From mboxrd@z Thu Jan 1 00:00:00 1970 From: ng0 Subject: bug#28745: tarballs generated on github are generated on demand (leading to different hash sums) Date: Sun, 8 Oct 2017 11:40:09 +0000 Message-ID: <20171008114009.3tyhcuioaau6tlya@abyayala> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="4rofsr4o3h4caqkz" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:42248) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1e19xB-00063R-Fg for bug-guix@gnu.org; Sun, 08 Oct 2017 07:41:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1e19x8-0002zT-CG for bug-guix@gnu.org; Sun, 08 Oct 2017 07:41:05 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:46862) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1e19x8-0002zP-8e for bug-guix@gnu.org; Sun, 08 Oct 2017 07:41:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1e19x8-0007Xf-2U for bug-guix@gnu.org; Sun, 08 Oct 2017 07:41:02 -0400 Sender: "Debbugs-submit" Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:42075) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1e19wR-0005sz-Ek for bug-guix@gnu.org; Sun, 08 Oct 2017 07:40:20 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1e19wO-0002Qu-CE for bug-guix@gnu.org; Sun, 08 Oct 2017 07:40:19 -0400 Received: from aibo.runbox.com ([91.220.196.211]:57662) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1e19wO-0002NJ-4o for bug-guix@gnu.org; Sun, 08 Oct 2017 07:40:16 -0400 Received: from [10.9.9.212] (helo=mailfront12.runbox.com) by mailtransmit03.runbox with esmtp (Exim 4.86_2) (envelope-from ) id 1e19wM-0004yk-AI for bug-guix@gnu.org; Sun, 08 Oct 2017 13:40:14 +0200 Received: from [85.159.237.210] (helo=localhost) by mailfront12.runbox.com with esmtpsa (uid:892961 ) (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) id 1e19wJ-00021A-7v for bug-guix@gnu.org; Sun, 08 Oct 2017 13:40:11 +0200 Content-Disposition: inline List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: 28745@debbugs.gnu.org --4rofsr4o3h4caqkz Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Past and recent discussion in our IRC channel and on the mailing list show that we can not rely on tarballs on github keeping the same hash forever. According to github they are "generated on demand", leading to regular hash mismatches. Since some of our own dependencies are on github (at the very least guile-git), we need to come up with a solution. Right now we have around 449 packages with tarball sources from github in our gnu/packages. We could: - Move them all to use git-download and just use the commit that has been tagged in the versions that produce the tarballs on github. - Mirror the content somewhere reliable in snapshots for some time. Problem here: we start to rely on this "somewhere" to be trustworthy and introduce one more point to trust (however due to pre-recorded hash sum this is just an annoyance, not a grave issue). - Your idea here. --=20 ng0 GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 GnuPG: https://dist.krosos.org/dist/keys/ https://www.infotropique.org https://krosos.org --4rofsr4o3h4caqkz Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlnaDpkACgkQ4i+bv+40 hYjvbA/+K61e+beVasAcxl7YN7Gn887buojM2662iz9i4a7R9WE0qlQ5sp7p4CKb lHWlybZbXKwId+ubbxc1s/ItqntIK6ypJW55wVh+gxkmunN6+19wK56OlMF+ga0N D7WRckmfkxs3DL6BNCY54Y/jIsi4Z8woWzRxEqFU08I1+GvPxk4xoCUSOI3c4BAe jLenZGQnyB1jO/gnrynw/rwU0aj6erd4uerDu15YKgjaRc0zJdU8Zxp0GnnHjxOc uDiOPmAL6SERv4cM/63/TjQCn39uAo4PaH7u5H9/YOjHqPrCQsy/NaRO1k5nA3VO JoutaPWin9RC5WNTtKFSFSdTFl7ikhCq2MeM9sc6FpTne2fkJEvlWyNXRXkenvNr U/AAZDkNwGET4Hu3GXEndKB5Wb7DAWlYwzbm9JJicrk7pLjvZPALhU/9Lgyb6ipd CLIuaVcbZVfzdIDsgFf5z6jbDhQaMJb9TaaFJJVAC7Bh2gKu1lLfVLeg8Pfpn2Xf J0zQM8mV48bcqsRX5GlrRUae2Nl2X3WDY/5tOwscpaE0Y9Z/hjfGBC7OA72yNlSW 1rJMsYw87SqDt9E/W2mwfkrP+LgUwdOAvkYJ9Qobp7jA6pxkbX/VwqHPAriNoOzV iyTZioWk27Co4KHBOx/RGmtO1bASGc3wkOJ9hoyzEJql41hiPpM= =I2WJ -----END PGP SIGNATURE----- --4rofsr4o3h4caqkz--