GNU bug report logs - #28659: Content-addressed mirror is not used upon invalid hash
Message #36 received at 28659 <at> debbugs.gnu.org:

Leo Famulari <leo <at> famulari.name> wrote:

> On Mon, Oct 02, 2017 at 05:09:39PM +0200, Ludovic Courtès wrote:
>> What’s sad here is that we do have the right tarball at:
>>
>> https://mirror.hydra.gnu.org/file/libgit2-0.25.1.tar.gz/sha256/1cdwcw38frc1wf28x5ppddazv9hywc718j92f3xa3ybzzycyds3s

Just to be clear: this URL is not that of a substitute, but that of a
content-addressed file (corresponding to the output of a fixed-output
derivation.)

> It seems to me that there are several reasons someone may choose not to
> use substitutes. Some of those reasons (reproducibility and security
> concerns) are obviated for fixed-output derivations like upstream
> sources, and I think it would be fine to still use substitutes for these
> derivations.
>
> But the motivations of privacy, self-sufficiency, etc are not addressed
> by that idea.

Right. Jan suggested checking the content-addressed mirrors *before*
the real upstream address. That would address the problem of upstream
sources modified in-place, but at the cost of privacy/self-sufficiency
as you note. (Though it’s not really making “privacy” any worse in this
case: it’s gnu.org vs. github.com.)

Perhaps we should make content-addressed mirrors configurable in a way
that’s orthogonal to derivations, something similar in spirit to
--substitute-urls? The difficulty is that content-addressed mirrors are
not just URLs; see (guix download).

Thoughts?

Ludo’.
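
The two fetch orders discussed in this message, as an added Python sketch that is not part of the message and is not Guix's code: each source is checked against the recorded hash, and a mismatch moves on to the next source instead of aborting. Assumptions: the hosts are placeholders, the digest is hex rather than the nix-base32 form in the URL above, the network is a dictionary of constructed bytes, and `mirrors_first` is a hypothetical switch for Jan's suggestion.

```python
import hashlib

# Constructed sample bytes: the tarball as first released, and as later changed in place.
ORIGINAL = b"libgit2-0.25.1 tarball as first released (constructed sample)"
MODIFIED = b"libgit2-0.25.1 tarball after upstream changed it in place (constructed sample)"
EXPECTED = hashlib.sha256(ORIGINAL).hexdigest()  # hash recorded in the package definition
FILE = "libgit2-0.25.1.tar.gz"
UPSTREAM = "https://upstream.example/" + FILE  # placeholder host


def content_addressed_mirror(base):
    """A mirror is a procedure (file, algo, digest) -> URL, not a plain URL."""
    def mirror(file, algo, digest):
        return f"{base}/file/{file}/{algo}/{digest}"
    return mirror


MIRROR = content_addressed_mirror("https://mirror.example")  # placeholder host
# Simulated network (assumption): URL -> bytes, None when absent.
NETWORK = {UPSTREAM: MODIFIED, MIRROR(FILE, "sha256", EXPECTED): ORIGINAL}


def fetch_verified(file, upstream, expected, mirrors, fetch, mirrors_first=False):
    """Return (data, attempts); only bytes whose SHA-256 equals `expected` are accepted."""
    mirror_urls = [m(file, "sha256", expected) for m in mirrors]
    order = mirror_urls + [upstream] if mirrors_first else [upstream] + mirror_urls
    attempts = []
    for url in order:
        data = fetch(url)
        if data is None:
            attempts.append((url, "unavailable"))
        elif hashlib.sha256(data).hexdigest() != expected:
            # A bad hash is a reason to try the next source, not to stop.
            attempts.append((url, "hash mismatch"))
        else:
            attempts.append((url, "ok"))
            return data, attempts
    raise RuntimeError(f"no source matched {expected}: {attempts}")


if __name__ == "__main__":
    for first in (False, True):
        _, log = fetch_verified(FILE, UPSTREAM, EXPECTED, [MIRROR], NETWORK.get, first)
        print("mirrors first" if first else "upstream first", log)
```

With upstream first, the attempt log records the mismatch at the upstream host before the mirror succeeds; with mirrors first, upstream is never contacted, which is the privacy/self-sufficiency trade-off raised above.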
This bug report was last modified 1 year and 42 days ago.