From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 08 07:40:28 2017 Received: (at submit) by debbugs.gnu.org; 8 Oct 2017 11:40:28 +0000 Received: from localhost ([127.0.0.1]:55543 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e19wa-0007Wh-8G for submit@debbugs.gnu.org; Sun, 08 Oct 2017 07:40:28 -0400 Received: from eggs.gnu.org ([208.118.235.92]:51139) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e19wZ-0007WS-B8 for submit@debbugs.gnu.org; Sun, 08 Oct 2017 07:40:27 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1e19wS-0002VJ-Ub for submit@debbugs.gnu.org; Sun, 08 Oct 2017 07:40:21 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_40 autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:60266) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1e19wS-0002Uy-OD for submit@debbugs.gnu.org; Sun, 08 Oct 2017 07:40:20 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42075) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1e19wR-0005sz-Ek for bug-guix@gnu.org; Sun, 08 Oct 2017 07:40:20 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1e19wO-0002Qu-CE for bug-guix@gnu.org; Sun, 08 Oct 2017 07:40:19 -0400 Received: from aibo.runbox.com ([91.220.196.211]:57662) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1e19wO-0002NJ-4o for bug-guix@gnu.org; Sun, 08 Oct 2017 07:40:16 -0400 Received: from [10.9.9.212] (helo=mailfront12.runbox.com) by mailtransmit03.runbox with esmtp (Exim 4.86_2) (envelope-from ) id 1e19wM-0004yk-AI for bug-guix@gnu.org; Sun, 08 Oct 2017 13:40:14 +0200 Received: from [85.159.237.210] (helo=localhost) by mailfront12.runbox.com with esmtpsa (uid:892961 ) (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) id 1e19wJ-00021A-7v for bug-guix@gnu.org; Sun, 08 Oct 2017 13:40:11 +0200 Date: Sun, 8 Oct 2017 11:40:09 +0000 From: ng0 To: bug-guix@gnu.org Subject: tarballs generated on github are generated on demand (leading to different hash sums) Message-ID: <20171008114009.3tyhcuioaau6tlya@abyayala> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="4rofsr4o3h4caqkz" Content-Disposition: inline X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) --4rofsr4o3h4caqkz Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Past and recent discussion in our IRC channel and on the mailing list show that we can not rely on tarballs on github keeping the same hash forever. According to github they are "generated on demand", leading to regular hash mismatches. Since some of our own dependencies are on github (at the very least guile-git), we need to come up with a solution. Right now we have around 449 packages with tarball sources from github in our gnu/packages. We could: - Move them all to use git-download and just use the commit that has been tagged in the versions that produce the tarballs on github. - Mirror the content somewhere reliable in snapshots for some time. Problem here: we start to rely on this "somewhere" to be trustworthy and introduce one more point to trust (however due to pre-recorded hash sum this is just an annoyance, not a grave issue). - Your idea here. --=20 ng0 GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 GnuPG: https://dist.krosos.org/dist/keys/ https://www.infotropique.org https://krosos.org --4rofsr4o3h4caqkz Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlnaDpkACgkQ4i+bv+40 hYjvbA/+K61e+beVasAcxl7YN7Gn887buojM2662iz9i4a7R9WE0qlQ5sp7p4CKb lHWlybZbXKwId+ubbxc1s/ItqntIK6ypJW55wVh+gxkmunN6+19wK56OlMF+ga0N D7WRckmfkxs3DL6BNCY54Y/jIsi4Z8woWzRxEqFU08I1+GvPxk4xoCUSOI3c4BAe jLenZGQnyB1jO/gnrynw/rwU0aj6erd4uerDu15YKgjaRc0zJdU8Zxp0GnnHjxOc uDiOPmAL6SERv4cM/63/TjQCn39uAo4PaH7u5H9/YOjHqPrCQsy/NaRO1k5nA3VO JoutaPWin9RC5WNTtKFSFSdTFl7ikhCq2MeM9sc6FpTne2fkJEvlWyNXRXkenvNr U/AAZDkNwGET4Hu3GXEndKB5Wb7DAWlYwzbm9JJicrk7pLjvZPALhU/9Lgyb6ipd CLIuaVcbZVfzdIDsgFf5z6jbDhQaMJb9TaaFJJVAC7Bh2gKu1lLfVLeg8Pfpn2Xf J0zQM8mV48bcqsRX5GlrRUae2Nl2X3WDY/5tOwscpaE0Y9Z/hjfGBC7OA72yNlSW 1rJMsYw87SqDt9E/W2mwfkrP+LgUwdOAvkYJ9Qobp7jA6pxkbX/VwqHPAriNoOzV iyTZioWk27Co4KHBOx/RGmtO1bASGc3wkOJ9hoyzEJql41hiPpM= =I2WJ -----END PGP SIGNATURE----- --4rofsr4o3h4caqkz-- From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 08 07:44:18 2017 Received: (at 28745) by debbugs.gnu.org; 8 Oct 2017 11:44:18 +0000 Received: from localhost ([127.0.0.1]:55548 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e1A0H-0007cu-Rv for submit@debbugs.gnu.org; Sun, 08 Oct 2017 07:44:18 -0400 Received: from aibo.runbox.com ([91.220.196.211]:55494) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e1A0G-0007cm-73 for 28745@debbugs.gnu.org; Sun, 08 Oct 2017 07:44:16 -0400 Received: from [10.9.9.210] (helo=mailfront10.runbox.com) by mailtransmit03.runbox with esmtp (Exim 4.86_2) (envelope-from ) id 1e1A0E-0005GW-TI for 28745@debbugs.gnu.org; Sun, 08 Oct 2017 13:44:15 +0200 Received: from [85.159.237.210] (helo=localhost) by mailfront10.runbox.com with esmtpsa (uid:892961 ) (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) id 1e1A05-0002HR-Nu for 28745@debbugs.gnu.org; Sun, 08 Oct 2017 13:44:06 +0200 Date: Sun, 8 Oct 2017 11:44:02 +0000 From: ng0 To: 28745@debbugs.gnu.org Subject: Re: bug#28745: tarballs generated on github are generated on demand (leading to different hash sums) Message-ID: <20171008114402.wxwhra6xxnxvc3pt@abyayala> References: <20171008114009.3tyhcuioaau6tlya@abyayala> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="lkdxkvqush5m6zgk" Content-Disposition: inline In-Reply-To: <20171008114009.3tyhcuioaau6tlya@abyayala> X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 28745 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --lkdxkvqush5m6zgk Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable ng0 transcribed 2.1K bytes: =E2=80=A6 > Since some of our own dependencies are on github (at the very least > guile-git), we need to come up with a solution. =E2=80=A6 Correction: libgit2 is on github, a dependency of guile-git (which is on gi= tlab). --=20 ng0 GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 GnuPG: https://dist.krosos.org/dist/keys/ https://www.infotropique.org https://krosos.org --lkdxkvqush5m6zgk Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlnaD4IACgkQ4i+bv+40 hYhV2Q/+MuffPA7LJHOwaRAOMmEJghDJfZXLSyEfZuva5tseh/jXlecrfGyuW0GG OWHO/Gm1CLM0WxJfC5ejnMQzPFhp3Qk7Soa/js/b9H993D1p1+mrdsQJegT6DQSg JUtDfUVKl1R6m0zHC5JGXipNLyBvOt7KHa6kHAe2cEU7W4890UArBdOA2Z7sLhJA 38g3IdQRucg6ovUBXIrdw/lOW7cwImXprnfhF4aR2+lS6bSaZY6ccRPl1+ljvnl8 UIKiX/D9rX2dpt51LNeXBp6xRdfczxrLNXCwG4Zglh8tBrBDKHClHGvufvmoP1jU D5GYU3UraU7x+nlB7WbWGiaAByil6/KdpfTWkQUK27POdhNf69m/DI8yevb6upBu H89CYrUjfla9Mr2c4DAGzzlKgBg/JfbirjKG+l2BK8jHXLIopA2yI8Q9D1Fi9iOy JvdNfiixED/Ip7t69NiB54kBDHDcXZK0LC13a8m/OM9rfGZhR69PJd5Gja06rbpb Rqsw7BRNc+TfK81vKJ7Eb6MWHFDjCPExP3UHMtqTovJv7qk0QHwPHU4O38yr16ib /w8NuKZU+3Feoebv4IeLvhb2GHXbfWs6ZaKAk+9jkyzwlZ2i3RgvS58yOITwkSzP YEN/WQj/gL1tnMl2vTyBEeRWI5NAcN4xvOSuLYUoY5c2b5KOi48= =Xul/ -----END PGP SIGNATURE----- --lkdxkvqush5m6zgk-- From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 08 17:19:18 2017 Received: (at 28745) by debbugs.gnu.org; 8 Oct 2017 21:19:18 +0000 Received: from localhost ([127.0.0.1]:56772 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e1Iyk-0006s5-2X for submit@debbugs.gnu.org; Sun, 08 Oct 2017 17:19:18 -0400 Received: from eggs.gnu.org ([208.118.235.92]:47946) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e1Iyh-0006rs-HC for 28745@debbugs.gnu.org; Sun, 08 Oct 2017 17:19:15 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1e1IyY-0001Js-R4 for 28745@debbugs.gnu.org; Sun, 08 Oct 2017 17:19:10 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:44679) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1e1IyN-000197-9O; Sun, 08 Oct 2017 17:18:55 -0400 Received: from peder.onsbrabantnet.nl ([88.159.206.46]:44136 helo=dundal.peder.onsbrabantnet.nl) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1e1IyM-0004AY-QL; Sun, 08 Oct 2017 17:18:55 -0400 From: Jan Nieuwenhuizen To: ng0 Subject: Re: bug#28745: tarballs generated on github are generated on demand (leading to different hash sums) Organization: AvatarAcademy.nl References: <20171008114009.3tyhcuioaau6tlya@abyayala> <20171008114402.wxwhra6xxnxvc3pt@abyayala> X-Url: http://AvatarAcademy.nl Date: Sun, 08 Oct 2017 23:18:52 +0200 In-Reply-To: <20171008114402.wxwhra6xxnxvc3pt@abyayala> (ng0@infotropique.org's message of "Sun, 8 Oct 2017 11:44:02 +0000") Message-ID: <87r2ud49tv.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: 28745 Cc: 28745@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) ng0 writes: > ng0 transcribed 2.1K bytes: > =E2=80=A6 >> Since some of our own dependencies are on github (at the very least >> guile-git), we need to come up with a solution. > =E2=80=A6 > > Correction: libgit2 is on github, a dependency of guile-git (which is on = gitlab). Sure, see bug#28659 ...possbily this needs to be merged that bug. janneke --=20 Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org Freelance IT http://JoyofSource.com | Avatar=C2=AE http://AvatarAcademy.com From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 08 17:59:06 2017 Received: (at 28745) by debbugs.gnu.org; 8 Oct 2017 21:59:06 +0000 Received: from localhost ([127.0.0.1]:56781 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e1JbG-0007n0-1G for submit@debbugs.gnu.org; Sun, 08 Oct 2017 17:59:06 -0400 Received: from sender-of-o51.zoho.com ([135.84.80.216]:21048) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e1JbD-0007mr-So for 28745@debbugs.gnu.org; Sun, 08 Oct 2017 17:59:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1507499931; s=zoho; d=elephly.net; i=rekado@elephly.net; h=References:From:To:Cc:Subject:In-reply-to:Date:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding; l=719; bh=sZCUxTGVzhVgODRbqz9zpaXy8MFZq7w719DaYVz0aME=; b=VXqfJeNpd1cEnMAhq2gTIzw447wVFycZZ96nH6CYCfyzRNcOhc73coDAGR3k5gUN zZH+715t8xFd9voT+Itxp2lzb9Ww71szy3ecDCyC5NZ9cQPfok92Mx4n4CJfBwlUZZO 9gbuyyH3Hq1ePi35rANC7bGrgyAkg0NMc9Tt8G3A= Received: from localhost (port-92-200-80-210.dynamic.qsc.de [92.200.80.210]) by mx.zohomail.com with SMTPS id 1507499931059754.5782219064516; Sun, 8 Oct 2017 14:58:51 -0700 (PDT) References: <20171008114009.3tyhcuioaau6tlya@abyayala> User-agent: mu4e 0.9.18; emacs 25.3.1 From: Ricardo Wurmus To: ng0 Subject: Re: bug#28745: tarballs generated on github are generated on demand (leading to different hash sums) In-reply-to: <20171008114009.3tyhcuioaau6tlya@abyayala> X-URL: https://elephly.net X-PGP-Key: https://elephly.net/rekado.pubkey X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC Date: Sun, 08 Oct 2017 23:58:48 +0200 Message-ID: <87y3olmhd3.fsf@elephly.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-ZohoMailClient: External X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 28745 Cc: 28745@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) ng0 writes: > Right now we have around 449 packages with tarball sources from > github in our gnu/packages. I assume that this problem does not exist for tarballs that have been signed and uploaded by the maintainer. This is only a problem for auto-generated tarballs for tags, so it’s probably less than 449 packages. > - Move them all to use git-download and just use > the commit that has been tagged in the versions that produce > the tarballs on github. This doesn’t seem like a bad idea. It’s not great that we’ll have to bootstrap the build systems for all these packages. -- Ricardo GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC https://elephly.net From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 11 09:29:20 2017 Received: (at control) by debbugs.gnu.org; 11 Oct 2017 13:29:20 +0000 Received: from localhost ([127.0.0.1]:33213 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e2H4a-0005OI-6F for submit@debbugs.gnu.org; Wed, 11 Oct 2017 09:29:20 -0400 Received: from eggs.gnu.org ([208.118.235.92]:38849) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e2H4Z-0005O1-0v for control@debbugs.gnu.org; Wed, 11 Oct 2017 09:29:19 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1e2H4T-0007Lp-BS for control@debbugs.gnu.org; Wed, 11 Oct 2017 09:29:13 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:49479) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1e2H4T-0007Lj-7O for control@debbugs.gnu.org; Wed, 11 Oct 2017 09:29:13 -0400 Received: from [2a01:e0a:1d:7270:6a6c:dc17:fc02:cfda] (port=33140 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1e2H4S-00046r-OU for control@debbugs.gnu.org; Wed, 11 Oct 2017 09:29:13 -0400 Date: Wed, 11 Oct 2017 15:29:11 +0200 Message-Id: <87inflbyoo.fsf@gnu.org> To: control@debbugs.gnu.org From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: control message for bug #28745 MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) severity 28745 important From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 15 23:10:58 2017 Received: (at 28745) by debbugs.gnu.org; 16 Oct 2017 03:10:58 +0000 Received: from localhost ([127.0.0.1]:42239 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e3vnp-00015W-GJ for submit@debbugs.gnu.org; Sun, 15 Oct 2017 23:10:58 -0400 Received: from mail-io0-f180.google.com ([209.85.223.180]:45441) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e3vnn-00015H-6v for 28745@debbugs.gnu.org; Sun, 15 Oct 2017 23:10:52 -0400 Received: by mail-io0-f180.google.com with SMTP id i38so14540715iod.2 for <28745@debbugs.gnu.org>; Sun, 15 Oct 2017 20:10:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:in-reply-to:message-id:user-agent:mime-version; bh=As8dBl+r54GmG74hDKHpKcOfsiGdWp+tdyr0iK2XsnU=; b=srMnc6N/tbTCx8pGltAmZbadCjRSshrci2M9+AOzB10/H2C43Xj7HjBRHSJM0qcRGE qXZzJpWnSYi3CfuSn0BRVXh8tnf9CK63oD5dFkIz/ON7qvo0YEYUMUPUsb57sOozmXJH suoUDiSDyGsUBqzmuHH4kXG3dc/zSkwYbMDMEntNvgyBuxn60d/BslO9LD9krhk4BpWX JX8Kb2qF9bqYEmFgFxZMNz0KSePnVFHm0ULstWArzsd2f4p/WHhb0n+wAjntlYbY//Ml SBv1HAyVBSlH/0XQZ6o0dTfOkPyRps3bRrst64TwkLhwRGyJCfWvKmgSb/N2wEDrVeS3 m19w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:in-reply-to:message-id :user-agent:mime-version; bh=As8dBl+r54GmG74hDKHpKcOfsiGdWp+tdyr0iK2XsnU=; b=DuLnFD+JxDtbvBD50OdBxn0vJy/DMaZTmwsM+ZqIh17ce+9KhQdFWGuxqFVigm6Ee3 1yGcdHFTz6bjY7HH2VfLy7OMQsFrWlrQTLMMtSZbn1fKExZzc42lS832uKdbEZMKe/ag fJCbCoXYihdZ7L53fPPPbI1iwz0iOsrACYd1/nOMfxdzWtCdoXNGrqgwyC2f5miA0AZT dv/8q+aOI5fBnAYJ/XxSYheD+niRXGZXKobXc0eepJxp9W5E4YnG0GL9lYYNktFu4KL0 ahHKF2VdmTqXCB+LjNF3ZP0s0uLlf6ddu9m0P+yuHtMgQndeUOZg/MCbgETW9t3MhKs0 sW/g== X-Gm-Message-State: AMCzsaVBv3pWAjsBHGZQO+DDw6BsaAVMX+BuIEUBCK/Z9sg+2sWCn3Xl gON7H+o9BTk+37NxPOAJEfjXfQ== X-Google-Smtp-Source: ABhQp+RkNFaCrz7OxBM5zpKKeqe+4KcAqDxjY7KYEtVJMOG8INt9hmcxt7+lfxwsbfrzSFIGZAYNsQ== X-Received: by 10.107.62.65 with SMTP id l62mr11593344ioa.153.1508123445495; Sun, 15 Oct 2017 20:10:45 -0700 (PDT) Received: from apteryx ([24.140.229.228]) by smtp.gmail.com with ESMTPSA id b190sm3053700ioe.1.2017.10.15.20.10.43 for <28745@debbugs.gnu.org> (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sun, 15 Oct 2017 20:10:44 -0700 (PDT) From: Maxim Cournoyer To: bug#28745 <28745@debbugs.gnu.org> Subject: [PATCH] tarballs generated on github are generated on demand (leading to different hash sums) Date: Sun, 15 Oct 2017 23:10:43 -0400 In-Reply-To: bug's message of "Mon\, 16 Oct 2017 02\:52\:25 +0000" Message-ID: <87k1zv7pos.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 28745 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) --=-=-= Content-Type: text/plain Hello, I could finish a script that helped me finding all of our affected packages, verify that only the hash but not the content of the archives had changed, as well as automate the hash update for those safe to update. Attached is the patch and the scripts I used. I think we might want to reuse some of it to extend guix lint to warn packagers that archives coming from .*github.*archives URL are not guaranteed to be stable and that it would be better, if available, to use manually uploaded releases archives. Thanks! Maxim PS: I've also uploaded the scripts here: https://notabug.org/apteryx/fiasco for ease of cloning. Any comments about my nascent (ab)use of Scheme are welcome! --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=0001-gnu-packages-Fix-the-hashes-of-mutated-GitHub-archiv.patch >From 774a764149ecb0e234ae09c9a0a273af671c3c86 Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Sun, 15 Oct 2017 22:17:12 -0400 Subject: [PATCH] gnu: packages: Fix the hashes of mutated GitHub archives. Fixes bug https://bugs.gnu.org/28745. * gnu/packages/audio.scm (csound): Fix hash. * gnu/packages/engineering.scm (fritzing): Likewise. * gnu/packages/erlang.scm (erlang): Likewise. * gnu/packages/fonts.scm (font-google-material-design-icons): Likewise. * gnu/packages/graphics.scm (ogre): Likewise. * gnu/packages/java.scm (java-plexus-interpolation, antlr3): Likewise. * gnu/packages/serialization.scm (yaml-cpp): Likewise. * gnu/packages/version-control.scm (libgit2): Likewise. --- gnu/packages/audio.scm | 2 +- gnu/packages/engineering.scm | 2 +- gnu/packages/erlang.scm | 2 +- gnu/packages/fonts.scm | 2 +- gnu/packages/graphics.scm | 2 +- gnu/packages/java.scm | 4 ++-- gnu/packages/serialization.scm | 2 +- gnu/packages/version-control.scm | 2 +- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm index 0900630df..fbbe77509 100644 --- a/gnu/packages/audio.scm +++ b/gnu/packages/audio.scm @@ -580,7 +580,7 @@ emulation (valve, tape), bit fiddling (decimator, pointer-cast), etc.") (file-name (string-append name "-" version ".tar.gz")) (sha256 (base32 - "0f67vyy3r29hn26qkkcwnizrnzzy8p7gmg3say5q3wjhxns3b5yl")))) + "0xqpqws4jsv7fyawcjzwaw544qbfh29xq164kdf30a9v1n3yklp4")))) (build-system cmake-build-system) (inputs `(("alsa-lib" ,alsa-lib) diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm index 9f9949ef8..c9e184d7d 100644 --- a/gnu/packages/engineering.scm +++ b/gnu/packages/engineering.scm @@ -429,7 +429,7 @@ multipole-accelerated algorithm.") (file-name (string-append name "-" version ".tar.gz")) (sha256 (base32 - "0pvk57z2pxz89pcwwm61lkpvj4w9qxqz8mi0zkpj6pnaljabp7bf")))) + "15rwjp4xdj9w1z9f709rz9p0k2mi9k9idma9hvzkj5j8p04mg7yd")))) (build-system gnu-build-system) (arguments `(#:phases diff --git a/gnu/packages/erlang.scm b/gnu/packages/erlang.scm index cf4d7a595..1a575a0fd 100644 --- a/gnu/packages/erlang.scm +++ b/gnu/packages/erlang.scm @@ -46,7 +46,7 @@ (file-name (string-append name "-" version ".tar.gz")) (sha256 (base32 - "1azjjyb743i6vjq7rnh5qnslsqg0x60a9zrlhg9n3dpm13z1b22l")) + "11xp6vv1v7iay9dg1xc6xm7izfsanbn5pgwp96ba0j1fmlkhjw92")) (patches (search-patches "erlang-man-path.patch")))) (build-system gnu-build-system) (native-inputs diff --git a/gnu/packages/fonts.scm b/gnu/packages/fonts.scm index b65d3a9e9..9975c73a2 100644 --- a/gnu/packages/fonts.scm +++ b/gnu/packages/fonts.scm @@ -1026,7 +1026,7 @@ monospace, slab-serif fonts.") version ".tar.gz")) (sha256 (base32 - "183n0qv3q8w6n27libarq1fhc4mqv2d3sasbfmbn7x9r5pw9c6ga")) + "018i3za9r6kf6svci33z09lc5pr5yz4164m8gzzwjzzqcrng0p5j")) (file-name (string-append name "-" version ".tar.gz")))) (build-system font-build-system) (home-page "http://google.github.io/material-design-icons") diff --git a/gnu/packages/graphics.scm b/gnu/packages/graphics.scm index 8e3c5563f..3ffb4dd25 100644 --- a/gnu/packages/graphics.scm +++ b/gnu/packages/graphics.scm @@ -244,7 +244,7 @@ exception-handling library.") "/archive/v" version ".tar.gz")) (sha256 (base32 - "1ab354bmwwryxr4zgxchfkm6h4z38mjgif8yn89x640rsrgw5ipj")) + "1p0c91cc7zg3c00wjaibnxb0a0xm14mkg0h65pzpw93m0d6nc8wd")) (file-name (string-append name "-" version ".tar.gz")))) (build-system cmake-build-system) (arguments diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm index 95fba20e8..45cb16f1f 100644 --- a/gnu/packages/java.scm +++ b/gnu/packages/java.scm @@ -2299,7 +2299,7 @@ more.") "plexus-interpolation-" version ".tar.gz")) (sha256 (base32 - "1w79ljwk42ymrgy8kqxq4l82pgdj6287gabpfnpkyzbrnclsnfrp")))) + "03377yzlx5q440m6sxxgv6a5qb8fl30zzcgxgc0hxk5qgl2z1jjn")))) (build-system ant-build-system) (arguments `(#:jar-name "plexus-interpolation.jar" @@ -4429,7 +4429,7 @@ StringTemplate also powers ANTLR.") (file-name (string-append name "-" version ".tar.gz")) (sha256 (base32 - "07zff5frmjd53rnqdx31h0pmswz1lv0p2lp28cspfszh25ysz6sj")))) + "0218v683081lg54z9hvjxinhxd4dqp870jx6n39gslm0bkyi4vd6")))) (build-system ant-build-system) (arguments `(#:jar-name (string-append ,name "-" ,version ".jar") diff --git a/gnu/packages/serialization.scm b/gnu/packages/serialization.scm index 186692612..c66e814e5 100644 --- a/gnu/packages/serialization.scm +++ b/gnu/packages/serialization.scm @@ -247,7 +247,7 @@ that implements both the msgpack and msgpack-rpc specifications.") "yaml-cpp-" version ".tar.gz")) (sha256 (base32 - "1vk6pjh0f5k6jwk2sszb9z5169whmiha9ainbdpa1arxlkq7v3b6")))) + "1ck7jk0wjfigrf4cgcjqsir4yp1s6vamhhxhpsgfvs46pgm5pk6y")))) (build-system cmake-build-system) (arguments '(#:configure-flags '("-DBUILD_SHARED_LIBS=ON"))) diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index 38756f06c..c3f6a8500 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm @@ -363,7 +363,7 @@ everything from small to very large projects with speed and efficiency.") (file-name (string-append name "-" version ".tar.gz")) (sha256 (base32 - "1fdk9yhwvl1w1z71ykzcvgh4nsf8scxcbclz5anh98zpplmhmisa")) + "1b3figbhp5l83vd37vq6j2narrq4yl9pfw6mw0px0dzb1hz3jqka")) (patches (search-patches "libgit2-0.25.1-mtime-0.patch")))) (build-system cmake-build-system) (outputs '("out" "debug")) -- 2.14.1 --=-=-= Content-Type: text/plain Content-Disposition: attachment Content-Description: (fiasco finder) module (define-module (fiasco finder) #:use-module (ice-9 control) #:use-module (ice-9 match) #:use-module (ice-9 popen) #:use-module (ice-9 regex) #:use-module (ice-9 textual-ports) #:use-module (gnu packages) #:use-module (guix base32) #:use-module (guix build utils) #:use-module (guix download) #:use-module ((guix build download) #:select (url-fetch) #:prefix build:) #:use-module (guix download) #:use-module (guix packages) #:use-module (guix scripts download) #:use-module (guix scripts hash) #:use-module (guix store) #:use-module (guix ui) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module (srfi srfi-19) #:export (result result? result-package-name result-package-version result-guix-hash result-upstream-hash result-hash-ok? result-safe-to-update? result-date result->package results-dir results-file results-file->results results->results-file purge-deprecated-results! find-problematic-packages)) ;;; Commentary: Finds GitHub packages whose hash got broken. ;;; Requirements: tar and diff command line tools. ;; Workaround Geiser bug #83 (see: ;; https://github.com/jaor/geiser/issues/83) (guix-warning-port (current-warning-port)) ;;; ;;; Parameters to configure. ;;; (define substitute-urls (make-parameter (cons* "https://berlin.guixsd.org" "https://bayfront.guixsd.org" %default-substitute-urls))) (define results-dir (make-parameter (string-append (getenv "HOME") "/src/guile-hacks/fiasco"))) (define results-file (make-parameter (string-append (results-dir) "/results.txt"))) (define tar-diff-dir (make-parameter (string-append (results-dir) "/tar-diffs"))) ;;; ;;; Data structures and supporting functions. ;;; (define-record-type (make-result package-name package-version guix-hash upstream-hash hash-ok? safe-to-update? date) result? (package-name result-package-name) (package-version result-package-version) (guix-hash result-guix-hash) (upstream-hash result-upstream-hash) (hash-ok? result-hash-ok?) (safe-to-update? result-safe-to-update?) (date result-date)) (define (result->sexp result) (list (result-package-name result) (result-package-version result) (result-guix-hash result) (result-upstream-hash result) (result-hash-ok? result) (result-safe-to-update? result) (result-date result))) (define (sexp->result sexp) (match sexp ((package-name package-version guix-hash upstream-hash safe-to-update? result-hash-ok? date) (make-result package-name package-version guix-hash upstream-hash safe-to-update? result-hash-ok? date)))) (define (results-file->results file) "Read the results from FILE and return the list of result records." (with-input-from-file file (lambda () (let loop ((line (read (current-input-port)))) (if (eof-object? line) '() (cons (sexp->result line) (loop (read (current-input-port))))))))) (define (result-package-exist? result) "Return the package referred to by RESULT or #f if it doesn't exist." (let* ((name (result-package-name result)) (version (result-package-version result)) (packages (find-best-packages-by-name name version))) (not (null? packages)))) (define (result->package result) "Return the package referred to by RESULT or null if it doesn't exist." (let* ((name (result-package-name result)) (version (result-package-version result)) (packages (find-best-packages-by-name name version))) (if (null? packages) (begin (warn (format #f "The package ~a, version ~a is no longer in Guix" name version)) '()) (first packages)))) (define (results->results-file results file) "Overwrite the FILE content with the RESULTS." (with-output-to-file file (lambda () (for-each (lambda (result) (write (result->sexp result) (current-output-port)) (display "\n" (current-output-port))) results)))) (define (resultresults file)) (valid-results (sort (filter result-package-exist? all-results) resultresults-file valid-results file))) ;;; ;;; Functions and procedures. ;;; (define (packagepackage (results-file->results file))) '())) (define (origin->nix-base32-bash origin) (bytevector->nix-base32-string (origin-sha256 origin))) (define (origin->download-uri-suffix origin) "Form the suffix part of the URI of a downloadable substitute file." (let ((file-name (origin-actual-file-name origin)) (hash (origin->nix-base32-bash origin))) (string-append "/file/" file-name "/sha256/" hash))) (define* (download-substitute package file) "Download the substitute of PACKAGE and return it as FILE, or #f if the substitute could not be downloaded." (let* ((origin (package-source package)) (download-uri-suffix (origin->download-uri-suffix origin))) (let/ec return (for-each (lambda (url) ;; Do not verify certificate to work around bug#28810. (let* ((uri (string-append url download-uri-suffix)) (file (build:url-fetch uri file #:verify-certificate? #f))) (when file (return file)))) ;abort loop (substitute-urls)) (warn "Failed to download a substitute for package: " (package-name package)) #f))) (define (file-hash file) "Return the nix-base32 string corresponding to the sha256 hash of FILE." (and file (string-trim-both (with-output-to-string (lambda () (guix-hash file)))))) (define (compare-tar-archives archive1 archive2) "Return #f if the archives content is the same. Otherwise, a string detailing the differences is returned." (let* ((tmpdir (tmpnam)) (subdir1 (string-append tmpdir "/archive1")) (subdir2 (string-append tmpdir "/archive2")) (name1 (basename archive1)) (name2 (basename archive2)) (diff-file (string-append (tar-diff-dir) "/" name1 "-" name2 ".diff"))) (define (untar archive-file dest-dir) (unless (zero? (system* "tar" "-C" dest-dir "-xf" archive-file)) (error "Failed to extract archive: " archive-file))) (mkdir-p subdir1) (mkdir-p subdir2) (mkdir-p (tar-diff-dir)) (untar archive1 subdir1) (untar archive2 subdir2) ;; Use --no-dereference to prevent diff failing on broken ;; symlinks that archives may contain (e.g. antlr3). (let* ((input-pipe (open-pipe* OPEN_READ "diff" "-r" "--no-dereference" subdir1 subdir2)) (output (get-string-all input-pipe)) (exit-val (status:exit-val (close-pipe input-pipe)))) (case exit-val ((0) #f) ((1) (with-output-to-file diff-file (lambda () (display output))) (format #t "Diff saved to ~a:~%~a~%" diff-file output)) (else (error "diff failed comparing the folders: " subdir1 subdir2 "exit status: " exit-val)))))) (define (hash-ok? hash1 hash2) (and (string? hash1) (string? hash2) (string=? hash1 hash2))) (define (check-package-hash package) "Verify the hash of a package and return a object. Assumes the definition of PACKAGE contains an origin using the url-fetch method and a base32 encoded sha256 hash." (let* ((date (date->string (current-date))) (name (package-name package)) (version (package-version package)) (origin (package-source package)) (tmpdir (tmpnam)) (tmpdir! (mkdir-p tmpdir)) (file-name (origin-actual-file-name origin)) (upstream-archive (string-append tmpdir "/upstream-" file-name)) (substitute-archive (string-append tmpdir "/substitute-" file-name)) (uri (origin-uri origin)) (guix-hash (origin->nix-base32-bash origin)) (upstream-hash (file-hash (build:url-fetch uri upstream-archive))) (hash-ok? (hash-ok? upstream-hash guix-hash)) (substitute (and upstream-hash ;stop if false (not hash-ok?) (download-substitute package substitute-archive))) (safe-to-update? (if hash-ok? #f ;false here means 'no need to update' (and substitute ;stop here if we don't have a substitute (not (compare-tar-archives upstream-archive substitute-archive)))))) (make-result name version guix-hash upstream-hash hash-ok? safe-to-update? date))) ;;; ;;; Main program ;;; (define (find-problematic-packages) "Find and print the names of the potentially problematic GitHub packages." (define (print-packages packages) (for-each (lambda (name) (format #t "~a~%" name)) (map package-name packages)) (format #t "~%")) (define (verify-package-hash package) (format #t "~%~a verifying package hash...~%" (package-name package)) (let* ((result (check-package-hash package)) (name (result-package-name result)) (guix-hash (result-guix-hash result)) (upstream-hash (result-upstream-hash result)) (hash-ok? (result-hash-ok? result))) (format #t "~a Guix hash: ~s~%" name guix-hash) (format #t "~a upstream hash: ~s~%" name upstream-hash) (if hash-ok? (format #t "~a hash OK~%" name) (format #t "~a hash NOK~%" name)) (cond (hash-ok? #t) ;no-op ((result-safe-to-update? result) (format #t "~a hash can be safely updated~%" name)) (else (format #t "~a requires manual verification~%" name))) ;; Append result to results file. (let ((results-file (open-file (results-file) "a"))) (dynamic-wind (lambda () #f) (lambda () (write (result->sexp result) results-file) (display "\n" results-file)) (lambda () (close results-file)))))) (let* ((problematic-github-packages (problematic-github-packages)) (already-checked-packages (already-checked-packages))) (format #t "Number of potentially problematic GitHub packages: ~a~%" (length problematic-github-packages)) ;;(print-packages problematic-github-packages) (unless (null? already-checked-packages) (format #t "Skipping ~a already checked packages~%" (length already-checked-packages))) (for-each verify-package-hash (lset-difference eq? problematic-github-packages already-checked-packages)))) --=-=-= Content-Type: text/plain Content-Disposition: attachment Content-Description: fiasco runner ;;; Script that detects problematic github packages. ;;; To run, use something like this in the "fiasco" dir: ;;; ~/src/guix/pre-inst-env guile -L . main.scm (use-modules (fiasco finder) (fiasco fixer)) (define (main) ;; You may select a different results-dir by parameterizing it ;; differently below. More parameters available to configure can be ;; found in (fiasco finder). (parameterize ((results-dir (string-append (getenv "HOME") "/src/guile-hacks/fiasco"))) (find-problematic-packages) (fix-packages-hash))) (main) --=-=-= Content-Type: text/plain Content-Disposition: attachment Content-Description: (fiasco fixer) module (define-module (fiasco fixer) #:use-module (fiasco finder) #:use-module (guix base32) #:use-module (guix upstream) #:export (fix-packages-hash)) ;;; Commentary: ;;; ;;; Repair the packages whose hash can be safely updated, as found by ;;; the finder script. This should be run from a checkout of the Guix ;;; source tree, e.g. as "./pre-inst-guix guile ~/src/guile-hacks/fiasco/run.scm (define (result-needs-checking? result) (and (not (result-hash-ok? result)) (not (result-safe-to-update? result)))) (define* (fix-packages-hash #:optional (file (results-file))) "Correct the packages whose hash can be safely updated, based on data in FILE." (let* ((results (results-file->results file)) (results-to-check (filter result-needs-checking? results)) (actionable-results (filter result-safe-to-update? results))) (define (update-package-hash result) (when (not (null? (result->package result))) (let* ((package (result->package result)) (name (result-package-name result)) (version (result-package-version result)) (old-hash (result-guix-hash result)) (new-hash (result-upstream-hash result)) (new-hash-bv (nix-base32-string->bytevector new-hash))) (format #t "~a: updating hash from ~s to ~s..." name old-hash new-hash) (if (update-package-source package version new-hash-bv) (format #t " success~%") (format #t " failed~%"))))) (format #t "The following packages require manual verification:~%") (for-each (lambda (r) (format #t "~a version ~a~%" (result-package-name r) (result-package-version r))) results-to-check) (display "\n") (format #t "Attempting to repair the hashes of ~a packages...~%" (length actionable-results)) (for-each update-package-hash actionable-results))) --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Fri Oct 20 17:04:49 2017 Received: (at 28745-done) by debbugs.gnu.org; 20 Oct 2017 21:04:49 +0000 Received: from localhost ([127.0.0.1]:52832 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e5eTJ-0006Um-By for submit@debbugs.gnu.org; Fri, 20 Oct 2017 17:04:49 -0400 Received: from hera.aquilenet.fr ([141.255.128.1]:41880) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e5eTH-0006Uc-JX for 28745-done@debbugs.gnu.org; Fri, 20 Oct 2017 17:04:48 -0400 Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id 8A412EDC7; Fri, 20 Oct 2017 23:04:47 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T9AEghMAfffm; Fri, 20 Oct 2017 23:04:46 +0200 (CEST) Received: from ribbon (unknown [IPv6:2a01:e0a:1d:7270:6a6c:dc17:fc02:cfda]) by hera.aquilenet.fr (Postfix) with ESMTPSA id 4DB01DCB5; Fri, 20 Oct 2017 23:04:46 +0200 (CEST) From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) To: Maxim Cournoyer Subject: Re: bug#28745: [PATCH] tarballs generated on github are generated on demand (leading to different hash sums) References: <20171008114009.3tyhcuioaau6tlya@abyayala> <87k1zv7pos.fsf@gmail.com> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 29 =?utf-8?Q?Vend=C3=A9miaire?= an 226 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Fri, 20 Oct 2017 23:04:43 +0200 In-Reply-To: <87k1zv7pos.fsf@gmail.com> (Maxim Cournoyer's message of "Sun, 15 Oct 2017 23:10:43 -0400") Message-ID: <871slxcyz8.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: 28745-done Cc: bug#28745 <28745-done@debbugs.gnu.org> X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+) Hi, Maxim Cournoyer skribis: > I could finish a script that helped me finding all of our affected > packages, verify that only the hash but not the content of the archives > had changed, as well as automate the hash update for those safe to > update. Great job! > Attached is the patch and the scripts I used. I think we might > want to reuse some of it to extend guix lint to warn packagers that > archives coming from .*github.*archives URL are not guaranteed to be > stable and that it would be better, if available, to use manually > uploaded releases archives. Unfortunately, it=E2=80=99s become commonplace to publish nothing else than= a Git tag. Now, in those cases, we could also use =E2=80=98git-fetch=E2=80= =99, which wouldn=E2=80=99t be affected by problems with generated tarballs. Thoughts? > PS: I've also uploaded the scripts here: > https://notabug.org/apteryx/fiasco for ease of cloning. Any comments > about my nascent (ab)use of Scheme are welcome! The code looks nice! > From 774a764149ecb0e234ae09c9a0a273af671c3c86 Mon Sep 17 00:00:00 2001 > From: Maxim Cournoyer > Date: Sun, 15 Oct 2017 22:17:12 -0400 > Subject: [PATCH] gnu: packages: Fix the hashes of mutated GitHub archives. > > Fixes bug https://bugs.gnu.org/28745. > > * gnu/packages/audio.scm (csound): Fix hash. > * gnu/packages/engineering.scm (fritzing): Likewise. > * gnu/packages/erlang.scm (erlang): Likewise. > * gnu/packages/fonts.scm (font-google-material-design-icons): Likewise. > * gnu/packages/graphics.scm (ogre): Likewise. > * gnu/packages/java.scm (java-plexus-interpolation, antlr3): Likewise. > * gnu/packages/serialization.scm (yaml-cpp): Likewise. > * gnu/packages/version-control.scm (libgit2): Likewise. I=E2=80=99ve checked the hashes by running: ./pre-inst-env guix build -S --no-substitutes csound fritzing erlang \ font-google-material-design-icons ogre java-plexus-interpolation \ antlr3 yaml-cpp libgit2 --max-jobs=3D2 and everything went well. Pushed as fd75eb6cd4e5c689f9e6ce7dd8d87f423778d308, thanks! Ludo=E2=80=99. From debbugs-submit-bounces@debbugs.gnu.org Sat Oct 21 23:13:45 2017 Received: (at 28745-done) by debbugs.gnu.org; 22 Oct 2017 03:13:45 +0000 Received: from localhost ([127.0.0.1]:54828 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e66ht-0004mZ-11 for submit@debbugs.gnu.org; Sat, 21 Oct 2017 23:13:45 -0400 Received: from mail-it0-f49.google.com ([209.85.214.49]:53905) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e66hr-0004mN-FD for 28745-done@debbugs.gnu.org; Sat, 21 Oct 2017 23:13:43 -0400 Received: by mail-it0-f49.google.com with SMTP id n195so2523773itg.2 for <28745-done@debbugs.gnu.org>; Sat, 21 Oct 2017 20:13:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version:content-transfer-encoding; bh=MIsGGCrmKBXHGQUro+W6Che8//QB1A9uE4Gdut7hVI8=; b=a7xYBvlVAyheJLDr2bV12zbVuo0/+6e6TgcmqqqDwP7F5AfEGEN4onB337oHiguIsE esMUJVMTOL+bhVSlCU3lCWwV978elt2aPH6vfnZwBl8K2a+g+X8jXwYbeRPPtZwpbYaG EFXr/4wjPvp/RTpwRA9/IyoBqoHp8hNpJfqWqB/Po/2v7pi5tPE9ZG0VwJOg0unj0h2s RFxo1JrzMesPIoHJH2S3rnuTh/qV80zDrWNZbTp45lvxsZGoHLYrKI+VVe93U4zziR5p MWIzzsBsaieqarf9mUNfmAp5NqGpcnc+xxB77DMqHXEI+i7CtzOacVum/bwrvVRP5WgY aE5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version:content-transfer-encoding; bh=MIsGGCrmKBXHGQUro+W6Che8//QB1A9uE4Gdut7hVI8=; b=F3FlE3o+MXrSl9S70xBp2xPCi7bHQYE9iat3pZt95hSMFmCs4ZSuopoBKKVXBL0H9t UVBenhz2F0e7l/+bu61T/8vXU4ADS558Zsly2Qglptrk2Ut38vZR+oYWTupOXmYb9Kf0 k44NqtEeAjrrI95a8JGQvzcb0SzPiXSQZpq68BVMg0udA4meeLmrzteaiQxqc5IIDNbZ 70axfK5mtSJxGoXrfx3KKWzO+w41+Xyr94JeBQrCs2v5mc0hKT/MqexcZGgyfw5p4GBr YoXPMqkCMttmJpPqonxAIrDn8WD5QZACNLzQsvsdMMF4FUMN9+o+SZmRqpSA00wtvZv9 RVTw== X-Gm-Message-State: AMCzsaW7YlPkp+HjPpCZGpplATQbdL5tcZ4z7dsi2XXKTB65Ho5Gs8aP DXwx1ajJL+m6SjST1IfSoatZ3w== X-Google-Smtp-Source: ABhQp+SI81vlHncOIuNVmEdC+kHF5TKcqKPZzxVui/CfFHG0iVyqZETi+Xszdh1YW+ckxB4uqz3UVw== X-Received: by 10.36.216.70 with SMTP id b67mr4209475itg.131.1508642017691; Sat, 21 Oct 2017 20:13:37 -0700 (PDT) Received: from apteryx ([24.140.229.228]) by smtp.gmail.com with ESMTPSA id s16sm1061050itb.15.2017.10.21.20.13.36 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 21 Oct 2017 20:13:37 -0700 (PDT) From: Maxim Cournoyer To: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: Re: bug#28745: [PATCH] tarballs generated on github are generated on demand (leading to different hash sums) References: <20171008114009.3tyhcuioaau6tlya@abyayala> <87k1zv7pos.fsf@gmail.com> <871slxcyz8.fsf@gnu.org> Date: Sat, 21 Oct 2017 23:13:36 -0400 In-Reply-To: <871slxcyz8.fsf@gnu.org> ("Ludovic \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\= \=\?utf-8\?Q\?s\?\= message of "Fri, 20 Oct 2017 23:04:43 +0200") Message-ID: <87y3o350yn.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.5 (/) X-Debbugs-Envelope-To: 28745-done Cc: bug#28745 <28745-done@debbugs.gnu.org> X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.5 (/) ludo@gnu.org (Ludovic Court=C3=A8s) writes: > Maxim Cournoyer skribis: > [...] > >> Attached is the patch and the scripts I used. I think we might >> want to reuse some of it to extend guix lint to warn packagers that >> archives coming from .*github.*archives URL are not guaranteed to be >> stable and that it would be better, if available, to use manually >> uploaded releases archives. > > Unfortunately, it=E2=80=99s become commonplace to publish nothing else th= an a > Git tag. Now, in those cases, we could also use =E2=80=98git-fetch=E2=80= =99, which > wouldn=E2=80=99t be affected by problems with generated tarballs. > > Thoughts? I think the status quo is reasonable for now; if this becomes a recurring problem we can reopen the issue and do something more about it. >> PS: I've also uploaded the scripts here: >> https://notabug.org/apteryx/fiasco for ease of cloning. Any comments >> about my nascent (ab)use of Scheme are welcome! > > The code looks nice! OK, that's reassuring! :) > >> From 774a764149ecb0e234ae09c9a0a273af671c3c86 Mon Sep 17 00:00:00 2001 >> From: Maxim Cournoyer >> Date: Sun, 15 Oct 2017 22:17:12 -0400 >> Subject: [PATCH] gnu: packages: Fix the hashes of mutated GitHub archive= s. >> >> Fixes bug https://bugs.gnu.org/28745. >> >> * gnu/packages/audio.scm (csound): Fix hash. >> * gnu/packages/engineering.scm (fritzing): Likewise. >> * gnu/packages/erlang.scm (erlang): Likewise. >> * gnu/packages/fonts.scm (font-google-material-design-icons): Likewise. >> * gnu/packages/graphics.scm (ogre): Likewise. >> * gnu/packages/java.scm (java-plexus-interpolation, antlr3): Likewise. >> * gnu/packages/serialization.scm (yaml-cpp): Likewise. >> * gnu/packages/version-control.scm (libgit2): Likewise. > > I=E2=80=99ve checked the hashes by running: > > ./pre-inst-env guix build -S --no-substitutes csound fritzing erlang \ > font-google-material-design-icons ogre java-plexus-interpolation \ > antlr3 yaml-cpp libgit2 --max-jobs=3D2 > > and everything went well. > > Pushed as fd75eb6cd4e5c689f9e6ce7dd8d87f423778d308, thanks! > > Ludo=E2=80=99. Thanks! Maxim From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 22 06:48:39 2017 Received: (at 28745-done) by debbugs.gnu.org; 22 Oct 2017 10:48:39 +0000 Received: from localhost ([127.0.0.1]:54943 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e6Do7-0007iQ-3C for submit@debbugs.gnu.org; Sun, 22 Oct 2017 06:48:39 -0400 Received: from sender-of-o51.zoho.com ([135.84.80.216]:21140) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e6Do4-0007iG-Ff for 28745-done@debbugs.gnu.org; Sun, 22 Oct 2017 06:48:37 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1508669287; s=zoho; d=elephly.net; i=rekado@elephly.net; h=References:From:To:Cc:Subject:In-reply-to:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; l=595; bh=Z0I7yZkSr5UqAM7cLCd4U4zsloM9DXS512noxXG6R6g=; b=Cfwp5+fAU6UukiDGOrcieirSByd9BuMnPd7eku4JtXwC5FII7peU989+wTS91xrJ KTzewPVsnkIJUZmzVFgTxCQo/j/msek7P+O8OmpYtTI2sK4a+a/x6TOzN6Dqd17ZbPx 3wSFV72k7aMXg+Skhqc5UIazUZcz1j1aVpETGAK8= Received: from localhost (port-92-200-48-141.dynamic.qsc.de [92.200.48.141]) by mx.zohomail.com with SMTPS id 1508669287425349.38738840946894; Sun, 22 Oct 2017 03:48:07 -0700 (PDT) References: <20171008114009.3tyhcuioaau6tlya@abyayala> <87k1zv7pos.fsf@gmail.com> <871slxcyz8.fsf@gnu.org> User-agent: mu4e 0.9.18; emacs 25.3.1 From: Ricardo Wurmus To: Ludovic =?utf-8?Q?Court=C3=A8s?= Subject: Re: bug#28745: [PATCH] tarballs generated on github are generated on demand (leading to different hash sums) In-reply-to: <871slxcyz8.fsf@gnu.org> X-URL: https://elephly.net X-PGP-Key: https://elephly.net/rekado.pubkey X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC Date: Sun, 22 Oct 2017 12:48:04 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Message-ID: <871slvv4pn.fsf@elephly.net> X-ZohoMailClient: External X-Spam-Score: -2.8 (--) X-Debbugs-Envelope-To: 28745-done Cc: bug#28745 <28745-done@debbugs.gnu.org>, Maxim Cournoyer X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.8 (--) Ludovic Court=C3=A8s writes: > Unfortunately, it=E2=80=99s become commonplace to publish nothing else th= an a > Git tag. Now, in those cases, we could also use =E2=80=98git-fetch=E2=80= =99, which > wouldn=E2=80=99t be affected by problems with generated tarballs. > > Thoughts? For a couple of packages I=E2=80=99ve already started using git-fetch with = the tag (instead of the commit hash). I think that=E2=80=99s preferable over u= sing auto-generated tarballs. -- Ricardo GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC https://elephly.net From unknown Sat Jun 14 19:38:44 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Sun, 19 Nov 2017 12:24:04 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator