guix-devel

Re: Be careful with PyPI


From: Leo Famulari
Subject: Re: Be careful with PyPI
Date: Sun, 8 Jan 2023 13:47:57 -0500

On Fri, Jan 06, 2023 at 03:36:38PM +0100, zimoun wrote:
> If the origin does not exist upstream, then Guix tries other servers as
> fallback.  For instance,
[...]
> downloading from https://tarballs.nixos.org/sha256/1j8bsqzh49vjdxy6l1k4iwax5vpjzniynyd041xjavdzvfii1dlh ...

> One potential issue is that the tarballs.nixos.org is using the checksum
> as lookup key.  Therefore, when modifying only the version and not the
> checksum, then something is returned with an inconsistent name/content.

Many of us discover this behaviour the hard way. It's not just about
PyPI: this can happen with any download, unless something changed.

Thanks for the detailed explanation!
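
The lookup-by-checksum behaviour discussed in this message, as an added example that is not part of the original thread and is not Guix's code: a simplified Python model of an upstream fetch with a content-addressed fallback, plus a review check for a version bump that kept the old checksum. The package name foo, the example.org URLs, the dict layout and the function names are all hypothetical.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the only release upstream ever published.
FOO_1_0 = b"constructed tarball contents of foo-1.0"

# Upstream is keyed by URL; the fallback mirror is keyed by checksum only,
# so it has no idea which name or version the caller thinks it is asking for.
UPSTREAM = {"https://example.org/foo-1.0.tar.gz": FOO_1_0}
MIRROR = {sha256_hex(FOO_1_0): FOO_1_0}

def fetch(url, expected_sha256):
    """Simplified model: try upstream first, then the checksum-keyed fallback."""
    source, data = "upstream", UPSTREAM.get(url)
    if data is None:
        source, data = "content-addressed fallback", MIRROR.get(expected_sha256)
    if data is None or sha256_hex(data) != expected_sha256:
        raise ValueError("no source matching " + expected_sha256)
    return source, data

def version_bumped_without_hash(old, new):
    """Review check: the version changed but the checksum is still the old one."""
    return old["version"] != new["version"] and old["sha256"] == new["sha256"]

# Constructed package records: NEW_PKG bumps version and URL, not the checksum.
OLD_PKG = {"version": "1.0",
           "url": "https://example.org/foo-1.0.tar.gz",
           "sha256": sha256_hex(FOO_1_0)}
NEW_PKG = dict(OLD_PKG, version="1.1",
               url="https://example.org/foo-1.1.tar.gz")

if __name__ == "__main__":
    source, data = fetch(NEW_PKG["url"], NEW_PKG["sha256"])
    # The checksum verifies, yet the bytes are the 1.0 tarball labelled 1.1.
    print(source, "->", data.decode())
    print("flag for review:", version_bumped_without_hash(OLD_PKG, NEW_PKG))
```

The fetch succeeds because the checksum still matches, which is why the mismatch between name and content has to be caught by comparing the package record against its previous revision rather than by the download itself.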


