[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#36614: rust@1.36's hash is incorrect.

From: Tobias Geerinckx-Rice
Subject: bug#36614: rust@1.36's hash is incorrect.
Date: Fri, 12 Jul 2019 19:26:07 +0200


Ivan Petkov wrote:
My apologies, this was all partly my fault. I do have the old source lying around, diffing the two (attached) reveals that the changelog and one source
file actually changed.

A bit more detailed context:
The rust project makes pre-release sources available for testing ahead of the formal release, and the process is meant to shake out any potential bugs. I tested with the prerelease build originally, and after the real release came out I updated the package URL to the formal release and immediately
rebuilt successfully.

No apologies necessary. It's nice to know that our Rust updates will always follow swiftly on the heels of upstream as long as you take care of them. However, please make sure to check the signature (.asc) once the final release is cut; one never knows...

I'm not 100% sure if maybe guix reused the cached tarball I had from earlier, or whether the prerelease source was immediately upgraded to the formal release and fixed shortly after. (I did try rebuilding right before pushing the change out which succeeded with no changes, which I'm guessing is because guix did not redownload the tarball and why I didn't notice the hash mismatch).

Yes, this is exactly what happened. I consider this is a feature of Guix, even though it can feel like a gotcha sometimes. :-)

We often tend to think of the source URL(s) as an ‘identifier’ of the source file. However, it is nothing more than a hint about its *location*. The only authoritative identifier of its *content* is the hash: to get *this file* (content hash), try looking *here* (location: URL).

One origin may have 0 or more source URLs: Guix will try them all until it downloads something matching the hash (and if even that fails it will try some implicit ones like tarballs.nixos.org).

   ‘Unique’ identifier (hash)
     ├ maybe you can *find* it here (URL)
     ├ or here (another URL)
     ├ hell maybe here I don't know (yet another URL)
Guix cares only about the content of the file; it doesn't care or even remember how it got it. Or: if you change the download hint (release URL in this case), Guix won't care, because you didn't change the hash.

I hope that makes some sense,


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]