From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id 4FjfLfxRymIoawAAbAwnHQ (envelope-from ) for ; Sun, 10 Jul 2022 06:13:48 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id SJDSLPxRymKgSAEAG6o9tA (envelope-from ) for ; Sun, 10 Jul 2022 06:13:48 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 54AE3C729 for ; Sun, 10 Jul 2022 06:13:48 +0200 (CEST) Received: from localhost ([::1]:36424 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1oAOKJ-0000FV-BC for larch@yhetil.org; Sun, 10 Jul 2022 00:13:47 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:59042) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oAOJs-0000F8-5x for help-guix@gnu.org; Sun, 10 Jul 2022 00:13:20 -0400 Received: from cascadia.aikidev.net ([173.255.214.101]:53008) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1oAOJq-0008WA-39 for help-guix@gnu.org; Sun, 10 Jul 2022 00:13:19 -0400 Received: from localhost (unknown [IPv6:2600:3c01:e000:21:7:77:0:20]) (Authenticated sender: vagrant@cascadia.debian.net) by cascadia.aikidev.net (Postfix) with ESMTPSA id C81781AC35; Sat, 9 Jul 2022 21:13:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=debian.org; s=1.vagrant.user; t=1657426393; bh=a0WLHMGAPPfLKhAbB0dLwlWxfYbCQ0GHJeKxWK91GmA=; h=From:To:Subject:In-Reply-To:References:Date:From; b=gLHQmmRAIQYJ2oPBb+wC93M7kpZqtLv75+uFLYpARtOnbcGPKZY4qFBAk5MIBb6GJ TdughOQT3puuQ+tvHYkgkghpKCcngGtHHgpLZOBbX/VW3UVHI0xxgVMMrmfN5iFbOq 1WYJ3gPlKbeYaF1DbUONpXKvNFjCcxPfgRyBXY9IjhLtUsA1r/4yViGbAiT78I0Jzz yu7cLJT9ylw+Q9oXF2bXa6lK7uj5IyhJ4ilfzKwRsUNaeiOKhPWlD5ALw57Y6dU4z4 O6ujhzP3ylpCbJekuKJVMeUsc+PRilvk7ZH4efpKk4qbmATU4LJu4opMMjxXtlNZyT j+WJKvdOAKRSQ== From: Vagrant Cascadian To: jgart , Guix Help Subject: Re: How do I verify my hashes? In-Reply-To: <20220709211259.GB25347@gac> References: <20220709211259.GB25347@gac> Date: Sat, 09 Jul 2022 21:13:08 -0700 Message-ID: <87wnclppuz.fsf@contorta> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Received-SPF: none client-ip=173.255.214.101; envelope-from=vagrant@debian.org; helo=cascadia.aikidev.net X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: help-guix@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-guix-bounces+larch=yhetil.org@gnu.org Sender: "Help-Guix" X-Migadu-Flow: FLOW_IN X-Migadu-To: larch@yhetil.org X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1657426428; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=+3KEGM8GLYGVf9G+8vUoWtd7U6cWeD4jCEukF8IU6ws=; b=Sr7MlvKhR52hYgEv5diDbkyeG7w8n3s7pFGFfSaVW/Y7PspVHnAwvHct5oGKKJFHgadhwn Meh5tFcae+aFCHkVr9rDDd/EXUmBEa9xYeC6BW6diipxV5cZJjL9+oJFXWb3mm+Q51hMoH Sx1YfQV4PvgrpR3YOh/TTpJ0dB96fbya39cRleAAFavpwJmvpqe/KUBx+LXnuW1L69osmx OvkFsfFKGZsJ7dtSSwo4I4QfqBHyHJgEp47yt3kAoxyz534EXORFTx5FhJ/CAftfr05GhS 5lIh4zy6C39tWAoJPIdnzpnwDd9/gYfggd8unM/Mt2wo8chK1DzN35c2/KKmEQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1657426428; a=rsa-sha256; cv=none; b=gYSewM2nHSJs51+fNL/bzXzDE7gvvb5N/xuEtFqEq7+HX5rAdVRiZ1j07WBMoVquZ9m67j Qt7E31iRASmPdvKPEA1PDuJ+RAh/ZZ0yZ0mnHgQlOnd8duGDWfhdkBMGUjjfWji6Jfhg06 ORV53azrd1pgGgMW2ZJ6a6yFhv+JjRtfOUpmpHIsY0hRa9ZtWoPS/ZuyeUxlgeWhZGQb5D pSRys/XNz88Ws/7TYEU2TzwzaDEgGFcEpb6up3rnu8dkY+cGeBw0BXqS0GAYjB6QtBkBYI ogZLu4N9/ydGivnf5sXX7ksVr00pQmf+XnlAunb0+XfUefyA9WnpeSD+ZBbNrA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=debian.org header.s=1.vagrant.user header.b=gLHQmmRA; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "help-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="help-guix-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -7.55 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=debian.org header.s=1.vagrant.user header.b=gLHQmmRA; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "help-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="help-guix-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 54AE3C729 X-Spam-Score: -7.55 X-Migadu-Scanner: scn0.migadu.com X-TUID: DzGfHw/tlsHr --=-=-= Content-Type: text/plain On 2022-07-09, jgart@dismail.de wrote: > Today Bonface mentioned to me that I should be cloning my packages and > verifying the hashes with `git hash-object` or `git hash` iirc? probably "guix hash" > Do others do this when packaging? > > My workflow currently is the lazy way: > > 1. I change the version in the package definition. > > 2. build the package > > 3. package blows up on stdout > > 4. I retrieve the hash and add it > > 5. profit! Profit, for whom? Whoever injected the cryptocurrency malware? :P My workflow for git-based things is typically: 1. git clone https://example.org/someproject.git && cd someproject 2. git co -b VERSION-local VERSION 3. git diff OLDVERSION..NEWVERSION 4. git clean -dfx # make sure the working tree is totally clean 5. guix hash -rx . Step 3, even if I don't completely understand the code, I can at least check for (problematic) license changes or maybe something "obviously" wrong. Similar steps for tarballs-based projects, though you may need to unpack and/or diffoscope the sources for step 3. I don't have a good idea how to verify pypi or similar origins... but you could at least double-check the sources of the old and new versions with something like: 1. guix build --source # before you update the hash 2. update version, build, get new hash, update hash ... 3. guix build --source # after updating the hash 4. diffoscope OLDSOURCE NEWSOURCE And do a best effort check for issues... live well, vagrant --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCYspR1QAKCRDcUY/If5cW qmFFAQDWHUAyvWDBulDySUFG6S5yumLBHqn3LyDPj74eJxD8cwD/cTDF1lejbgUS QAoPPFehjxqbrgIYWNKOg0/zrghXwgM= =ateY -----END PGP SIGNATURE----- --=-=-=--