Re: Be careful with PyPI
From: Leo Famulari
Subject: Re: Be careful with PyPI
Date: Sun, 8 Jan 2023 13:47:57 -0500
On Fri, Jan 06, 2023 at 03:36:38PM +0100, zimoun wrote:
> If the origin does not exist upstream, then Guix tries other servers as
> fallback. For instance,
[...]
> downloading from
> https://tarballs.nixos.org/sha256/1j8bsqzh49vjdxy6l1k4iwax5vpjzniynyd041xjavdzvfii1dlh
> ...
> One potential issue is that the tarballs.nixos.org is using the checksum
> as lookup key. Therefore, when modifying only the version and not the
> checksum, then something is returned with an inconsistent name/content.
Many of us discover this behaviour the hard way. It's not just about
PyPI: this can happen with any download, unless something changed.
Thanks for the detailed explanation!
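
The behaviour discussed in this thread, as an added example that is not part of either message and is not Guix code: a simplified model of a fetch that falls back to a mirror keyed only by checksum, plus a lint for a version bump that kept the old checksum. The package "foo", the upstream.example URLs, and the names fetch, stale_hash and recipe are assumptions made for illustration.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample data for a hypothetical package "foo".
OLD_TARBALL = b"contents of foo-1.0"
NEW_TARBALL = b"contents of foo-1.1"
# Upstream only has 1.0 here; the 1.1 URL does not resolve.
UPSTREAM = {"https://upstream.example/foo-1.0.tar.gz": OLD_TARBALL}
# Fallback mirror: the checksum is the only lookup key.
MIRROR = {sha256_hex(OLD_TARBALL): OLD_TARBALL}

def fetch(url, expected_hash, upstream=UPSTREAM, mirror=MIRROR):
    """Return (data, source): upstream first, then the hash-keyed fallback."""
    data, source = upstream.get(url), "upstream"
    if data is None:
        # The URL, and so the version in it, plays no part in this lookup.
        data, source = mirror.get(expected_hash), "fallback"
    if data is None:
        raise LookupError(f"{url}: not found upstream or on the mirror")
    if sha256_hex(data) != expected_hash:
        raise ValueError(f"{url}: hash mismatch")
    return data, source

def recipe(version, sha256):
    """Minimal stand-in for a package definition (hypothetical layout)."""
    return {"version": version, "sha256": sha256,
            "url": f"https://upstream.example/foo-{version}.tar.gz"}

def stale_hash(old, new):
    """Lint: the version changed but the checksum did not."""
    return old["version"] != new["version"] and old["sha256"] == new["sha256"]

if __name__ == "__main__":
    old = recipe("1.0", sha256_hex(OLD_TARBALL))
    bumped = recipe("1.1", old["sha256"])      # version edited, hash forgotten
    data, source = fetch(bumped["url"], bumped["sha256"])
    print(source, data)                        # old content under the new name
    print("stale hash:", stale_hash(old, bumped))
```

The fetch succeeds because the integrity check only proves that the bytes match the recorded checksum, not that they belong to the requested version; comparing the old and new definitions is what exposes the mistake.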