Reily Siegel wrote on Thu 03-02-2022 at 19:25 [-0500]:
> +(define-public clojure-com-cognitect-http-client > + (package > + (name "clojure-com-cognitect-aws-api") > + (version "1.0.111") > + (source (origin > + (method url-fetch) > + ;; This JAR contains only uncompiled Clojure sources. > + (uri (string-append "https://repo1.maven.org/maven2/" > + "com/cognitect/http-client/" > + version "/http-client-" > + version ".jar")) > + (sha256 > + (base32 > + "0n03vyr6i6n8ll8jn14b5zsba5pndb0ivdwizimz16gd8w3kf5xh"))))

I downloaded the JAR and verified the hash matches.

> + (license license:asl2.0))) >

This time, the source code has a COPYING file and the headers of the source code state that it is Apache 2.0, which is good.

There's still something weird though: even though the source files later state it's Apache 2.0, initially they state

  ;; Copyright (c) Cognitect, Inc.
  ;; All rights reserved.

This seems rather contradictory --- do they reserve all monopoly rights for themselves, or do they license it as Apache 2.0, giving people some rights?

The intent seems clear here (Apache 2.0), so not a blocker for inclusion in Guix I think, but IANAL and this should ideally eventually be fixed upstream.

The files in the zip appear to be actual source code, not compiled something. There indeed doesn't appear to be anything malicious. I'll look into the authenticity later.

Greetings,
Maxime.
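
Review bot: The name field in the quoted package definition does not match the variable or the source it fetches: the definition is clojure-com-cognitect-http-client and the URI builds a path under com/cognitect/http-client/, but the field reads (name "clojure-com-cognitect-aws-api"). This looks like a leftover from the aws-api package, and it would make the package appear under the wrong name in the store and in package lookups, which also muddies any later check of which upstream artifact a given store item came from. Suggest changing it to (name "clojure-com-cognitect-http-client") so that the variable, the name and the Maven coordinates in the URI all agree.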