From mboxrd@z Thu Jan  1 00:00:00 1970
From: ng0 <ng0@infotropique.org>
Subject: bug#28745: tarballs generated on github are generated on demand
	(leading to different hash sums)
Date: Sun, 8 Oct 2017 11:40:09 +0000
Message-ID: <20171008114009.3tyhcuioaau6tlya@abyayala>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="4rofsr4o3h4caqkz"
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42248)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e19xB-00063R-Fg
	for bug-guix@gnu.org; Sun, 08 Oct 2017 07:41:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e19x8-0002zT-CG
	for bug-guix@gnu.org; Sun, 08 Oct 2017 07:41:05 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:46862)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1e19x8-0002zP-8e
	for bug-guix@gnu.org; Sun, 08 Oct 2017 07:41:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e19x8-0007Xf-2U
	for bug-guix@gnu.org; Sun, 08 Oct 2017 07:41:02 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.28745.B.150746282828939@debbugs.gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42075)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ng0@infotropique.org>) id 1e19wR-0005sz-Ek
	for bug-guix@gnu.org; Sun, 08 Oct 2017 07:40:20 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ng0@infotropique.org>) id 1e19wO-0002Qu-CE
	for bug-guix@gnu.org; Sun, 08 Oct 2017 07:40:19 -0400
Received: from aibo.runbox.com ([91.220.196.211]:57662)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <ng0@infotropique.org>)
	id 1e19wO-0002NJ-4o
	for bug-guix@gnu.org; Sun, 08 Oct 2017 07:40:16 -0400
Received: from [10.9.9.212] (helo=mailfront12.runbox.com)
	by mailtransmit03.runbox with esmtp (Exim 4.86_2)
	(envelope-from <ng0@infotropique.org>) id 1e19wM-0004yk-AI
	for bug-guix@gnu.org; Sun, 08 Oct 2017 13:40:14 +0200
Received: from [85.159.237.210] (helo=localhost)
	by mailfront12.runbox.com with esmtpsa (uid:892961 )
	(TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) id 1e19wJ-00021A-7v
	for bug-guix@gnu.org; Sun, 08 Oct 2017 13:40:11 +0200
Content-Disposition: inline
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: 28745@debbugs.gnu.org


--4rofsr4o3h4caqkz
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Past and recent discussion in our IRC channel and on the mailing list
show that we can not rely on tarballs on github keeping the same
hash forever.
According to github they are "generated on demand", leading to
regular hash mismatches.

Since some of our own dependencies are on github (at the very least
guile-git), we need to come up with a solution.

Right now we have around 449 packages with tarball sources from
github in our gnu/packages.
We could:

- Move them all to use git-download and just use
  the commit that has been tagged in the versions that produce
  the tarballs on github.

- Mirror the content somewhere reliable in snapshots for
  some time. Problem here: we start to rely on this "somewhere"
  to be trustworthy and introduce one more point to trust
  (however due to pre-recorded hash sum this is just an annoyance,
  not a grave issue).

- Your idea here.

--=20
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://dist.krosos.org/dist/keys/
https://www.infotropique.org https://krosos.org

--4rofsr4o3h4caqkz
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlnaDpkACgkQ4i+bv+40
hYjvbA/+K61e+beVasAcxl7YN7Gn887buojM2662iz9i4a7R9WE0qlQ5sp7p4CKb
lHWlybZbXKwId+ubbxc1s/ItqntIK6ypJW55wVh+gxkmunN6+19wK56OlMF+ga0N
D7WRckmfkxs3DL6BNCY54Y/jIsi4Z8woWzRxEqFU08I1+GvPxk4xoCUSOI3c4BAe
jLenZGQnyB1jO/gnrynw/rwU0aj6erd4uerDu15YKgjaRc0zJdU8Zxp0GnnHjxOc
uDiOPmAL6SERv4cM/63/TjQCn39uAo4PaH7u5H9/YOjHqPrCQsy/NaRO1k5nA3VO
JoutaPWin9RC5WNTtKFSFSdTFl7ikhCq2MeM9sc6FpTne2fkJEvlWyNXRXkenvNr
U/AAZDkNwGET4Hu3GXEndKB5Wb7DAWlYwzbm9JJicrk7pLjvZPALhU/9Lgyb6ipd
CLIuaVcbZVfzdIDsgFf5z6jbDhQaMJb9TaaFJJVAC7Bh2gKu1lLfVLeg8Pfpn2Xf
J0zQM8mV48bcqsRX5GlrRUae2Nl2X3WDY/5tOwscpaE0Y9Z/hjfGBC7OA72yNlSW
1rJMsYw87SqDt9E/W2mwfkrP+LgUwdOAvkYJ9Qobp7jA6pxkbX/VwqHPAriNoOzV
iyTZioWk27Co4KHBOx/RGmtO1bASGc3wkOJ9hoyzEJql41hiPpM=
=I2WJ
-----END PGP SIGNATURE-----

--4rofsr4o3h4caqkz--