Date: Sat, 09 Nov 2024 07:41:28 +0100
From: Julien Lepiller
To: guix-devel@gnu.org, Troy Figiel, Juliana Sims
Subject: Re: Magic Wormhole Package Weirdness/Potential Security Issues?
In-Reply-To: <2c87795509cea509ae22263dfdf0a0401e4661d4.camel@troyfigiel.com>
References: <0W9NMS.7ID0I9IORJ19@incana.org> <2c87795509cea509ae22263dfdf0a0401e4661d4.camel@troyfigiel.com>

If you only change the version number, guix will try to download that version. If it fails, then it relies on the provided hash to fetch from a content-addressed store, such as ci or Software Heritage. It relies on the hash as the source of truth.

Usually, when updating a package, I alter the hash to make sure it doesn't build the old version. Replace the initial 1 with a 0 or initial 0 with a 1, and you get a wrong hash. If it fails to download the file, you'll notice immediately. Otherwise, it will print the expected hash.

On 8 November 2024 20:18:54 GMT+01:00, Troy Figiel wrote:
>Hi Juli,
>
>On Fri, 2024-11-08 at 13:26 -0500, Juliana Sims wrote:
>> To cover all my bases, I pk'd the hash produced by `pypi-uri` and used
>> `guix download` to try to fetch the same file and check its hash, only
>> to find that `guix download` couldn't find anything at that URL or its
>> fallbacks.
>
>It seems at some point in between version 0.14.0 and 0.17.0 the name of
>the tarball has changed from `magic-wormhole` to `magic_wormhole`. You
>have to change the uri-field accordingly to successfully download the
>source code from PyPI.
>
>When building it in the way you describe, the source code cannot be
>found on PyPI, so it is pulled from tarballs.nixos.org instead. It
>seems NixOS uses content-addressable storage, so the hash is used to
>download the source code and since you have not changed the hash, it
>downloads version 0.14.0 again.
>
>Why tarballs.nixos.org is used as a backup, I do not know. I do not
>recall ever having seen this behaviour before.
>
>Hope this helps a bit though!
>
>Best wishes,
>
>Troy
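As an added illustration, not code from this thread or from Guix itself, here is a small Python model of the fallback Julien and Troy describe: a constructed in-memory "PyPI" keyed by tarball file name, a constructed content-addressed mirror keyed only by hash (the role tarballs.nixos.org plays above), and the two outcomes of a version-only bump, once with the hash left unchanged and once with it deliberately broken. All names, file names and tarball contents are assumptions made for the example.

```python
import hashlib

# Constructed stand-ins, not real release data: a "PyPI" keyed by tarball file name, and
# a content-addressed mirror (the role tarballs.nixos.org plays above) keyed only by hash.
PYPI = {
    "magic-wormhole-0.14.0.tar.gz": b"constructed: magic-wormhole 0.14.0 sources",
    "magic_wormhole-0.17.0.tar.gz": b"constructed: magic_wormhole 0.17.0 sources",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

MIRROR = {sha256(data): data for data in PYPI.values()}
OLD_HASH = sha256(PYPI["magic-wormhole-0.14.0.tar.gz"])
NEW_HASH = sha256(PYPI["magic_wormhole-0.17.0.tar.gz"])

def fetch_source(filename: str, expected_hash: str) -> tuple[str, bytes]:
    """Try the named tarball first; if missing, fall back to a lookup by hash alone."""
    data = PYPI.get(filename)
    if data is not None:
        actual = sha256(data)
        if actual != expected_hash:  # like guix, report the hash actually seen
            raise ValueError(f"hash mismatch for {filename}: expected {expected_hash}, actual {actual}")
        return "pypi", data
    data = MIRROR.get(expected_hash)
    if data is None:
        raise FileNotFoundError(f"{filename} not found and hash {expected_hash} unknown to mirror")
    return "content-addressed mirror", data

def invalidate_hash(h: str) -> str:
    """Julien's trick, generalised from base32 to any hash string: alter the first
    character so the hash can no longer match any content."""
    return ("1" if h[0] == "0" else "0") + h[1:]

def version_only_bump() -> tuple[str, bytes]:
    # Version bumped, hash and old hyphenated file name left alone: PyPI has no such
    # file, the mirror answers by hash, and the 0.14.0 sources come back with no error.
    return fetch_source("magic-wormhole-0.17.0.tar.gz", OLD_HASH)

def bump_with_broken_hash(filename: str, stale_hash: str) -> str:
    # Same update with the hash deliberately broken: either the fallback fails loudly
    # (wrong file name) or the primary fetch reports the real hash (right file name).
    try:
        fetch_source(filename, invalidate_hash(stale_hash))
    except (FileNotFoundError, ValueError) as e:
        return str(e)
    return "fetched unexpectedly"
```

The silent case is the one to watch for in review: a package whose version field changed but whose hash did not should never build cleanly.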