From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 02 16:00:56 2017 Received: (at 28659) by debbugs.gnu.org; 2 Oct 2017 20:00:56 +0000 Received: from localhost ([127.0.0.1]:44569 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dz6tb-0004dA-Om for submit@debbugs.gnu.org; Mon, 02 Oct 2017 16:00:55 -0400 Received: from eggs.gnu.org ([208.118.235.92]:50435) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dz6tZ-0004cx-Oc for 28659@debbugs.gnu.org; Mon, 02 Oct 2017 16:00:54 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dz6tT-00070j-JV for 28659@debbugs.gnu.org; Mon, 02 Oct 2017 16:00:48 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:46648) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dz6tK-0006vF-08; Mon, 02 Oct 2017 16:00:38 -0400 Received: from vpn-0-27.aquilenet.fr ([2a01:474:4:27::]:60086 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1dz6tJ-0001tZ-6o; Mon, 02 Oct 2017 16:00:37 -0400 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) To: Leo Famulari Subject: Re: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1 content hashes fail References: <877ewf18d4.fsf@gnu.org> <87o9ppoabw.fsf@gnu.org> <20171002182208.GB10773@jasmine.lan> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 11 =?utf-8?Q?Vend=C3=A9miaire?= an 226 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Mon, 02 Oct 2017 22:00:33 +0200 In-Reply-To: <20171002182208.GB10773@jasmine.lan> (Leo Famulari's message of "Mon, 2 Oct 2017 14:22:08 -0400") Message-ID: <878tgt721q.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: 28659 Cc: 28659@debbugs.gnu.org, Jan Nieuwenhuizen X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) Leo Famulari skribis: > On Mon, Oct 02, 2017 at 05:09:39PM +0200, Ludovic Court=C3=A8s wrote: >> What=E2=80=99s sad here is that we do have the right tarball at: >>=20 >> https://mirror.hydra.gnu.org/file/libgit2-0.25.1.tar.gz/sha256/1cdwcw3= 8frc1wf28x5ppddazv9hywc718j92f3xa3ybzzycyds3s Just to be clear: this URL is not that of a substitute, but that of a content-addressed file (corresponding to the output of a fixed-output derivation.) > It seems to me that there are several reasons someone may choose not to > use substitutes. Some of those reasons (reproducibility and security > concerns) are obviated for fixed-output derivations like upstream > sources, and I think it would be fine to still use substitutes for these > derivations. > > But the motivations of privacy, self-sufficiency, etc are not addressed > by that idea. Right. Jan suggested checking the content-addressed mirrors *before* the real upstream address. That would address the problem of upstream sources modified in-place, but at the cost of privacy/self-sufficiency as you note. (Though it=E2=80=99s not really making =E2=80=9Cprivacy=E2=80= =9D any worse in this case: it=E2=80=99s gnu.org vs. github.com.) Perhaps we should make content-addressed mirrors configurable in a way that=E2=80=99s orthogonal to derivations, something similar in spirit to --substitute-urls? The difficulty is that content-addressed mirrors are not just URLs; see (guix download). Thoughts? Ludo=E2=80=99.