
Re: How do I verify my hashes?

From: Vagrant Cascadian
Subject: Re: How do I verify my hashes?
Date: Sat, 09 Jul 2022 21:13:08 -0700

On 2022-07-09, wrote:
> Today Bonface mentioned to me that I should be cloning my packages and
> verifying the hashes with `git hash-object` or `git hash` iirc?

probably "guix hash"

> Do others do this when packaging?
> My workflow currently is the lazy way:
> 1. I change the version in the package definition.
> 2. build the package
> 3. package blows up on stdout
> 4. I retrieve the hash and add it
> 5. profit!

Profit, for whom? Whoever injected the cryptocurrency malware? :P

My workflow for git-based things is typically:

1. git clone && cd someproject

2. git co -b VERSION-local VERSION


4. git clean -dfx # make sure the working tree is totally clean

5. guix hash -rx .

Step 3, even if I don't completely understand the code, I can at least
check for (problematic) license changes or maybe something "obviously"

Similar steps for tarballs-based projects, though you may need to unpack
and/or diffoscope the sources for step 3.

I don't have a good idea how to verify pypi or similar origins... but
you could at least double-check the sources of the old and new versions
with something like:

1. guix build --source # before you update the hash

2. update version, build, get new hash, update hash ...

3. guix build --source # after updating the hash


And do a best effort check for issues...

live well,
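Added example (not part of this thread, and not Guix's own code): a Python script that recomputes what `guix hash -rx .` produces for a checkout, so a packager can compare a local tree with the hash already in a package definition instead of just pasting whatever the failed build printed. It serializes the tree in the Nix archive (nar) format, SHA-256-hashes the serialization and encodes the digest in nix-base32, following my reading of guix's serialization code: `-x` skips the `.bzr`, `.git`, `.hg`, `.svn` and `CVS` directories (and the `.git` submodule pointer file), directory entries are emitted in sorted order, and a file is marked executable when its owner execute bit is set. That this matches `guix hash` bit for bit is an assumption to confirm against the real tool on the same checkout; `demo()` builds a constructed sample tree and shows that a stray `.git` directory changes the hash unless it is excluded.

```python
"""Recompute the `guix hash -rx .` value of a source tree (added example)."""
import hashlib
import os
import stat
import struct
import tempfile

# Version-control directories that `guix hash -x` skips (assumption: same list as guix).
VCS_DIRS = {".bzr", ".git", ".hg", ".svn", "CVS"}
# Nix's base32 alphabet (no e, o, t, u), the default output format of `guix hash`.
NIX_BASE32_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"


def nar_str(data: bytes) -> bytes:
    """Nar string framing: 8-byte little-endian length, the bytes, zero-padded to 8."""
    return struct.pack("<Q", len(data)) + data + b"\0" * ((-len(data)) % 8)


def nar_serialize_node(node) -> bytes:
    """Serialize one in-memory node: ("regular", exec, bytes), ("symlink", target)
    or ("directory", {name: node})."""
    kind = node[0]
    out = [nar_str(b"("), nar_str(b"type")]
    if kind == "regular":
        _, executable, contents = node
        out.append(nar_str(b"regular"))
        if executable:
            out += [nar_str(b"executable"), nar_str(b"")]
        out += [nar_str(b"contents"), nar_str(contents)]
    elif kind == "symlink":
        out += [nar_str(b"symlink"), nar_str(b"target"), nar_str(node[1].encode())]
    elif kind == "directory":
        out.append(nar_str(b"directory"))
        for name in sorted(node[1]):  # entries in byte order, like the nar writer
            out += [nar_str(b"entry"), nar_str(b"("), nar_str(b"name"),
                    nar_str(name.encode()), nar_str(b"node"),
                    nar_serialize_node(node[1][name]), nar_str(b")")]
    else:
        raise ValueError(f"unknown node kind {kind!r}")
    out.append(nar_str(b")"))
    return b"".join(out)


def nar_serialize(node) -> bytes:
    """Full archive: magic header followed by the root node."""
    return nar_str(b"nix-archive-1") + nar_serialize_node(node)


def nix_base32(digest: bytes) -> str:
    """Nix-style base32: 5 bits per character, least significant bits first."""
    nchars = (len(digest) * 8 - 1) // 5 + 1
    chars = []
    for n in range(nchars - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        chars.append(NIX_BASE32_ALPHABET[c & 0x1F])
    return "".join(chars)


def is_vcs_file(path: str) -> bool:
    """What -x excludes: VCS directories, plus the regular `.git` file of a submodule."""
    name = os.path.basename(path)
    if os.path.isdir(path) and not os.path.islink(path):
        return name in VCS_DIRS
    return os.path.isfile(path) and name == ".git"


def tree_from_path(path: str, exclude_vcs: bool = True):
    """Build the in-memory node tree for a filesystem path (symlinks are not followed)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ("symlink", os.readlink(path))
    if stat.S_ISDIR(st.st_mode):
        entries = {}
        for child in os.listdir(path):
            child_path = os.path.join(path, child)
            if exclude_vcs and is_vcs_file(child_path):
                continue
            entries[child] = tree_from_path(child_path, exclude_vcs)
        return ("directory", entries)
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            return ("regular", bool(st.st_mode & stat.S_IXUSR), f.read())
    raise ValueError(f"unsupported file type: {path}")


def guix_hash_recursive(path: str, exclude_vcs: bool = True) -> str:
    """Equivalent of `guix hash -r` (plus -x when exclude_vcs): nix-base32 of sha256(nar)."""
    nar = nar_serialize(tree_from_path(path, exclude_vcs))
    return nix_base32(hashlib.sha256(nar).digest())


def demo():
    """Constructed sample tree with a leftover .git directory; returns
    (hash with -x, hash without -x, hash of the same tree built in memory)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))
        with open(os.path.join(root, ".git", "HEAD"), "w") as f:
            f.write("ref: refs/heads/main\n")
        with open(os.path.join(root, "README"), "w") as f:
            f.write("hello\n")
        os.makedirs(os.path.join(root, "src"))
        with open(os.path.join(root, "src", "main.c"), "w") as f:
            f.write("int main(void) { return 0; }\n")
        with_exclude = guix_hash_recursive(root, exclude_vcs=True)
        without_exclude = guix_hash_recursive(root, exclude_vcs=False)
    in_memory = ("directory", {
        "README": ("regular", False, b"hello\n"),
        "src": ("directory", {"main.c": ("regular", False, b"int main(void) { return 0; }\n")}),
    })
    expected = nix_base32(hashlib.sha256(nar_serialize(in_memory)).digest())
    return with_exclude, without_exclude, expected


if __name__ == "__main__":
    import sys
    # Usage: python3 guix_hash.py [DIR]; compare the output with the package's sha256.
    print(guix_hash_recursive(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it on the cleaned checkout from step 4 and compare with the hash you are about to put in the package definition; the two only agree when the tree you inspected is byte for byte the tree the build will fetch, which is the whole point of hashing the checkout yourself rather than copying the value from the build failure.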
