59042)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <vagrant@debian.org>)
 id 1oAOJs-0000F8-5x
 for help-guix@gnu.org; Sun, 10 Jul 2022 00:13:20 -0400
Received: from cascadia.aikidev.net ([173.255.214.101]:53008)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <vagrant@debian.org>) id 1oAOJq-0008WA-39
 for help-guix@gnu.org; Sun, 10 Jul 2022 00:13:19 -0400
Received: from localhost (unknown [IPv6:2600:3c01:e000:21:7:77:0:20])
 (Authenticated sender: vagrant@cascadia.debian.net)
 by cascadia.aikidev.net (Postfix) with ESMTPSA id C81781AC35;
 Sat,  9 Jul 2022 21:13:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=debian.org;
 s=1.vagrant.user; t=1657426393;
 bh=a0WLHMGAPPfLKhAbB0dLwlWxfYbCQ0GHJeKxWK91GmA=;
 h=From:To:Subject:In-Reply-To:References:Date:From;
 b=gLHQmmRAIQYJ2oPBb+wC93M7kpZqtLv75+uFLYpARtOnbcGPKZY4qFBAk5MIBb6GJ
 TdughOQT3puuQ+tvHYkgkghpKCcngGtHHgpLZOBbX/VW3UVHI0xxgVMMrmfN5iFbOq
 1WYJ3gPlKbeYaF1DbUONpXKvNFjCcxPfgRyBXY9IjhLtUsA1r/4yViGbAiT78I0Jzz
 yu7cLJT9ylw+Q9oXF2bXa6lK7uj5IyhJ4ilfzKwRsUNaeiOKhPWlD5ALw57Y6dU4z4
 O6ujhzP3ylpCbJekuKJVMeUsc+PRilvk7ZH4efpKk4qbmATU4LJu4opMMjxXtlNZyT
 j+WJKvdOAKRSQ==
From: Vagrant Cascadian <vagrant@debian.org>
To: jgart <jgart@dismail.de>, Guix Help <help-guix@gnu.org>
Subject: Re: How do I verify my hashes?
In-Reply-To: <20220709211259.GB25347@gac>
References: <20220709211259.GB25347@gac>
Date: Sat, 09 Jul 2022 21:13:08 -0700
Message-ID: <87wnclppuz.fsf@contorta>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Received-SPF: none client-ip=173.255.214.101; envelope-from=vagrant@debian.org;
 helo=cascadia.aikidev.net
X-Spam_score_int: -21
X-Spam_score: -2.2
X-Spam_bar: --
X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 SPF_HELO_NONE=0.001, SPF_NONE=0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: help-guix@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
 <mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/help-guix>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
 <mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+larch=yhetil.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-To: larch@yhetil.org
X-Migadu-Country: US
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1657426428;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=+3KEGM8GLYGVf9G+8vUoWtd7U6cWeD4jCEukF8IU6ws=;
	b=Sr7MlvKhR52hYgEv5diDbkyeG7w8n3s7pFGFfSaVW/Y7PspVHnAwvHct5oGKKJFHgadhwn
	Meh5tFcae+aFCHkVr9rDDd/EXUmBEa9xYeC6BW6diipxV5cZJjL9+oJFXWb3mm+Q51hMoH
	Sx1YfQV4PvgrpR3YOh/TTpJ0dB96fbya39cRleAAFavpwJmvpqe/KUBx+LXnuW1L69osmx
	OvkFsfFKGZsJ7dtSSwo4I4QfqBHyHJgEp47yt3kAoxyz534EXORFTx5FhJ/CAftfr05GhS
	5lIh4zy6C39tWAoJPIdnzpnwDd9/gYfggd8unM/Mt2wo8chK1DzN35c2/KKmEQ==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1657426428; a=rsa-sha256; cv=none;
	b=gYSewM2nHSJs51+fNL/bzXzDE7gvvb5N/xuEtFqEq7+HX5rAdVRiZ1j07WBMoVquZ9m67j
	Qt7E31iRASmPdvKPEA1PDuJ+RAh/ZZ0yZ0mnHgQlOnd8duGDWfhdkBMGUjjfWji6Jfhg06
	ORV53azrd1pgGgMW2ZJ6a6yFhv+JjRtfOUpmpHIsY0hRa9ZtWoPS/ZuyeUxlgeWhZGQb5D
	pSRys/XNz88Ws/7TYEU2TzwzaDEgGFcEpb6up3rnu8dkY+cGeBw0BXqS0GAYjB6QtBkBYI
	ogZLu4N9/ydGivnf5sXX7ksVr00pQmf+XnlAunb0+XfUefyA9WnpeSD+ZBbNrA==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=debian.org header.s=1.vagrant.user header.b=gLHQmmRA;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of "help-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="help-guix-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Spam-Score: -7.55
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=debian.org header.s=1.vagrant.user header.b=gLHQmmRA;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of "help-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="help-guix-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Queue-Id: 54AE3C729
X-Spam-Score: -7.55
X-Migadu-Scanner: scn0.migadu.com
X-TUID: DzGfHw/tlsHr

--=-=-=
Content-Type: text/plain

On 2022-07-09, jgart@dismail.de wrote:
> Today Bonface mentioned to me that I should be cloning my packages and
> verifying the hashes with `git hash-object` or `git hash` iirc?

probably "guix hash"

> Do others do this when packaging?
>
> My workflow currently is the lazy way:
>
> 1. I change the version in the package definition.
>
> 2. build the package
>
> 3. package blows up on stdout
>
> 4. I retrieve the hash and add it
>
> 5. profit!

Profit, for whom? Whoever injected the cryptocurrency malware? :P


My workflow for git-based things is typically:

1. git clone https://example.org/someproject.git && cd someproject

2. git co -b VERSION-local VERSION

3. git diff OLDVERSION..NEWVERSION

4. git clean -dfx # make sure the working tree is totally clean

5. guix hash -rx .

Step 3, even if I don't completely understand the code, I can at least
check for (problematic) license changes or maybe something "obviously"
wrong.

Similar steps for tarballs-based projects, though you may need to unpack
and/or diffoscope the sources for step 3.


I don't have a good idea how to verify pypi or similar origins... but
you could at least double-check the sources of the old and new versions
with something like:

1. guix build --source # before you update the hash

2. update version, build, get new hash, update hash ...

3. guix build --source # after updating the hash

4. diffoscope OLDSOURCE NEWSOURCE

And do a best effort check for issues...


live well,
  vagrant

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCYspR1QAKCRDcUY/If5cW
qmFFAQDWHUAyvWDBulDySUFG6S5yumLBHqn3LyDPj74eJxD8cwD/cTDF1lejbgUS
QAoPPFehjxqbrgIYWNKOg0/zrghXwgM=
=ateY
-----END PGP SIGNATURE-----
--=-=-=--