GNU bug report logs - #52591
downloading from software archives as default even if version is wrong

Previous Next

Package: guix;

Reported by: Andy Tai <lichengtai <at> gmail.com>

Date: Fri, 17 Dec 2021 23:42:02 UTC

Severity: normal

Full log

View this message in rfc822 format

From: Maxime Devos <maximedevos <at> telenet.be>
To: Andy Tai <lichengtai <at> gmail.com>, 52591 <at> debbugs.gnu.org
Subject: bug#52591: downloading from software archives as default even if version is wrong
Date: Fri, 17 Dec 2021 23:58:20 +0000

Andy Tai schreef op vr 17-12-2021 om 15:40 [-0800]:
> @@ -38,7 +38,7 @@ (define-module (gnu packages mono)
>  (define-public mono
>    (package
>      (name "mono")
> -    (version "4.4.1.0")
> +    (version "4.8.1")
>      (source (origin
>                (method url-fetch)
>                (uri (string-append
> --end of patch--

You forgot to update the sha256 hash. You can use
"guix download https://the-website/mono-4.8.1.tar.bz2" to determine the
hash. Or toggle a single character & look at the hash mismatch line.

Does that work for you?

[...]
> as seen above, somehow the old version was downloaded from a cached
> copy at softwareheritage archives, and it proceeds to build.   This
> should not proceed but fail for wrong checksum.

SWH isn't a cache, its an archive that keeps everything forever.

Guix has no way to determine if upstream is doing unspeakable things to
their tarballs (*) and hence needs to use SWH, or if someone forgot to
change the hash on guix. This has been noticed in the past, without
any ideas on how to somehow teach guix to determine the case.

(*) e.g. in-place modification, which changes the hash

Greetings,
Maxime.
This bug report was last modified 3 years and 179 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.