
Re: guix hash of source from git repository.

From: Leo Famulari
Subject: Re: guix hash of source from git repository.
Date: Tue, 21 Feb 2017 17:21:02 -0500
User-agent: Mutt/1.7.2 (2016-11-26)

On Tue, Feb 21, 2017 at 09:56:29PM +0000, ng0 wrote:
> On 17-02-21 22:25:35, Catonano wrote:
> Please avoid doing it the way described below though. Calculating it in
> advance is more secure and helps to prevent introducing errors. If
> there's a mismatch it shows an error.
> > Another option is to try to build the package with the wrong hash, wait for
> > the error message and copy the right hash from within the error message
> > itself. Lame, but hey

I agree with ng0. We should not do this when creating Guix packages.

The guix download code has a relatively rare "network signature" when
compared to things like a web browser or wget.

Someone could serve a different file when they detect use of the Guix
download tool, and if this makes it into a package definition, all of
our users would end up with the wrong software.
