GNU bug report logs - #28659
Content-addressed mirror is not used upon invalid hash

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Severity: important; Reported by: Jan Nieuwenhuizen <janneke@HIDDEN>; dated Sun, 1 Oct 2017 10:17:02 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 15 Dec 2017 09:30:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Dec 15 04:30:51 2017
Received: from localhost ([127.0.0.1]:34613 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1ePmKL-000313-M9
	for submit <at> debbugs.gnu.org; Fri, 15 Dec 2017 04:30:51 -0500
Received: from hera.aquilenet.fr ([141.255.128.1]:54253)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1ePmKJ-00030t-26
 for 28659 <at> debbugs.gnu.org; Fri, 15 Dec 2017 04:30:44 -0500
Received: from localhost (localhost [127.0.0.1])
 by hera.aquilenet.fr (Postfix) with ESMTP id 794431024C;
 Fri, 15 Dec 2017 10:30:45 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at aquilenet.fr
Received: from hera.aquilenet.fr ([127.0.0.1])
 by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 6vEuX9Wi0SxA; Fri, 15 Dec 2017 10:30:43 +0100 (CET)
Received: from ribbon (unknown [193.50.110.249])
 by hera.aquilenet.fr (Postfix) with ESMTPSA id 8A940DA55;
 Fri, 15 Dec 2017 10:30:43 +0100 (CET)
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Leo Famulari <leo@HIDDEN>
Subject: Always enable substitutes for fixed-output derivations
References: <877ewf18d4.fsf@HIDDEN> <87o9ppoabw.fsf@HIDDEN>
 <20171002182208.GB10773@HIDDEN> <878tgt721q.fsf@HIDDEN>
 <20171020211700.GA32355@HIDDEN> <87d1421qek.fsf@HIDDEN>
 <874lot9rou.fsf@HIDDEN>
Date: Fri, 15 Dec 2017 10:30:39 +0100
In-Reply-To: <874lot9rou.fsf@HIDDEN> ("Ludovic
 \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\=
 \=\?utf-8\?Q\?s\?\= message of "Thu, 14 Dec 2017 17:53:37 +0100")
Message-ID: <87a7ykmj7k.fsf_-_@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: 1.0 (+)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Jan Nieuwenhuizen <janneke@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 1.0 (+)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

ludo@HIDDEN (Ludovic Court=C3=A8s) skribis:

> So I think we have to communicate more info from the daemon to =E2=80=98g=
uix
> substitute=E2=80=99.

The attached patch addresses that by simply calling out to the daemon to
determine whether we=E2=80=99re dealing with a content-addressed item.

To summarize, the new behavior is that substitutes are always enabled
for fixed-output derivations.  That way, people willing to build
everything from source can still use =E2=80=98--no-substitutes=E2=80=99 and=
 yet be able
to retrieve source code without being penalized compared to someone
enabling substitutes wholesale.

Of course, when substitutes are missing, we fall back to regular
downloads or VCS checkouts.  It is also still possible to choose where
substitutes are downloaded from, using =E2=80=98--substitute-urls=E2=80=99,=
 or even to
pass an empty list of URLs.

Feedback welcome!

Ludo=E2=80=99.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment;
 filename=0001-substitute-Always-allow-substitutes-for-fixed-output.patch

From aab42bcb212698bc1f61beb9f321ffbd751f36f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@HIDDEN>
Date: Fri, 15 Dec 2017 09:57:04 +0100
Subject: [PATCH 1/2] substitute: Always allow substitutes for fixed-output
 derivation results.

Fixes <https://bugs.gnu.org/28659>.

* guix/scripts/substitute.scm (content-addressed-item?): New procedure.
(valid-narinfo?): Use it.
* nix/libstore/build.cc (DerivationGoal::haveDerivation): Always make a
substitution goal when 'fixedOutput' is true.
* tests/substitute.scm ("query unsigned narinfo for content-addressed
item"): New test.
---
 guix/scripts/substitute.scm | 31 ++++++++++++++++++++++++++++++-
 nix/libstore/build.cc       |  6 ++++--
 tests/substitute.scm        | 24 +++++++++++++++++++++++-
 3 files changed, 57 insertions(+), 4 deletions(-)

diff --git a/guix/scripts/substitute.scm b/guix/scripts/substitute.scm
index 2fd2bf810..670a9b4dd 100755
--- a/guix/scripts/substitute.scm
+++ b/guix/scripts/substitute.scm
@@ -25,6 +25,9 @@
   #:use-module (guix config)
   #:use-module (guix records)
   #:use-module ((guix serialization) #:select (restore-file))
+  #:use-module ((guix derivations)
+                #:select (read-derivation-from-file
+                          fixed-output-derivation?))
   #:use-module (guix hash)
   #:use-module (guix base32)
   #:use-module (guix base64)
@@ -406,10 +409,36 @@ No authentication and authorization checks are performed here!"
        (let ((above-signature (string-take contents index)))
          (sha256 (string->utf8 above-signature)))))))
 
+(define* (content-addressed-item? item)
+  "Return true if ITEM is content-addressed---i.e., if ITEM is the result of a
+fixed-output derivation."
+  (guard (c ((nix-connection-error? c)
+             ;; We failed to connect, maybe because we have the wrong
+             ;; GUIX_DAEMON_SOCKET?  Let's conservatively assume that
+             ;; nothing's content-addressed.
+             #f))
+    (with-store store
+      (match (valid-derivers store item)
+        (()
+         ;; If there are no valid derivers it's most likely because ITEM is a
+         ;; source (added with 'add-to-store' or similar).  Nevertheless,
+         ;; since we can't be certain, return #f.
+         #f)
+        ((drv . _)
+         (fixed-output-derivation?
+          (read-derivation-from-file drv)))))))
+
 (define* (valid-narinfo? narinfo #:optional (acl (current-acl))
                          #:key verbose?)
-  "Return #t if NARINFO's signature is not valid."
+  "Return #t if NARINFO is \"valid\"---signed by an authorized key, or
+designating a content-addressed item."
   (or %allow-unauthenticated-substitutes?
+
+      ;; If NARINFO designates a content-addressed item, there's no point
+      ;; authenticating it.  Don't explicitly check 'narinfo-hash' for
+      ;; integrity: this will be done by the daemon once we've downloaded it.
+      (content-addressed-item? (narinfo-path narinfo))
+
       (let ((hash      (narinfo-sha256 narinfo))
             (signature (narinfo-signature narinfo))
             (uri       (uri->string (narinfo-uri narinfo))))
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index d68e8b2bc..03a8f5080 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -1034,8 +1034,10 @@ void DerivationGoal::haveDerivation()
 
     /* We are first going to try to create the invalid output paths
        through substitutes.  If that doesn't work, we'll build
-       them. */
-    if (settings.useSubstitutes && substitutesAllowed(drv))
+       them.  Always enable substitutes for fixed-output derivations to
+       protect against disappearing files and in-place modifications on
+       upstream sites.  */
+    if ((fixedOutput || settings.useSubstitutes) && substitutesAllowed(drv))
         foreach (PathSet::iterator, i, invalidOutputs)
             addWaitee(worker.makeSubstitutionGoal(*i, buildMode == bmRepair));
 
diff --git a/tests/substitute.scm b/tests/substitute.scm
index 0ad624795..03579b9f1 100644
--- a/tests/substitute.scm
+++ b/tests/substitute.scm
@@ -21,15 +21,17 @@
   #:use-module (guix scripts substitute)
   #:use-module (guix base64)
   #:use-module (guix hash)
+  #:use-module (guix derivations)
   #:use-module (guix serialization)
   #:use-module (guix pk-crypto)
   #:use-module (guix pki)
   #:use-module (guix config)
   #:use-module (guix base32)
-  #:use-module ((guix store) #:select (%store-prefix))
+  #:use-module ((guix store) #:select (%store-prefix with-store))
   #:use-module ((guix ui) #:select (guix-warning-port))
   #:use-module ((guix build utils)
                 #:select (mkdir-p delete-file-recursively))
+  #:use-module (guix tests)
   #:use-module (guix tests http)
   #:use-module (rnrs bytevectors)
   #:use-module (rnrs io ports)
@@ -241,6 +243,26 @@ a file for NARINFO."
            (lambda ()
              (guix-substitute "--query"))))))))
 
+(test-assert "query unsigned narinfo for content-addressed item"
+  (with-store store
+    (let* ((hash (sha256 (random-bytevector 128)))
+           (drv  (derivation store "content-addressed"
+                             "builtin:download" '()
+                             #:hash-algo 'sha256 #:hash hash)))
+      (define output
+        (with-output-to-string
+          (lambda ()
+            (with-derivation-narinfo drv (sha256 => hash)
+              (with-input-from-string (string-append "have "
+                                                     (derivation->output-path drv))
+                (lambda ()
+                  (set! (@@ (guix scripts substitute)
+                            %allow-unauthenticated-substitutes?)
+                    #f)
+                  (guix-substitute "--query")))))))
+
+      (string=? (string-trim-both output) (derivation->output-path drv)))))
+
 (test-quit "substitute, no signature"
     "no valid substitute"
   (with-narinfo %narinfo
-- 
2.15.1


--=-=-=
Content-Type: text/x-patch; charset=utf-8
Content-Disposition: attachment;
 filename=0002-Revert-download-Download-a-nar-when-a-VCS-checkout-f.patch
Content-Transfer-Encoding: quoted-printable

From 9bcf90b99a79f9f3e126cde5fe1cf51b0dfa58aa Mon Sep 17 00:00:00 2001
From: =3D?UTF-8?q?Ludovic=3D20Court=3DC3=3DA8s?=3D <ludo@HIDDEN>
Date: Fri, 15 Dec 2017 10:03:39 +0100
Subject: [PATCH 2/2] Revert "download: Download a nar when a VCS checkout
 fails."

This reverts commit 37ce440dcffa9ff4f5401bacbc9619bd8ea561c1, which is
useless now that substitutes are always enabled for content-addressed
items.
---
 Makefile.am                 |   1 -
 guix/build/download-nar.scm | 125 ----------------------------------------=
----
 guix/cvs-download.scm       |  38 ++++----------
 guix/git-download.scm       |  37 +++----------
 guix/hg-download.scm        |  36 ++++---------
 5 files changed, 26 insertions(+), 211 deletions(-)
 delete mode 100644 guix/build/download-nar.scm

diff --git a/Makefile.am b/Makefile.am
index 85b9ab36d..d2660b0a7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -110,7 +110,6 @@ MODULES =3D					\
   guix/ui.scm					\
   guix/build/ant-build-system.scm		\
   guix/build/download.scm			\
-  guix/build/download-nar.scm			\
   guix/build/cargo-build-system.scm		\
   guix/build/cmake-build-system.scm		\
   guix/build/dub-build-system.scm		\
diff --git a/guix/build/download-nar.scm b/guix/build/download-nar.scm
deleted file mode 100644
index 13f01fb1e..000000000
--- a/guix/build/download-nar.scm
+++ /dev/null
@@ -1,125 +0,0 @@
-;;; GNU Guix --- Functional package management for GNU
-;;; Copyright =C2=A9 2017 Ludovic Court=C3=A8s <ludo@HIDDEN>
-;;;
-;;; This file is part of GNU Guix.
-;;;
-;;; GNU Guix is free software; you can redistribute it and/or modify it
-;;; under the terms of the GNU General Public License as published by
-;;; the Free Software Foundation; either version 3 of the License, or (at
-;;; your option) any later version.
-;;;
-;;; GNU Guix is distributed in the hope that it will be useful, but
-;;; WITHOUT ANY WARRANTY; without even the implied warranty of
-;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-;;; GNU General Public License for more details.
-;;;
-;;; You should have received a copy of the GNU General Public License
-;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
-
-(define-module (guix build download-nar)
-  #:use-module (guix build download)
-  #:use-module (guix build utils)
-  #:use-module (guix serialization)
-  #:use-module (guix zlib)
-  #:use-module (guix progress)
-  #:use-module (web uri)
-  #:use-module (srfi srfi-11)
-  #:use-module (srfi srfi-26)
-  #:use-module (ice-9 format)
-  #:use-module (ice-9 match)
-  #:export (download-nar))
-
-;;; Commentary:
-;;;
-;;; Download a normalized archive or "nar", similar to what 'guix substitu=
te'
-;;; does.  The intent here is to use substitute servers as content-address=
ed
-;;; mirrors of VCS checkouts.  This is mostly useful for users who have
-;;; disabled substitutes.
-;;;
-;;; Code:
-
-(define (urls-for-item item)
-  "Return the fallback nar URL for ITEM--e.g.,
-\"/gnu/store/cabbag3=E2=80=A6-foo-1.2-checkout\"."
-  ;; Here we hard-code nar URLs without checking narinfos.  That's probabl=
y OK
-  ;; though.
-  ;; TODO: Use HTTPS?  The downside is the extra dependency.
-  (let ((bases '("http://mirror.hydra.gnu.org/guix"
-                 "http://berlin.guixsd.org"))
-        (item  (basename item)))
-    (append (map (cut string-append <> "/nar/gzip/" item) bases)
-            (map (cut string-append <> "/nar/" item) bases))))
-
-(define (restore-gzipped-nar port item size)
-  "Restore the gzipped nar read from PORT, of SIZE bytes (compressed), to
-ITEM."
-  ;; Since PORT is typically a non-file port (for instance because 'http-g=
et'
-  ;; returns a delimited port), create a child process so we're back to a =
file
-  ;; port that can be passed to 'call-with-gzip-input-port'.
-  (match (pipe)
-    ((input . output)
-     (match (primitive-fork)
-       (0
-        (dynamic-wind
-          (const #t)
-          (lambda ()
-            (close-port output)
-            (close-port port)
-            (catch #t
-              (lambda ()
-                (call-with-gzip-input-port input
-                  (cut restore-file <> item)))
-              (lambda (key . args)
-                (print-exception (current-error-port)
-                                 (stack-ref (make-stack #t) 1)
-                                 key args)
-                (primitive-exit 1))))
-          (lambda ()
-            (primitive-exit 0))))
-       (child
-        (close-port input)
-        (dump-port* port output
-                    #:reporter (progress-reporter/file item size
-                                                       #:abbreviation
-                                                       store-path-abbrevia=
tion))
-        (close-port output)
-        (newline)
-        (match (waitpid child)
-          ((_ . status)
-           (unless (zero? status)
-             (error "nar decompression failed" status)))))))))
-
-(define (download-nar item)
-  "Download and extract the normalized archive for ITEM.  Return #t on
-success, #f otherwise."
-  ;; Let progress reports go through.
-  (setvbuf (current-error-port) _IONBF)
-  (setvbuf (current-output-port) _IONBF)
-
-  (let loop ((urls (urls-for-item item)))
-    (match urls
-      ((url rest ...)
-       (format #t "Trying content-addressed mirror at ~a...~%"
-               (uri-host (string->uri url)))
-       (let-values (((port size)
-                     (catch #t
-                       (lambda ()
-                         (http-fetch (string->uri url)))
-                       (lambda args
-                         (values #f #f)))))
-         (if (not port)
-             (loop rest)
-             (begin
-               (if size
-                   (format #t "Downloading from ~a (~,2h MiB)...~%" url
-                           (/ size (expt 2 20.)))
-                   (format #t "Downloading from ~a...~%" url))
-               (if (string-contains url "/gzip")
-                   (restore-gzipped-nar port item size)
-                   (begin
-                     ;; FIXME: Add progress report.
-                     (restore-file port item)
-                     (close-port port)))
-               #t))))
-      (()
-       #f))))
diff --git a/guix/cvs-download.scm b/guix/cvs-download.scm
index 8b46f8ef8..85744c5b5 100644
--- a/guix/cvs-download.scm
+++ b/guix/cvs-download.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright =C2=A9 2014, 2015, 2016, 2017 Ludovic Court=C3=A8s <ludo@gnu=
.org>
+;;; Copyright =C2=A9 2014, 2015, 2016 Ludovic Court=C3=A8s <ludo@HIDDEN>
 ;;; Copyright =C2=A9 2014 Sree Harsha Totakura <sreeharsha@HIDDEN>
 ;;; Copyright =C2=A9 2015 Mark H Weaver <mhw@HIDDEN>
 ;;;
@@ -23,7 +23,6 @@
   #:use-module (guix gexp)
   #:use-module (guix store)
   #:use-module (guix monads)
-  #:use-module (guix modules)
   #:use-module (guix packages)
   #:use-module (ice-9 match)
   #:export (cvs-reference
@@ -60,35 +59,16 @@
   "Return a fixed-output derivation that fetches REF, a <cvs-reference>
 object.  The output is expected to have recursive hash HASH of type
 HASH-ALGO (a symbol).  Use NAME as the file name, or a generic name if #f."
-  (define zlib
-    (module-ref (resolve-interface '(gnu packages compression)) 'zlib))
-
-  (define config.scm
-    (scheme-file "config.scm"
-                 #~(begin
-                     (define-module (guix config)
-                       #:export (%libz))
-
-                     (define %libz
-                       #+(file-append zlib "/lib/libz")))))
-
-  (define modules
-    (cons `((guix config) =3D> ,config.scm)
-          (delete '(guix config)
-                  (source-module-closure '((guix build cvs)
-                                           (guix build download-nar))))))
   (define build
-    (with-imported-modules modules
+    (with-imported-modules '((guix build cvs)
+                             (guix build utils))
       #~(begin
-          (use-modules (guix build cvs)
-                       (guix build download-nar))
-
-          (or (cvs-fetch '#$(cvs-reference-root-directory ref)
-                         '#$(cvs-reference-module ref)
-                         '#$(cvs-reference-revision ref)
-                         #$output
-                         #:cvs-command (string-append #+cvs "/bin/cvs"))
-              (download-nar #$output)))))
+          (use-modules (guix build cvs))
+          (cvs-fetch '#$(cvs-reference-root-directory ref)
+                     '#$(cvs-reference-module ref)
+                     '#$(cvs-reference-revision ref)
+                     #$output
+                     #:cvs-command (string-append #+cvs "/bin/cvs")))))
=20
   (mlet %store-monad ((guile (package->derivation guile system)))
     (gexp->derivation (or name "cvs-checkout") build
diff --git a/guix/git-download.scm b/guix/git-download.scm
index 731e549b3..7397cbe7f 100644
--- a/guix/git-download.scm
+++ b/guix/git-download.scm
@@ -25,7 +25,6 @@
   #:use-module (guix monads)
   #:use-module (guix records)
   #:use-module (guix packages)
-  #:use-module (guix modules)
   #:autoload   (guix build-system gnu) (standard-packages)
   #:use-module (ice-9 match)
   #:use-module (ice-9 popen)
@@ -78,31 +77,12 @@ HASH-ALGO (a symbol).  Use NAME as the file name, or a =
generic name if #f."
         (standard-packages)
         '()))
=20
-  (define zlib
-    (module-ref (resolve-interface '(gnu packages compression)) 'zlib))
-
-  (define config.scm
-    (scheme-file "config.scm"
-                 #~(begin
-                     (define-module (guix config)
-                       #:export (%libz))
-
-                     (define %libz
-                       #+(file-append zlib "/lib/libz")))))
-
-  (define modules
-    (cons `((guix config) =3D> ,config.scm)
-          (delete '(guix config)
-                  (source-module-closure '((guix build git)
-                                           (guix build utils)
-                                           (guix build download-nar))))))
-
   (define build
-    (with-imported-modules modules
+    (with-imported-modules '((guix build git)
+                             (guix build utils))
       #~(begin
           (use-modules (guix build git)
                        (guix build utils)
-                       (guix build download-nar)
                        (ice-9 match))
=20
           ;; The 'git submodule' commands expects Coreutils, sed,
@@ -112,13 +92,12 @@ HASH-ALGO (a symbol).  Use NAME as the file name, or a=
 generic name if #f."
                                            (((names dirs) ...)
                                             dirs)))
=20
-          (or (git-fetch (getenv "git url") (getenv "git commit")
-                         #$output
-                         #:recursive? (call-with-input-string
-                                          (getenv "git recursive?")
-                                        read)
-                         #:git-command (string-append #+git "/bin/git"))
-              (download-nar #$output)))))
+          (git-fetch (getenv "git url") (getenv "git commit")
+                     #$output
+                     #:recursive? (call-with-input-string
+                                      (getenv "git recursive?")
+                                    read)
+                     #:git-command (string-append #+git "/bin/git")))))
=20
   (mlet %store-monad ((guile (package->derivation guile system)))
     (gexp->derivation (or name "git-checkout") build
diff --git a/guix/hg-download.scm b/guix/hg-download.scm
index 6b25b87b6..842098090 100644
--- a/guix/hg-download.scm
+++ b/guix/hg-download.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright =C2=A9 2014, 2015, 2016, 2017 Ludovic Court=C3=A8s <ludo@gnu=
.org>
+;;; Copyright =C2=A9 2014, 2015, 2016 Ludovic Court=C3=A8s <ludo@HIDDEN>
 ;;; Copyright =C2=A9 2016 Ricardo Wurmus <rekado@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -22,7 +22,6 @@
   #:use-module (guix store)
   #:use-module (guix monads)
   #:use-module (guix records)
-  #:use-module (guix modules)
   #:use-module (guix packages)
   #:autoload   (guix build-system gnu) (standard-packages)
   #:use-module (ice-9 match)
@@ -60,35 +59,18 @@
   "Return a fixed-output derivation that fetches REF, a <hg-reference>
 object.  The output is expected to have recursive hash HASH of type
 HASH-ALGO (a symbol).  Use NAME as the file name, or a generic name if #f."
-  (define zlib
-    (module-ref (resolve-interface '(gnu packages compression)) 'zlib))
-
-  (define config.scm
-    (scheme-file "config.scm"
-                 #~(begin
-                     (define-module (guix config)
-                       #:export (%libz))
-
-                     (define %libz
-                       #+(file-append zlib "/lib/libz")))))
-
-  (define modules
-    (cons `((guix config) =3D> ,config.scm)
-          (delete '(guix config)
-                  (source-module-closure '((guix build hg)
-                                           (guix build download-nar))))))
-
   (define build
-    (with-imported-modules modules
+    (with-imported-modules '((guix build hg)
+                             (guix build utils))
       #~(begin
           (use-modules (guix build hg)
-                       (guix build download-nar))
+                       (guix build utils)
+                       (ice-9 match))
=20
-          (or (hg-fetch '#$(hg-reference-url ref)
-                        '#$(hg-reference-changeset ref)
-                        #$output
-                        #:hg-command (string-append #+hg "/bin/hg"))
-              (download-nar #$output)))))
+          (hg-fetch '#$(hg-reference-url ref)
+                    '#$(hg-reference-changeset ref)
+                    #$output
+                    #:hg-command (string-append #+hg "/bin/hg")))))
=20
   (mlet %store-monad ((guile (package->derivation guile system)))
     (gexp->derivation (or name "hg-checkout") build
--=20
2.15.1


--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 14 Dec 2017 16:53:46 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Dec 14 11:53:46 2017
Received: from localhost ([127.0.0.1]:33963 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1ePWlW-0000T5-0b
	for submit <at> debbugs.gnu.org; Thu, 14 Dec 2017 11:53:46 -0500
Received: from hera.aquilenet.fr ([141.255.128.1]:51794)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1ePWlR-0000Ss-3w
 for 28659 <at> debbugs.gnu.org; Thu, 14 Dec 2017 11:53:42 -0500
Received: from localhost (localhost [127.0.0.1])
 by hera.aquilenet.fr (Postfix) with ESMTP id 0F21C102D7;
 Thu, 14 Dec 2017 17:53:43 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at aquilenet.fr
Received: from hera.aquilenet.fr ([127.0.0.1])
 by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id ytQf5DF19oqk; Thu, 14 Dec 2017 17:53:41 +0100 (CET)
Received: from ribbon (unknown [193.50.110.249])
 by hera.aquilenet.fr (Postfix) with ESMTPSA id 43DE374AF;
 Thu, 14 Dec 2017 17:53:41 +0100 (CET)
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN> <87o9ppoabw.fsf@HIDDEN>
 <20171002182208.GB10773@HIDDEN> <878tgt721q.fsf@HIDDEN>
 <20171020211700.GA32355@HIDDEN> <87d1421qek.fsf@HIDDEN>
Date: Thu, 14 Dec 2017 17:53:37 +0100
In-Reply-To: <87d1421qek.fsf@HIDDEN> ("Ludovic
 \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\=
 \=\?utf-8\?Q\?s\?\= message of "Tue, 28 Nov 2017 14:30:59 +0100")
Message-ID: <874lot9rou.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 1.0 (+)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Jan Nieuwenhuizen <janneke@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 1.0 (+)

ludo@HIDDEN (Ludovic Court=C3=A8s) skribis:

> Thinking more about it, why not simply always enable substitutes for
> fixed-output derivations, like this:
>
> diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
> index d68e8b2bc..03a8f5080 100644
> --- a/nix/libstore/build.cc
> +++ b/nix/libstore/build.cc
> @@ -1034,8 +1034,10 @@ void DerivationGoal::haveDerivation()
>=20=20
>      /* We are first going to try to create the invalid output paths
>         through substitutes.  If that doesn't work, we'll build
> -       them. */
> -    if (settings.useSubstitutes && substitutesAllowed(drv))
> +       them.  Always enable substitutes for fixed-output derivations to
> +       protect against disappearing files and in-place modifications on
> +       upstream sites.  */
> +    if ((fixedOutput || settings.useSubstitutes) && substitutesAllowed(d=
rv))
>          foreach (PathSet::iterator, i, invalidOutputs)
>              addWaitee(worker.makeSubstitutionGoal(*i, buildMode =3D=3D b=
mRepair));

[...]

> The downside is that it still requires one to authorize the server=E2=80=
=99s
> key, although it=E2=80=99s in theory unnecessary since it=E2=80=99s conte=
nt addressed.
> I=E2=80=99m not sure how to solve that because =E2=80=98guix substitute=
=E2=80=99 doesn=E2=80=99t know
> that it=E2=80=99s substituting a fixed-output derivation.  I suppose we=
=E2=80=99d need
> to modify the =E2=80=9Cprotocol=E2=80=9D between guix-daemon and =E2=80=
=98guix substitute=E2=80=99.

I looked at how to address this by having =E2=80=98guix substitute=E2=80=99
automatically determine whether it=E2=80=99s being asked for a content-addr=
essed
item or not.  The guts of it is this procedure:

  (define* (content-addressed-item? item hash
                                    #:key (hash-algo 'sha256))
    "Return true if ITEM, a store file name, is definitely a content-addres=
sed
  item (result of a fixed-output derivation) with the given HASH of type
  HASH-ALGO, false otherwise.

  Note: This procedure is useful when the deriver of ITEM is unknown.  In o=
ther
  cases, the recommended approach is to check 'fixed-output-derivation?' on=
 the
  deriver."
    ;; XXX: This returns #f for "text" items produced by 'add-text-to-store=
'.
    ;; There's not much we can do because the file name for these is a func=
tion
    ;; of their content.
    (let ((name (store-path-package-name item)))
      (or (string=3D? item (fixed-output-path name hash #:recursive? #f
                                            #:hash-algo hash-algo))
          (string=3D? item (fixed-output-path name hash #:recursive? #t
                                            #:hash-algo hash-algo)))))

It works as expected for the result of =E2=80=9Crecursive fixed-output
derivations=E2=80=9D=E2=80=94i.e., fixed-output derivations that produce a =
directory,
such as VCS checkouts.

However it doesn=E2=80=99t work for fixed-output derivations that produce a=
 flat
file, such as origins with the =E2=80=98url-fetch=E2=80=99 method.  The rea=
son is
because in the case of non-recursive derivations, the store file name is
computed as a function of the file hash, not as a function of the nar
hash, whereas narinfos only contains the nar hash (the thing that =E2=80=98=
guix
hash -r=E2=80=99 computes.)

So I think we have to communicate more info from the daemon to =E2=80=98guix
substitute=E2=80=99.

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 28 Nov 2017 13:31:21 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Nov 28 08:31:20 2017
Received: from localhost ([127.0.0.1]:33613 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1eJfyk-0004mR-E9
	for submit <at> debbugs.gnu.org; Tue, 28 Nov 2017 08:31:20 -0500
Received: from [141.255.128.1] (port=53718 helo=hera.aquilenet.fr)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1eJfyh-0004mH-H7
 for 28659 <at> debbugs.gnu.org; Tue, 28 Nov 2017 08:31:13 -0500
Received: from localhost (localhost [127.0.0.1])
 by hera.aquilenet.fr (Postfix) with ESMTP id 927FDEF69;
 Tue, 28 Nov 2017 14:31:12 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at aquilenet.fr
Received: from hera.aquilenet.fr ([127.0.0.1])
 by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id DkvuRG0-0kAZ; Tue, 28 Nov 2017 14:31:08 +0100 (CET)
Received: from ribbon (unknown [193.50.110.215])
 by hera.aquilenet.fr (Postfix) with ESMTPSA id A8BACE9D7;
 Tue, 28 Nov 2017 14:31:02 +0100 (CET)
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN> <87o9ppoabw.fsf@HIDDEN>
 <20171002182208.GB10773@HIDDEN> <878tgt721q.fsf@HIDDEN>
 <20171020211700.GA32355@HIDDEN>
Date: Tue, 28 Nov 2017 14:30:59 +0100
In-Reply-To: <20171020211700.GA32355@HIDDEN> (Leo Famulari's message of
 "Fri, 20 Oct 2017 17:17:00 -0400")
Message-ID: <87d1421qek.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: 2.2 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Leo Famulari <leo@HIDDEN> skribis: > On Mon, Oct 02,
    2017 at 10:00:33PM +0200, Ludovic Courtès wrote: >> Right. Jan suggested
    checking the content-addressed mirrors *before* >> the real upstream address.
    That would address the problem of upstream >> sources modified in-place,
   but at the cost of privacy/self-sufficiency >> as you note. (Though it’s
    not really making “privacy” any worse in this >> case: it’s gnu.org
    vs. github.com.) > > Yeah, I don't personally think there is a privacy issue
    with fetching > sources from our mirrors at gnu.org, or other domains we
   control. > >> Perhaps we should make content-addressed mirrors configurable
    in a way >> that’s orthogonal to derivations, something similar in spirit
    to >> --substitute-urls? The difficulty is that content-addressed mirrors
    are >> not just URLs; see (guix download). >> >> Thoughts? > > I do think
    we should make it so that users don't suffer from unreliable > upstream sources
    when we know the sources are available on our servers > (or the Nix mirror),
    even with --no-substitutes. [...] 
 
 Content analysis details:   (2.2 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
 [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=hera.aquilenet.fr;ip=141.255.128.1;r=debbugs.gnu.org]
  1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Jan Nieuwenhuizen <janneke@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.2 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Leo Famulari <leo@HIDDEN> skribis: > On Mon, Oct 02,
    2017 at 10:00:33PM +0200, Ludovic Courtès wrote: >> Right. Jan suggested
    checking the content-addressed mirrors *before* >> the real upstream address.
    That would address the problem of upstream >> sources modified in-place,
   but at the cost of privacy/self-sufficiency >> as you note. (Though it’s
    not really making “privacy” any worse in this >> case: it’s gnu.org
    vs. github.com.) > > Yeah, I don't personally think there is a privacy issue
    with fetching > sources from our mirrors at gnu.org, or other domains we
   control. > >> Perhaps we should make content-addressed mirrors configurable
    in a way >> that’s orthogonal to derivations, something similar in spirit
    to >> --substitute-urls? The difficulty is that content-addressed mirrors
    are >> not just URLs; see (guix download). >> >> Thoughts? > > I do think
    we should make it so that users don't suffer from unreliable > upstream sources
    when we know the sources are available on our servers > (or the Nix mirror),
    even with --no-substitutes. [...] 
 
 Content analysis details:   (2.2 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
 [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=hera.aquilenet.fr;ip=141.255.128.1;r=debbugs.gnu.org]
  1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Leo Famulari <leo@HIDDEN> skribis:

> On Mon, Oct 02, 2017 at 10:00:33PM +0200, Ludovic Court=C3=A8s wrote:
>> Right.  Jan suggested checking the content-addressed mirrors *before*
>> the real upstream address.  That would address the problem of upstream
>> sources modified in-place, but at the cost of privacy/self-sufficiency
>> as you note.  (Though it=E2=80=99s not really making =E2=80=9Cprivacy=E2=
=80=9D any worse in this
>> case: it=E2=80=99s gnu.org vs. github.com.)
>
> Yeah, I don't personally think there is a privacy issue with fetching
> sources from our mirrors at gnu.org, or other domains we control.
>
>> Perhaps we should make content-addressed mirrors configurable in a way
>> that=E2=80=99s orthogonal to derivations, something similar in spirit to
>> --substitute-urls?  The difficulty is that content-addressed mirrors are
>> not just URLs; see (guix download).
>>
>> Thoughts?
>
> I do think we should make it so that users don't suffer from unreliable
> upstream sources when we know the sources are available on our servers
> (or the Nix mirror), even with --no-substitutes.

The more I think about it, the more I=E2=80=99m inclined to simply move
content-addressed mirrors to the front of the list.  This means that
users, in practice, would be fetching all the source from
mirror.hydra.gnu.org.

The main issue is making it configurable.  Currently the
content-addressed mirror configuration for regular files in (guix
download) looks like this:

--8<---------------cut here---------------start------------->8---
(define %content-addressed-mirrors
  ;; List of content-addressed mirrors.  Each mirror is represented as a
  ;; procedure that takes a file name, an algorithm (symbol) and a hash
  ;; (bytevector), and returns a URL or #f.
  ;; Note: Avoid 'https' to mitigate <http://bugs.gnu.org/22774>.
  ;; TODO: Add more.
  '(list (lambda (file algo hash)
           ;; Files served by 'guix publish' are accessible under a single
           ;; hash algorithm.
           (string-append "http://mirror.hydra.gnu.org/file/"
                          file "/" (symbol->string algo) "/"
                          (bytevector->nix-base32-string hash)))
         (lambda (file algo hash)
           ;; 'tarballs.nixos.org' supports several algorithms.
           (string-append "http://tarballs.nixos.org/"
                          (symbol->string algo) "/"
                          (bytevector->nix-base32-string hash)))))
--8<---------------cut here---------------end--------------->8---

That for VCS checkouts in (guix build download-nar) looks like this:

--8<---------------cut here---------------start------------->8---
(define (urls-for-item item)
  "Return the fallback nar URL for ITEM--e.g.,
\"/gnu/store/cabbag3=E2=80=A6-foo-1.2-checkout\"."
  ;; Here we hard-code nar URLs without checking narinfos.  That's probably=
 OK
  ;; though.
  ;; TODO: Use HTTPS?  The downside is the extra dependency.
  (let ((bases '("http://mirror.hydra.gnu.org/guix"
                 "http://berlin.guixsd.org"))
        (item  (basename item)))
    (append (map (cut string-append <> "/nar/gzip/" item) bases)
            (map (cut string-append <> "/nar/" item) bases))))
--8<---------------cut here---------------end--------------->8---

The latter could be expressed by a command-line flag.  In fact it=E2=80=99s=
 the
same as --substitute-urls.

(Time passes=E2=80=A6)

Thinking more about it, why not simply always enable substitutes for
fixed-output derivations, like this:


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index d68e8b2bc..03a8f5080 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -1034,8 +1034,10 @@ void DerivationGoal::haveDerivation()
 
     /* We are first going to try to create the invalid output paths
        through substitutes.  If that doesn't work, we'll build
-       them. */
-    if (settings.useSubstitutes && substitutesAllowed(drv))
+       them.  Always enable substitutes for fixed-output derivations to
+       protect against disappearing files and in-place modifications on
+       upstream sites.  */
+    if ((fixedOutput || settings.useSubstitutes) && substitutesAllowed(drv))
         foreach (PathSet::iterator, i, invalidOutputs)
             addWaitee(worker.makeSubstitutionGoal(*i, buildMode == bmRepair));
 

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


This solves all our problems and makes download-nar.scm useless.

As an added bonus, it provides a improves the UI since we now always
see:

--8<---------------cut here---------------start------------->8---
0.1 MB will be downloaded:
   /gnu/store/plx9848n6waj6zghn3d54ybx8ihcn23k-guile-git-0.0-4.951a32c-chec=
kout
--8<---------------cut here---------------end--------------->8---

=E2=80=A6 instead of:

--8<---------------cut here---------------start------------->8---
The following derivation will be built:
   /gnu/store/y86rlb6pdm35im7q02y6479ca84zwylz-guile-git-000.0-4.951a32c-ch=
eckout.drv
--8<---------------cut here---------------end--------------->8---

The downside is that it still requires one to authorize the server=E2=80=99s
key, although it=E2=80=99s in theory unnecessary since it=E2=80=99s content=
 addressed.
I=E2=80=99m not sure how to solve that because =E2=80=98guix substitute=E2=
=80=99 doesn=E2=80=99t know
that it=E2=80=99s substituting a fixed-output derivation.  I suppose we=E2=
=80=99d need
to modify the =E2=80=9Cprotocol=E2=80=9D between guix-daemon and =E2=80=98g=
uix substitute=E2=80=99.

Thoughts?

Ludo=E2=80=99.

--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 20 Oct 2017 21:17:08 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Oct 20 17:17:08 2017
Received: from localhost ([127.0.0.1]:52855 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1e5efE-0000Fk-7I
	for submit <at> debbugs.gnu.org; Fri, 20 Oct 2017 17:17:08 -0400
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:34679)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1e5efC-0000Fd-I4
 for 28659 <at> debbugs.gnu.org; Fri, 20 Oct 2017 17:17:07 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 0912420C4F;
 Fri, 20 Oct 2017 17:17:06 -0400 (EDT)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Fri, 20 Oct 2017 17:17:06 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 mesmtp; bh=H+edYyOKPo0WMKxnBoSbe1dwsaN7Y/26R63RFQWbKXY=; b=HPxIZ
 FgP1NENGv8itWV0wnPuXYisy5aVhmMmxuM/cG8dhLXhoNS72izq84eKx+cek467F
 63H6FuxDH9cUMMFZcUe9eKsSGBgHw8ShVUco2WjC+lczDCJwzcHSRGuDGTz4vnQB
 n72vs4FZdQAlHeBBNF1OPx+qtBYiqrLFdHN4Sg=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm1; bh=H+edYyOKPo0WMKxnBoSbe1dwsaN7Y
 /26R63RFQWbKXY=; b=GDqzyUioFAr8qIMXvXXhOlEXU+JqQnZExZtlpV4LY4wyO
 QE9Hz/pR6BPBeMnd1PM8CRtlAHnlB+832oDCSC+yrcvC6p78nfA+l4YW7ibkAeZg
 ZDwdggrSc9N/pxajdJ+i4HPXacE0rSmWMDvERh15blS/rBQTtgEndlqvcCAH3RPh
 YfpufbR7arOSaKUQRSpr4t1TOV7KpRlnA9Po48bU//ItLmc4M3YLz7kLuOf44vXy
 UK/I9VJpQDySY0Zj72G8cU7Gwp3gaQgNvKXrHYp/LEuNSD4Hcfj5XwwQ/xKS9ONV
 PZlv7IHk0CyKgniOhhFgglcMSt6viSe6bwoxgakjQ==
X-ME-Sender: <xms:0WfqWZJOQ072OvpDreKND3vgd5D64FQxUmajDbpgxEI7JROAcGZdMQ>
Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70])
 by mail.messagingengine.com (Postfix) with ESMTPA id BDB507FA7E;
 Fri, 20 Oct 2017 17:17:05 -0400 (EDT)
Date: Fri, 20 Oct 2017 17:17:00 -0400
From: Leo Famulari <leo@HIDDEN>
To: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1
 content hashes fail
Message-ID: <20171020211700.GA32355@HIDDEN>
References: <877ewf18d4.fsf@HIDDEN> <87o9ppoabw.fsf@HIDDEN>
 <20171002182208.GB10773@HIDDEN> <878tgt721q.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="AqsLC8rIMeq19msA"
Content-Disposition: inline
In-Reply-To: <878tgt721q.fsf@HIDDEN>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Jan Nieuwenhuizen <janneke@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--AqsLC8rIMeq19msA
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Oct 02, 2017 at 10:00:33PM +0200, Ludovic Court=C3=A8s wrote:
> Right.  Jan suggested checking the content-addressed mirrors *before*
> the real upstream address.  That would address the problem of upstream
> sources modified in-place, but at the cost of privacy/self-sufficiency
> as you note.  (Though it=E2=80=99s not really making =E2=80=9Cprivacy=E2=
=80=9D any worse in this
> case: it=E2=80=99s gnu.org vs. github.com.)

Yeah, I don't personally think there is a privacy issue with fetching
sources from our mirrors at gnu.org, or other domains we control.

> Perhaps we should make content-addressed mirrors configurable in a way
> that=E2=80=99s orthogonal to derivations, something similar in spirit to
> --substitute-urls?  The difficulty is that content-addressed mirrors are
> not just URLs; see (guix download).
>
> Thoughts?

I do think we should make it so that users don't suffer from unreliable
upstream sources when we know the sources are available on our servers
(or the Nix mirror), even with --no-substitutes.

--AqsLC8rIMeq19msA
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlnqZ8kACgkQJkb6MLrK
fwg5TQ/8CX5M/DfOOi27pQHOXUE91v7o87jnOSazE2Xqzq+q8N7iBZsY+DxQR676
5KmOw/MREsqP1rWBy4eR5nDRuhQv/hgOSpxh1Kyluk5KkqGezhyCmgmRBqVJnoF6
uZw9VD0UBxcYoZScvemtJjBRFCwjFjpUINW1XE5sUXV7CCqI007kvKB+2Q6iyxBz
R1pK5cMhWFj7GsOoXtYCUIlxER8tK/lE6Tx0OP264TidenTDfH7dy7udmFbNTRYz
72LKl1xno7rIvgRSHA8mxRlAcLXFCXqlbad7QFHEnEQdLmeoLyF565bE/VsH1CdQ
jHW7BJM9svBLmXwfxMOT3YLXGGPgGFI5Kou/uatWmh3PFRvRffe/m97SsA2BYDyh
C08pY8DC+HSoTeF/GZO08Jfg3gT3o9pp+IJRt/AE7qhYqLOkX/zQ6guLm6H1jJIJ
y4dgoy+Mlu8mwVOhsEvnjVLfk7Ho3QvHLcwzKzDrW001Od6bve7CuLW9pHkbOwqm
m7QopDt0XLnL+MTG3o2Lvxbhb5u4rCKfu7Bjb1U01hXlgJWVlULzv4/7voRe1Y1Y
cEax9IBjCnRa2ANa+IX6z/trQr9J/gSMjjtS/Uim15728PY19Mm27ZyleJX8lzbG
SIf+0jpzWLMFSKZ8hr04XNYrdZjANRruWQa9Pt7p6QdlIiX4lqc=
=jxqv
-----END PGP SIGNATURE-----

--AqsLC8rIMeq19msA--




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 5 Oct 2017 06:08:34 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Oct 05 02:08:34 2017
Received: from localhost ([127.0.0.1]:49605 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dzzKk-0003Qk-0K
	for submit <at> debbugs.gnu.org; Thu, 05 Oct 2017 02:08:34 -0400
Received: from eggs.gnu.org ([208.118.235.92]:48533)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <janneke@HIDDEN>) id 1dzzKh-0003QU-Py
 for 28659 <at> debbugs.gnu.org; Thu, 05 Oct 2017 02:08:32 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <janneke@HIDDEN>) id 1dzzKZ-0003gC-D4
 for 28659 <at> debbugs.gnu.org; Thu, 05 Oct 2017 02:08:26 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:43303)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <janneke@HIDDEN>)
 id 1dzzKL-0003Pe-Jo; Thu, 05 Oct 2017 02:08:09 -0400
Received: from peder.onsbrabantnet.nl ([88.159.206.46]:55150
 helo=dundal.peder.onsbrabantnet.nl)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <janneke@HIDDEN>)
 id 1dzzKL-0002U0-4E; Thu, 05 Oct 2017 02:08:09 -0400
From: Jan Nieuwenhuizen <janneke@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN> <87wp4e8yk5.fsf@HIDDEN>
 <20171001204237.GA11804@HIDDEN> <87vajxoavx.fsf@HIDDEN>
 <20171002181929.GA10773@HIDDEN> <87infx2mmt.fsf@HIDDEN>
 <20171003142449.GB23431@HIDDEN> <874lrfee45.fsf@HIDDEN>
 <20171004165413.GA4596@HIDDEN> <87r2uih3lx.fsf@HIDDEN>
 <87h8vegpqu.fsf@HIDDEN>
Date: Thu, 05 Oct 2017 08:08:06 +0200
In-Reply-To: <87h8vegpqu.fsf@HIDDEN> (Maxim Cournoyer's message of "Thu, 05
 Oct 2017 00:52:57 -0400")
Message-ID: <87infu6sah.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Maxim Cournoyer writes:

> If we can trust the Homebrew list to be extensive, it seems we got
> lucky; there's only one affected package that we share which is
> yaml-cpp. Here's how it fails on our side:

I needed to also use (ice-9 regex) and then I found these to fail

    antlr3
    csound
    erlang
    font-google-material-design-icons
    fritzing
    libgit2
    lxqt-common
    ogre
    plexus-interpolation
    red-eclipse
    yaml-cpp

out of 646 packages it's not many but it includes our core dependency
libgit2 which breaks guix pull --no-substitutes; that's hardly being
lucky?

janneke

--=20
Jan Nieuwenhuizen <janneke@HIDDEN> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar=C2=AE http://AvatarAcademy.com




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 5 Oct 2017 04:53:06 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Oct 05 00:53:06 2017
Received: from localhost ([127.0.0.1]:49571 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dzy9i-0001QR-I1
	for submit <at> debbugs.gnu.org; Thu, 05 Oct 2017 00:53:06 -0400
Received: from mail-it0-f50.google.com ([209.85.214.50]:52385)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@HIDDEN>) id 1dzy9h-0001Pw-87
 for 28659 <at> debbugs.gnu.org; Thu, 05 Oct 2017 00:53:05 -0400
Received: by mail-it0-f50.google.com with SMTP id c195so18389020itb.1
 for <28659 <at> debbugs.gnu.org>; Wed, 04 Oct 2017 21:53:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:references:date:in-reply-to:message-id
 :user-agent:mime-version;
 bh=hvUFkCjLbnLe93mYKR/ztF4cQ2wG8nzW4x7GPafWPWk=;
 b=WowSqE7JT4m7w0z+EuBMkP9M0BfQAdvc50InFMrTy40H7dljf+1zzicTLgAdribSLB
 AvZGBe4EYxZlbexa5L2WpC3Dt75qUieHS/NZkyGC7crtlRUV9wPy+mBju71ptw0batJt
 RRCT6FRgJbEzH44lfNX1B0Cb9K2pAkY4xBKiAoVN/rsuaP81zpxp46PzEUaCHps5tbLX
 Usih5EexOvRxSSpzCat8i0T0d5LnLgoi3vKhQK3J+dKIJXxJafYL8Z+wUch8si2K2zXP
 bnxBZiHXF/7OGbg0fdVu+uJ/7lwyixRD6nbI0c54wRGbsbQMgxVqC0m9gMDZ18agu6g4
 eQXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
 :message-id:user-agent:mime-version;
 bh=hvUFkCjLbnLe93mYKR/ztF4cQ2wG8nzW4x7GPafWPWk=;
 b=cWeHcYeTC638hNfSYliCylYZjxWJEDytbBQnYjvT0xB6ReEeu05Mf8JHV0aO7ApPXe
 uzmUMf1omPZeQPco1ztET14twPQ/dILZpjC+7ume6Bs9R/Kw8rt/+YuxZvNL6XEn7rkW
 4/LPxGnm0tf3DCVFYpzsMQ2MYojIUAi26iWT2aONsx1RjU6ZieXgkp+Gg+XgRNIIsyvs
 vBDwW2D/uZUjc70csAjyb9QiKMT+Ws4EX/zTMzZuVudFLXNHgEsN1RQNUIViOpEawBBf
 hxxDJ0vC3xdMXO34PkexQU1z9z3s380a2gMw7rcnVLUP3814lPMmocYxnpdlqf3IXgT9
 vQpw==
X-Gm-Message-State: AMCzsaU+rNw3P6EQZFFqfWgKQyx9AZhq1VFvHY0xYjvCGmZ7+gmih2AV
 i9O5/TpurCZu75QSg8ZHGpOlsTZ9
X-Google-Smtp-Source: AOwi7QDwYNdKULZq2WK3osVqDWs3Hwc4A7/PE6CejmVixOxbSJRgtv/BRzb8rZFpnxVPZByTwDIbFw==
X-Received: by 10.36.205.194 with SMTP id l185mr10550587itg.24.1507179179278; 
 Wed, 04 Oct 2017 21:52:59 -0700 (PDT)
Received: from apteryx (104-222-112-128.cpe.teksavvy.com. [104.222.112.128])
 by smtp.gmail.com with ESMTPSA id o80sm7987910ioi.73.2017.10.04.21.52.58
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Wed, 04 Oct 2017 21:52:58 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN> <87wp4e8yk5.fsf@HIDDEN>
 <20171001204237.GA11804@HIDDEN> <87vajxoavx.fsf@HIDDEN>
 <20171002181929.GA10773@HIDDEN> <87infx2mmt.fsf@HIDDEN>
 <20171003142449.GB23431@HIDDEN> <874lrfee45.fsf@HIDDEN>
 <20171004165413.GA4596@HIDDEN> <87r2uih3lx.fsf@HIDDEN>
Date: Thu, 05 Oct 2017 00:52:57 -0400
In-Reply-To: <87r2uih3lx.fsf@HIDDEN> (Maxim Cournoyer's message of "Wed, 04
 Oct 2017 19:53:30 -0400")
Message-ID: <87h8vegpqu.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.2 (/)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.2 (/)

I've modified the script to sort the packages it prints:
--8<---------------cut here---------------start------------->8---
-    (for-each (lambda (p)
-		(format #t "~a~%" (package-name p)))
-	      packages)))
+    (for-each (lambda (name)
+		(format #t "~a~%" name))
+	      (sort (map package-name packages) string<?))))
--8<---------------cut here---------------end--------------->8---

and compared it to the list here: https://github.com/Homebrew/homebrew-core/issues/18044

If we can trust the Homebrew list to be extensive, it seems we got
lucky; there's only one affected package that we share which is
yaml-cpp. Here's how it fails on our side:

--8<---------------cut here---------------start------------->8---
guix build -S --no-substitutes yaml-cpp
The following derivation will be built:
   /gnu/store/mlap8jmadirnbii6sppb6vj9x56s8azw-yaml-cpp-0.5.3.tar.gz.drv
@ build-started /gnu/store/mlap8jmadirnbii6sppb6vj9x56s8azw-yaml-cpp-0.5.3.tar.gz.drv - x86_64-linux /var/log/guix/drvs/ml//ap8jmadirnbii6sppb6vj9x56s8azw-yaml-cpp-0.5.3.tar.gz.drv.bz2

Starting download of /gnu/store/qwflwafrzjbr2b7dy4nv18nxykghhmnk-yaml-cpp-0.5.3.tar.gz
From https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.5.3.tar.gz...
following redirection to `https://codeload.github.com/jbeder/yaml-cpp/tar.gz/yaml-cpp-0.5.3'...
 ...p-0.5.3                                  1.7MiB/s 00:01 | 1.9MiB transferred
sha256 hash mismatch for output path `/gnu/store/qwflwafrzjbr2b7dy4nv18nxykghhmnk-yaml-cpp-0.5.3.tar.gz'
  expected: 1vk6pjh0f5k6jwk2sszb9z5169whmiha9ainbdpa1arxlkq7v3b6
  actual:   1ck7jk0wjfigrf4cgcjqsir4yp1s6vamhhxhpsgfvs46pgm5pk6y
@ build-failed /gnu/store/mlap8jmadirnbii6sppb6vj9x56s8azw-yaml-cpp-0.5.3.tar.gz.drv - 1 sha256 hash mismatch for output path `/gnu/store/qwflwafrzjbr2b7dy4nv18nxykghhmnk-yaml-cpp-0.5.3.tar.gz'
  expected: 1vk6pjh0f5k6jwk2sszb9z5169whmiha9ainbdpa1arxlkq7v3b6
  actual:   1ck7jk0wjfigrf4cgcjqsir4yp1s6vamhhxhpsgfvs46pgm5pk6y
guix build: error: build failed: build of
`/gnu/store/mlap8jmadirnbii6sppb6vj9x56s8azw-yaml-cpp-0.5.3.tar.gz.drv'
failed
--8<---------------cut here---------------end--------------->8---

Maxim




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 4 Oct 2017 23:53:39 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Oct 04 19:53:39 2017
Received: from localhost ([127.0.0.1]:49486 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dztTv-0002UC-Hy
	for submit <at> debbugs.gnu.org; Wed, 04 Oct 2017 19:53:39 -0400
Received: from mail-it0-f50.google.com ([209.85.214.50]:46970)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@HIDDEN>) id 1dztTu-0002Ty-8L
 for 28659 <at> debbugs.gnu.org; Wed, 04 Oct 2017 19:53:38 -0400
Received: by mail-it0-f50.google.com with SMTP id v62so7662164itd.1
 for <28659 <at> debbugs.gnu.org>; Wed, 04 Oct 2017 16:53:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:references:date:in-reply-to:message-id
 :user-agent:mime-version;
 bh=crXxBTpW8ZuD9HIpVOv6QQsj3iZobbV/Jeff/QUX+Hs=;
 b=Xnc3EmzMjxRnZJOJtiTGgy3qw5Vkt7PiEVirIVQ0qCoZTMPivVWQupQTODTfX1MvjI
 zZY/agF+L/9bS3prEmTaWAV3ief5NZBcmk9yDKlKTk4QsoSBJNCZmOCf3TCDvRYdUAX9
 lnp4ZHLw3vqLOh6DrVyZTe2T15AtqrH0CmM3JEL2Hzf4NUlhgBBbWQ8rOmF8STAj7HIm
 atbHIf5f0CvybT2jRuAXOGO/l/hRzD2DqMs9oMc1lONsdI1ciJLoCo7kOoOXQm+g7OEY
 n1PtuXEAYT/ptcEx7F3h1ePOsvdt6I6VGK6Xza52Pm0pgpC0YZK2aLSOJwc8ANU+VVRN
 2dGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
 :message-id:user-agent:mime-version;
 bh=crXxBTpW8ZuD9HIpVOv6QQsj3iZobbV/Jeff/QUX+Hs=;
 b=GwRlITVJmocrbjwhnliUEM4qH2JQayDLWusNVCHMm6E/aoGqBJzaEMxU277s0/fyKS
 eNf29Mrt7MG9hFbfQWcreV1KXnahAvbAFydhWKesLSzmz9uA6gHKsi7M06/HWpzwUsZ/
 pr+eLO7vA46otDGWeBl2fL20cKqcUAh1dtn3EGIRrwBODFwN1I4pk9XU8iaeLgFmz9HM
 2ATnzUV53Ru98XqyOa1u4WCb5WL6j3AFJbPonstL6jKFl0ojj1LpxYBnaftyyNY1anjw
 8LafnWbEyDP0yF5eX76UO9ExV+knvkNzy19blkSZ6Mk3yqaSfuu6btvB/nCgiQr0KaFp
 NoIg==
X-Gm-Message-State: AMCzsaX3qK96Qqv8euy1a7QbO2QSagQAwOjxIveHH7IyD4lSBdPiy2ll
 qjSmY5/HxuKsE+zBVwGO7/DdY8mM
X-Google-Smtp-Source: AOwi7QC0EUX6WryHWf+6OIV5AfHQ4WLpj66GbtJXIYZH4pFEtaMmiJltDGHdi2jGOYVZpp0c5LGNcQ==
X-Received: by 10.36.111.4 with SMTP id x4mr28511583itb.144.1507161212368;
 Wed, 04 Oct 2017 16:53:32 -0700 (PDT)
Received: from apteryx (104-222-112-128.cpe.teksavvy.com. [104.222.112.128])
 by smtp.gmail.com with ESMTPSA id q129sm1169222iod.32.2017.10.04.16.53.31
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Wed, 04 Oct 2017 16:53:31 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN> <87wp4e8yk5.fsf@HIDDEN>
 <20171001204237.GA11804@HIDDEN> <87vajxoavx.fsf@HIDDEN>
 <20171002181929.GA10773@HIDDEN> <87infx2mmt.fsf@HIDDEN>
 <20171003142449.GB23431@HIDDEN> <874lrfee45.fsf@HIDDEN>
 <20171004165413.GA4596@HIDDEN>
Date: Wed, 04 Oct 2017 19:53:30 -0400
In-Reply-To: <20171004165413.GA4596@HIDDEN> (Leo Famulari's message of
 "Wed, 4 Oct 2017 12:54:13 -0400")
Message-ID: <87r2uih3lx.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -0.2 (/)
X-Debbugs-Envelope-To: 28659
Cc: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, 28659 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.2 (/)

--=-=-=
Content-Type: text/plain

Leo Famulari <leo@HIDDEN> writes:

> On Wed, Oct 04, 2017 at 12:22:34AM -0400, Maxim Cournoyer wrote:
>> Here are the first 10 lines of the output:
>> --8<---------------cut here---------------start------------->8---
>> Number of potentially problematic GitHub packages:1011
>> fdupes
>> cbatticon
>> sedsed
>> cpulimit
>> autojump
>> sudo
>
> I think the script is buggy; sudo's source is not downloaded from GitHub
> as far as I can tell.

Good catch! I was assuming empty lists were falsy, but that's not the
case! I've ensured purely boolean predicates now and it gets the list
down to 650.

Here's the corrected script:

--=-=-=
Content-Type: text/plain
Content-Disposition: inline
Content-Description: find-problematic-github-packages.scm

;;; A script to find packages possibly affected by GitHub
;;; infrastructure update that caused minor changes in the
;;; automatically generated tarballs.

(use-modules (ice-9 match)
	     (gnu packages)
	     (guix download)
	     (guix packages))

(define (problematic-uri? uri)

  (define (contains-github-archive? uri)
    (regexp-match? (string-match "github.com/.*/archive/" uri)))

  ;; URI can be a string or a list of string.
  (match uri
    ((uri1 uri2 ...)			;match list of strings
     (not (null? (filter contains-github-archive? uri))))
    (uri1				;match string
     (contains-github-archive? uri1))))

(define (problematic-github-package? package)
  (let ((source (package-source package)))
    (and (origin? source)
	 (eq? (origin-method source) url-fetch)
	 (problematic-uri? (origin-uri source)))))

(define (problematic-github-packages)
  "List of all the potentially problematic GitHub packages."
  (fold-packages (lambda (p r)
		   (if (problematic-github-package? p)
		       (cons p r)
		       r))
		 '()))
(define (main)
  "Find and print the names of the potentially problematic GitHub packages."
  (let ((packages (problematic-github-packages)))
    (format #t "Number of potentially problematic GitHub packages: ~a~%"
	    (length packages))
    (for-each (lambda (p)
		(format #t "~a~%" (package-name p)))
	      packages)))

;;; Run the program.
(main)

--=-=-=
Content-Type: text/plain


And sample output:
--8<---------------cut here---------------start------------->8---
Number of potentially problematic GitHub packages: 650
fdupes
cbatticon
cpulimit
thefuck
thermald
neofetch
autojump
progress
nnn
[...]
wxwidgets
xclip
xcape
sxhkd
maim
slop
tinyxml2
xlsx2csv
--8<---------------cut here---------------end--------------->8---

Maxim

--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 4 Oct 2017 16:54:47 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Oct 04 12:54:47 2017
Received: from localhost ([127.0.0.1]:49151 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dzmwZ-00078X-FA
	for submit <at> debbugs.gnu.org; Wed, 04 Oct 2017 12:54:47 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:43301)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1dzmwX-00078P-LP
 for 28659 <at> debbugs.gnu.org; Wed, 04 Oct 2017 12:54:46 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 055C620BCC;
 Wed,  4 Oct 2017 12:54:45 -0400 (EDT)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Wed, 04 Oct 2017 12:54:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=mesmtp; bh=YhJC5uASzN1BGeVRrsYf5xIkC1v5BEiHEr3t9p
 /4+/I=; b=ncat4q+jDARMOiyvXVIdRmuu3jKyT9Mg45q8Q1bO8z8AEhWn08PUv5
 Ko/4Vcxltyhm1fB1REIG3lVhCfgfYNVh7plDO1mBYVrA46m3++wcS5e12cKB97PN
 7iML/cJpPG/CmD4xlp4sce91nKzVDvdjmxZBdcWMPdrSY+MslVqw0=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=YhJC5uASzN1BGeVRrs
 Yf5xIkC1v5BEiHEr3t9p/4+/I=; b=iYEKvaOPuYxUdXuS0v0mf2H21DDgtsjOgr
 Zt6IRiQuYmu2YNr23mO11vd9NoBs8bFjPutAoPO9cmEuShEAjN+FVNa7vikIxvaC
 nss2d+DwBqPGzi0ZWIQtk5yFB/yzg+7iFjOQpkX1XrDw4+x8FSJDKDiqm6AkIN+S
 AefMIw6D0sOOhQ/GoBkMgMQAhb9h76qBQ6Q1LcT8DeGZxh1JfRpl0PY/X4N++/54
 2FCGZ/3DxPKvrVi1n7ZbqrqNGuhbv7sWS/70bF+zHgvgbOLXdyE37Tjgx8Ti2A2V
 8Ny8BiwaRdTTMB80nFNVEgg0oaB4Ll1wJhq46ouyWLgYjIWXRpDA==
X-ME-Sender: <xms:VBLVWXOUgN2_bR9rgafRTBAWg_kkaDb0t-4_sEuul7T-ChYESz8o0w>
X-Sasl-enc: pe/tntoziZ7+vShxiPRi7qfuHhYa2ML8S57N+AgWone1 1507136084
Received: from localhost (static-63-131-119-230.ngn.onecommunications.net
 [63.131.119.230])
 by mail.messagingengine.com (Postfix) with ESMTPA id B09537FA6B;
 Wed,  4 Oct 2017 12:54:44 -0400 (EDT)
Date: Wed, 4 Oct 2017 12:54:13 -0400
From: Leo Famulari <leo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1
 content hashes fail
Message-ID: <20171004165413.GA4596@HIDDEN>
References: <877ewf18d4.fsf@HIDDEN> <87wp4e8yk5.fsf@HIDDEN>
 <20171001204237.GA11804@HIDDEN> <87vajxoavx.fsf@HIDDEN>
 <20171002181929.GA10773@HIDDEN> <87infx2mmt.fsf@HIDDEN>
 <20171003142449.GB23431@HIDDEN> <874lrfee45.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB"
Content-Disposition: inline
In-Reply-To: <874lrfee45.fsf@HIDDEN>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 28659
Cc: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>, 28659 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--tThc/1wpZn/ma/RB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, Oct 04, 2017 at 12:22:34AM -0400, Maxim Cournoyer wrote:
> Here are the first 10 lines of the output:
> --8<---------------cut here---------------start------------->8---
> Number of potentially problematic GitHub packages:1011
> fdupes
> cbatticon
> sedsed
> cpulimit
> autojump
> sudo

I think the script is buggy; sudo's source is not downloaded from GitHub
as far as I can tell.

--tThc/1wpZn/ma/RB
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlnVEjEACgkQJkb6MLrK
fwicpw//TPd2Fr5Mkp503pNfnrN6H0cgir0LGBmdl8FCF1K3BWL9ZVNnI5e0sejW
18dB8FbIOIsVEVpQ7Rru0iqWNZhQsOCw3HgWQgfGoDGn2xSwRKRxT9q51EFPI2uo
/6bBeYaqmRdngjpKtUZVtb25igd3hRZYDznDL5k33tGNXbu9N2hGLy3mIRYwUDAD
JBcujOAucQAqi5WgJhUglqpGSl2tPbxTm4Pqy+xrl6ziYF9dTqbZbsInZ9ZR7XWq
Gop6OOFPC6gtpAVCf1i6j3sl7/6a0N/aISuXGC+U0kZIIknLYM3p8WXWUV3vvRD/
b/bMMZUzNIz210giaYTk8XrQ8YgLnShD+D9x+7pwyyth9rFwN4vXk677vCVo29Dn
CZRBeWcjEQko8KQNhjLNkt9KwVT/HiHEkMf2pcDfHveQVdDMfHWVp4pl+iYMlJcT
opTCjuRHMGP3Hc8Bg+yWz37sGUtieg+iJm4l3KxcBL4dto27B/fCaUpffwAsyEZG
18/c3hsE/08OjAD2eJmzwodjtbRAmBeizpyCXRcOZjqWQ9QFMKetDiAxOjQOtEhs
LCqpgmHbSd3FiQIH+EiXxEXAXGFKRmT9M3LSsFnrevI49AYm+iiOCadcwikqun8t
PH/kaPWcWzGDrVq3Dp8FDqXnRWK5ZVBmGmQmbVslwyk6yzCM2+c=
=pupx
-----END PGP SIGNATURE-----

--tThc/1wpZn/ma/RB--




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 4 Oct 2017 04:22:45 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Oct 04 00:22:45 2017
Received: from localhost ([127.0.0.1]:47192 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dzbCn-0005EI-HG
	for submit <at> debbugs.gnu.org; Wed, 04 Oct 2017 00:22:45 -0400
Received: from mail-it0-f50.google.com ([209.85.214.50]:56628)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@HIDDEN>) id 1dzbCk-0005E4-FZ
 for 28659 <at> debbugs.gnu.org; Wed, 04 Oct 2017 00:22:43 -0400
Received: by mail-it0-f50.google.com with SMTP id g18so14028526itg.5
 for <28659 <at> debbugs.gnu.org>; Tue, 03 Oct 2017 21:22:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:references:date:in-reply-to:message-id
 :user-agent:mime-version;
 bh=SxCIt8rqMqsyWuN6CZqOa2jlWUNCgl/X5hykfLPDAk8=;
 b=PqGBZvC916zz06aomOcewmI7+QRrS6nxZawtxZWXWPgd6Hg1FGf9yiQfCPhY59K3rG
 v6UOk//EZlcLMhjyYDQhVGcrkw22JigaT40XwlkluaFRgzEhyRXKku4XXx3a8YuUamph
 86BTntElm6GI3QZIrCforv2KgbsmypfmvgA9nkROA+TrclPp/V2i3N21Bmag8Y9adLXZ
 KPBuWBWpFjxPs8txifzwzYQtjZ8cw9xhjT73N7o4XYNnL9ixVOtPDso94CrmpbVfRLpJ
 GuZfwGjgsQSTWJ15y2g/G+dS+cpraexLDkwKornA0PgwzzhaxGiaIB6N9ZjhJeWbnpFJ
 5U3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
 :message-id:user-agent:mime-version;
 bh=SxCIt8rqMqsyWuN6CZqOa2jlWUNCgl/X5hykfLPDAk8=;
 b=Jtb0ckmrCKfrg2jYVI6T1zRDgnnk12Ol78cN6tp8v+AhOBJbkwQWQaXxj6tkaPh/CJ
 FxGkdsXc1pAm+Kadb87e9gCp+HktvWYq0OTejq8tPxQ4HRkU2Y5ZtgE30j7vmcpdFEWS
 s3CZMzqZRCqkPuzaaI/GZwm2Tyfgtq9wg34kurETlObFU7MXz1638D132+DL/arEGXAS
 4ePFeoS4ebd7Mpzur17EabXSfNFUvM2/rCLY5FshxIPqGlRmffckWuRdQLcnPhgfGkhf
 4U1qLFmOdVdP26IpZvMcRdsM73b1RjrWTJPkinL8uIQQF1LprHhb7U92OxotNiFodwtJ
 Xigw==
X-Gm-Message-State: AMCzsaVnIKnYsArsql9WCdLTL7SOhCcQ/pPYanoHb1lmcoZBGkJJ1Brc
 m1JpVYJTyy0AP3Fow+05ir8=
X-Google-Smtp-Source: AOwi7QCp6pEl6t/TnkntKmW22MZS4bpnF5PhcBxSjk+Om6tw85VWmdwxVm33KuI/Bjekss8+iwVPDw==
X-Received: by 10.36.29.137 with SMTP id 131mr27890627itj.91.1507090956674;
 Tue, 03 Oct 2017 21:22:36 -0700 (PDT)
Received: from apteryx (104-222-112-128.cpe.teksavvy.com. [104.222.112.128])
 by smtp.gmail.com with ESMTPSA id v33sm6704548iov.46.2017.10.03.21.22.35
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Tue, 03 Oct 2017 21:22:36 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN> <87wp4e8yk5.fsf@HIDDEN>
 <20171001204237.GA11804@HIDDEN> <87vajxoavx.fsf@HIDDEN>
 <20171002181929.GA10773@HIDDEN> <87infx2mmt.fsf@HIDDEN>
 <20171003142449.GB23431@HIDDEN>
Date: Wed, 04 Oct 2017 00:22:34 -0400
In-Reply-To: <20171003142449.GB23431@HIDDEN> (Leo Famulari's message of
 "Tue, 3 Oct 2017 10:24:49 -0400")
Message-ID: <874lrfee45.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -0.2 (/)
X-Debbugs-Envelope-To: 28659
Cc: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, 28659 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.2 (/)

--=-=-=
Content-Type: text/plain

Leo Famulari <leo@HIDDEN> writes:

> On Mon, Oct 02, 2017 at 06:47:06PM -0400, Maxim Cournoyer wrote:
>> Leo Famulari <leo@HIDDEN> writes:
>> > I wonder, are there really that many affected packages?
>> 
>> There's a list here:
>> https://github.com/Homebrew/homebrew-core/issues/18044, compiled by one
>> of the homebrew project's maintainers.
>
> I meant, how many Guix packages use the auto-generated GitHub snapshots?
>
> I believe the tell-tale sign is that the download link will have the
> link text 'Source code', as for this release:
>
> https://github.com/libgit2/libgit2/releases/tag/v0.26.0

The following script:

--=-=-=
Content-Type: text/plain
Content-Disposition: inline
Content-Description: find-affected-github-packages.scm

;;; A script to find packages possibly affected by GitHub
;;; infrastructure update that caused minor changes in the
;;; automatically generated tarballs.

(use-modules (ice-9 match)
	     (gnu packages)
	     (guix download)
	     (guix packages))

(define (problematic-uri? uri)

  (define (contains-github-archive? uri)
    (string-match "github.com/.*/archive/" uri))

  ;; URI can be a string or a list of string.
  (match uri
    ((uri1 uri2 ...)			;match list of strings
     (filter contains-github-archive? uri))
    (uri1				;match string
     (contains-github-archive? uri1))))

(define (problematic-github-package? package)
  (let ((source (package-source package)))
    (and (origin? source)
	 (eq? (origin-method source) url-fetch)
	 (problematic-uri? (origin-uri source)))))

(define (problematic-github-packages)
  "List of all the potentially problematic GitHub packages."
  (fold-packages (lambda (p r)
		   (if (problematic-github-package? p)
		       (cons p r)
		       r))
		 '()))
(define (main)
  "Find and print the names of the potentially problematic GitHub packages."
  (let ((packages (problematic-github-packages)))
    (format #t "Number of potentially problematic GitHub packages:~a~%"
	    (length packages))
    (for-each (lambda (p)
		(format #t "~a~%" (package-name p)))
	      packages)))

;;; Run the program.
(main)

--=-=-=
Content-Type: text/plain


outputs that there could be up to 1011 affected packages.

The scripts checks for a url-fetch uri of the form
"github.com/.*/archive/", which seems to be the one used for the
dynamically generated archives.

Here are the first 10 lines of the output:
--8<---------------cut here---------------start------------->8---
Number of potentially problematic GitHub packages:1011
fdupes
cbatticon
sedsed
cpulimit
autojump
sudo
thermald
progress
dstat
[...]
--8<---------------cut here---------------end--------------->8---

I've checked the first few with for example:
--8<---------------cut here---------------start------------->8---
guix build --source --no-substitutes sedsed
--8<---------------cut here---------------end--------------->8---

and they were OK though.

Maxim

--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 3 Oct 2017 14:24:54 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 03 10:24:54 2017
Received: from localhost ([127.0.0.1]:46404 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dzO7w-0002tH-Kw
	for submit <at> debbugs.gnu.org; Tue, 03 Oct 2017 10:24:54 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:58875)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1dzO7u-0002t7-Ib
 for 28659 <at> debbugs.gnu.org; Tue, 03 Oct 2017 10:24:50 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 7CDE02064D;
 Tue,  3 Oct 2017 10:24:50 -0400 (EDT)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Tue, 03 Oct 2017 10:24:50 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=mesmtp; bh=W97x2vA67qiUh0oj+ju820Nzcdw4KZNg8JEjPC
 6Aeeg=; b=PnMZBsXzoScnEPDhidgWVF7+R4QmEra7q9+8O2DZwOUw6Q9/AOdhhu
 11kqhw0wnKvpIUxdMIUnOThDrmICNkQs1xkTyH3nUfWmmKkeUQDTey9ruOAXym7/
 J9YgBeWKGjYihpFgT4VHQI2BQCZbGn9rmsTl5Cif8QJUzZH0acODk=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=W97x2vA67qiUh0oj+j
 u820Nzcdw4KZNg8JEjPC6Aeeg=; b=AffQrcYKUy0q8o16vRuMr2E5NJt5bTcgq/
 yYKnxfSZv3Bl/vQZv/MSyeLDfpuqEU5KG90TLSznlzKK15EF+3IXIikRVJ5zv++x
 0YAaI5a4RcummY2AoEZBXMQHQ3k1WCMXngNbet+A5qPhRcVpreTHh2Blj0UZBx4Z
 JkE1jHMDtlLBrHdjgVMPhy2CIJuMV9hA2c2YHqC4CrMk0WZG8ON4pPQ8SNPU4ECI
 ntImeoLra/ICM8nQ58j/eMzqNx7B7PtAJrb9fqBga5eh6tFX2uL6OJlEf1gI0oKy
 ZVZ+B6Fi8M+HsF92lbvFwndRzuYp1GacwPL2GLfzGjKU/r0s08wQ==
X-ME-Sender: <xms:sp3TWQ1PBFEDPhJqIBeKHL-x0zlqhnJprS7lFmGkqSPRKNPJJuvvhQ>
X-Sasl-enc: T0KG4TQzgKpEWMPhPiexEv473sQ7i4k4F3c+Pl6Y1ywa 1507040690
Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70])
 by mail.messagingengine.com (Postfix) with ESMTPA id 37FC57FA80;
 Tue,  3 Oct 2017 10:24:50 -0400 (EDT)
Date: Tue, 3 Oct 2017 10:24:49 -0400
From: Leo Famulari <leo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1
 content hashes fail
Message-ID: <20171003142449.GB23431@HIDDEN>
References: <877ewf18d4.fsf@HIDDEN> <87wp4e8yk5.fsf@HIDDEN>
 <20171001204237.GA11804@HIDDEN> <87vajxoavx.fsf@HIDDEN>
 <20171002181929.GA10773@HIDDEN> <87infx2mmt.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="0eh6TmSyL6TZE2Uz"
Content-Disposition: inline
In-Reply-To: <87infx2mmt.fsf@HIDDEN>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 28659
Cc: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>, 28659 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--0eh6TmSyL6TZE2Uz
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Oct 02, 2017 at 06:47:06PM -0400, Maxim Cournoyer wrote:
> Leo Famulari <leo@HIDDEN> writes:
> > I wonder, are there really that many affected packages?
>=20
> There's a list here:
> https://github.com/Homebrew/homebrew-core/issues/18044, compiled by one
> of the homebrew project's maintainers.

I meant, how many Guix packages use the auto-generated GitHub snapshots?

I believe the tell-tale sign is that the download link will have the
link text 'Source code', as for this release:

https://github.com/libgit2/libgit2/releases/tag/v0.26.0

--0eh6TmSyL6TZE2Uz
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlnTnbEACgkQJkb6MLrK
fwgIQA//Wg9T8UTUJy67D5QirTKifuoVyyC/5u8FloLZ/qp/7yPybSUgkM6GixOm
GM71mwhUFYnzmRzm0kO0u0bKPudby7lsncrx8ZuI3tekMCeagSqs11nEyAAn+R5x
CkFAtKniUi9HAWmucU+VXwFjPwhbmNF30KU2bo3x5sYac/Q6wsyAeUhts3FoyoC0
NY/OYBuY1NmKcRC4cHBP80xymvlDPJsiqNsIKzUDwqqDRxnKZWt1CccgZ3ry8xwz
teZchapxM4ppM0wEelSkCkxSc4cJIMARII6FENDZbKJ9vtXr+oIu/KiMWqLSSRaG
YACujowNL1LOlLz8NOR4TmeGVC7nvtC2h1RN9e+VOBTiqooBOeIoRsqRTPf+S08I
PWx7qMFkoq3SCKCXNq8y+Rw2mM/bu3J7x7J1EkcoX5GBy2rCNdwLKIbWgtmD3fes
SC0EnS0TWIfGHMWF1eXSF/RcReVF4WOd4RRhekU3eebm8XFQ6pJe2ojMtK0xClUl
Eg+cXV0o/eyLi8GeuFX2t6ecvzdP7yLAOcwDxNquOnHawfDdKSk++6mH6dqRWwsC
FyZ3lFI3RHzu//G3m76pj3B8WEe8htHSq6Qm+zKdXVqulmGiyHkvEVvbeK2CsnKb
KMmn98/ZtnhBwrJgVjR5pF0zjAtCVSCVZpBtg1CQQEQlyKC4b00=
=iPiB
-----END PGP SIGNATURE-----

--0eh6TmSyL6TZE2Uz--




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 3 Oct 2017 12:31:33 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 03 08:31:33 2017
Received: from localhost ([127.0.0.1]:45370 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dzMMH-00080M-HY
	for submit <at> debbugs.gnu.org; Tue, 03 Oct 2017 08:31:33 -0400
Received: from eggs.gnu.org ([208.118.235.92]:56501)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1dzMMG-00080A-2f
 for 28659 <at> debbugs.gnu.org; Tue, 03 Oct 2017 08:31:32 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1dzMM5-0006Eb-DP
 for 28659 <at> debbugs.gnu.org; Tue, 03 Oct 2017 08:31:27 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD,
 URIBL_BLOCKED autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:60027)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1dzMM5-0006EF-AL; Tue, 03 Oct 2017 08:31:21 -0400
Received: from [193.50.110.164] (port=35912 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1dzMM4-00078N-Rw; Tue, 03 Oct 2017 08:31:21 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN> <87wp4e8yk5.fsf@HIDDEN>
 <20171001204237.GA11804@HIDDEN> <87vajxoavx.fsf@HIDDEN>
 <20171002181929.GA10773@HIDDEN> <87infx2mmt.fsf@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 12 =?utf-8?Q?Vend=C3=A9miaire?= an 226 de la
 =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Tue, 03 Oct 2017 14:31:19 +0200
In-Reply-To: <87infx2mmt.fsf@HIDDEN> (Maxim Cournoyer's message of "Mon, 02
 Oct 2017 18:47:06 -0400")
Message-ID: <87wp4c8lbc.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

> Leo Famulari <leo@HIDDEN> writes:
>
>> On Mon, Oct 02, 2017 at 04:57:38PM +0200, Ludovic Court=C3=A8s wrote:
>>> Hi!
>>>=20
>>> Leo Famulari <leo@HIDDEN> skribis:
>>>=20
>>> > I contacted GitHub about this issue a few weeks ago and they said tha=
t:
>>> >
>>> > 1) They do not guarantee bit-reproducibility of the snapshots they
>>> > generate automatically for each release tag, and they wish that people
>>> > would not rely on them as we do. However, since people *are* relying =
on
>>> > them, they are discussing this issue internally.
>>>=20
>>> Oh?!  Then we=E2=80=99re in trouble.
>>
>> I wonder, are there really that many affected packages?
>
> There's a list here:
> https://github.com/Homebrew/homebrew-core/issues/18044, compiled by one
> of the homebrew project's maintainers.

Interesting.  Thanks for the link!

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 3 Oct 2017 12:30:55 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 03 08:30:55 2017
Received: from localhost ([127.0.0.1]:45366 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dzMLf-0007z2-3z
	for submit <at> debbugs.gnu.org; Tue, 03 Oct 2017 08:30:55 -0400
Received: from eggs.gnu.org ([208.118.235.92]:56154)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1dzMLd-0007yl-2i
 for 28659 <at> debbugs.gnu.org; Tue, 03 Oct 2017 08:30:53 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1dzMLU-00055R-4h
 for 28659 <at> debbugs.gnu.org; Tue, 03 Oct 2017 08:30:48 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD,
 URIBL_BLOCKED autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:59996)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1dzMLF-0004gN-OZ; Tue, 03 Oct 2017 08:30:29 -0400
Received: from [193.50.110.164] (port=35780 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1dzMLF-00070h-BS; Tue, 03 Oct 2017 08:30:29 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Jan Nieuwenhuizen <janneke@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN> <87o9ppoabw.fsf@HIDDEN>
 <20171002182208.GB10773@HIDDEN> <878tgt721q.fsf@HIDDEN>
 <87a8198fli.fsf@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 12 =?utf-8?Q?Vend=C3=A9miaire?= an 226 de la
 =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Tue, 03 Oct 2017 14:30:26 +0200
In-Reply-To: <87a8198fli.fsf@HIDDEN> (Jan Nieuwenhuizen's message of "Mon, 02
 Oct 2017 22:22:33 +0200")
Message-ID: <871smk9zx9.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Jan Nieuwenhuizen <janneke@HIDDEN> skribis:

> Ludovic Court=C3=A8s writes:

[...]

>> Perhaps we should make content-addressed mirrors configurable in a way
>> that=E2=80=99s orthogonal to derivations, something similar in spirit to
>> --substitute-urls?  The difficulty is that content-addressed mirrors are
>> not just URLs; see (guix download).
>
> Hmm.  I'm not sure what problem we are solving.  Should we only do this
> for github(-like) tarballs?  Do we see this problem with other sources,
> should we prevent it?  Possibly github will never do something like this
> again.  Or we could banish github/gitlab(?) auto-generated tarballs and
> go for git checkouts+commits?

Content-addressed mirrors help with disappearing and modified tarballs
in general; it=E2=80=99s not just GitHub.

Occasionally we see that problem with tarballs coming from elsewhere:
404 is quite frequent, and in-place modification happens from time to
time (even on ftp.gnu.org=E2=80=A6).

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 2 Oct 2017 22:47:17 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 02 18:47:17 2017
Received: from localhost ([127.0.0.1]:44664 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dz9UZ-0000RU-IU
	for submit <at> debbugs.gnu.org; Mon, 02 Oct 2017 18:47:15 -0400
Received: from mail-qt0-f171.google.com ([209.85.216.171]:43173)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@HIDDEN>) id 1dz9UY-0000RH-8P
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 18:47:14 -0400
Received: by mail-qt0-f171.google.com with SMTP id a43so3939442qta.0
 for <28659 <at> debbugs.gnu.org>; Mon, 02 Oct 2017 15:47:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:references:date:in-reply-to:message-id
 :user-agent:mime-version:content-transfer-encoding;
 bh=IV34YMIGgSeWULs7nIAynYBzFUXM3MiuGt8ZT/ODvuQ=;
 b=ZjXGunKlbUs6KyOZEoFeySPfcH0nQRUJBCG57lRvuT/rNn67Xkvmhf3uT7S5Bcnpxx
 ng8aqx2XYUYGPwEgKxHrCuSc6N/NEFzNaqMin9m1mkSx6SzbVnoOnWGkq0i1UOve+g47
 24Z6jLoMigWInTaS8Na9mM7vBYCSMV1XIVycL5D2f+PtKbBWun6mYQEGnw+MC/YWaCvM
 hsAjn7GpvsarmOkppgMOZnBAX2lwQyC2Nm7mUgV00BRJpzBvTsDIoc/0iqbgHWPziuas
 pSJEslQa4JsYrcQV9jbKvm69jMLhkhQoVyru9M6BR/FoFxr7TSFFt7ennQ5RtWTWoHzg
 mFKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
 :message-id:user-agent:mime-version:content-transfer-encoding;
 bh=IV34YMIGgSeWULs7nIAynYBzFUXM3MiuGt8ZT/ODvuQ=;
 b=qT50cpnTE+TiEYL2FtxDX0JpmJpcn5zrwaAXMQUyR/WE7GugFpROBaUp0ANYi9LdCy
 xJ6V2vS7c7zyehy/wLb7n8CYfYlwaiQVt1DecKQSE7M1BHhrhKbo323oLgsIxJ5t9JRt
 gzUXnul8uIFxwfHc/AFXtgbtNiwP51mg3RkbxdTa0xELsJvuovPCE1Hn8uGkQjr28bxB
 eTqsSWiC6aZBUH1DkQk6jKq5jkIeYg7/7UJO/yI+dcf6e8+fVExZhvqFNzOgGn7ORXPm
 leiPqx+49vh3zHbGKJIKzxP/IwzOQGuWtaumRLrI/HuPCubJpeZncpdYeS0gq/e1WGLy
 gYiQ==
X-Gm-Message-State: AMCzsaXXExKS9SM00CX1Tzj0Mj7E75WHEiAaeZdo13s+As9Si8dyq3JH
 fNOsh1MuGDdZjWSceT5/AYF/KWsj
X-Google-Smtp-Source: AOwi7QAl3rxTdvwHIqnoFJIVa032XP2v0xSzIEXsnXQtSiCIKqmTVhSAzSBywXGkwrea9tPqhdAkMA==
X-Received: by 10.200.44.118 with SMTP id e51mr3631114qta.171.1506984428526;
 Mon, 02 Oct 2017 15:47:08 -0700 (PDT)
Received: from apteryx (104-222-112-128.cpe.teksavvy.com. [104.222.112.128])
 by smtp.gmail.com with ESMTPSA id u17sm7836456qtc.15.2017.10.02.15.47.07
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Mon, 02 Oct 2017 15:47:07 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN> <87wp4e8yk5.fsf@HIDDEN>
 <20171001204237.GA11804@HIDDEN> <87vajxoavx.fsf@HIDDEN>
 <20171002181929.GA10773@HIDDEN>
Date: Mon, 02 Oct 2017 18:47:06 -0400
In-Reply-To: <20171002181929.GA10773@HIDDEN> (Leo Famulari's message of
 "Mon, 2 Oct 2017 14:19:29 -0400")
Message-ID: <87infx2mmt.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.5 (/)
X-Debbugs-Envelope-To: 28659
Cc: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, 28659 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.5 (/)

Leo Famulari <leo@HIDDEN> writes:

> On Mon, Oct 02, 2017 at 04:57:38PM +0200, Ludovic Court=C3=A8s wrote:
>> Hi!
>>=20
>> Leo Famulari <leo@HIDDEN> skribis:
>>=20
>> > I contacted GitHub about this issue a few weeks ago and they said that:
>> >
>> > 1) They do not guarantee bit-reproducibility of the snapshots they
>> > generate automatically for each release tag, and they wish that people
>> > would not rely on them as we do. However, since people *are* relying on
>> > them, they are discussing this issue internally.
>>=20
>> Oh?!  Then we=E2=80=99re in trouble.
>
> I wonder, are there really that many affected packages?

There's a list here:
https://github.com/Homebrew/homebrew-core/issues/18044, compiled by one
of the homebrew project's maintainers.

Maxim




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 2 Oct 2017 20:29:16 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 02 16:29:16 2017
Received: from localhost ([127.0.0.1]:44589 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dz7L2-0005Kn-7d
	for submit <at> debbugs.gnu.org; Mon, 02 Oct 2017 16:29:16 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:55987)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1dz7Kw-0005KV-Ey
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 16:29:10 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id B00BB22840;
 Mon,  2 Oct 2017 16:29:09 -0400 (EDT)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Mon, 02 Oct 2017 16:29:09 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=mesmtp; bh=we671giaR7IBvrqX26SP/SKyAZuzWTqWxokP8W
 +BBVA=; b=OVrEGVKUnSDlGwNgXVHfpZqNCtbY3q6yimBbAITV7mUbSkzLjZv4e4
 UcxJz33lQDEWLVy+8Uh9vpCyIbN9eL6hU05XjC4adetbUyOdw/KviUVYmNwR+hl4
 oQJss/gu3RNjLGuEkvhinMMHuwCEcsoM55nCW5i4g+pnXs/7cNekw=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=we671giaR7IBvrqX26
 SP/SKyAZuzWTqWxokP8W+BBVA=; b=EOIkd7iWjhPt+tUMpeEcoYw1nGET0y665m
 fYvJmwdKz7PF0qbNrCxSSFYbdZBkK1zLT3k9x1HPF988g9QkWqAgNEN5vWuBhU8U
 UTfy3ASXg4FEcEQ1FJQwG4/kcvHPJuB6Xcg6mPqEVlZCfpyFxjsF0DHDgvKVyvIy
 m24YGA4+wUwgKHRSKO5YmK/gpcPdiCzuEM/1TsxUE/PHylh2V2jBVJoJ+7BfMhZF
 pmHlEINVVeMwa5Ui3xK4Qgde/mQt96l/ckNgYjqfO7r6rDPHW5P3+nLVWuvncvqT
 iBwz2IoTpGEAzJ+gDp6Czz9mhynXQeBlQu1q24gsbSF5qmmxa4gA==
X-ME-Sender: <xms:laHSWTf1TqzQRRED5QfVsjCAnLu05nuVI7HmHVQiD1wlweMYIsDsCw>
X-Sasl-enc: gCr/REJKc0PM5rmYgJq1OMzdD9QPZQlMZyFE8arRG+wq 1506976149
Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70])
 by mail.messagingengine.com (Postfix) with ESMTPA id 572027F9CC;
 Mon,  2 Oct 2017 16:29:09 -0400 (EDT)
Date: Mon, 2 Oct 2017 16:29:07 -0400
From: Leo Famulari <leo@HIDDEN>
To: Jan Nieuwenhuizen <janneke@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1
 content hashes fail
Message-ID: <20171002202907.GA23960@HIDDEN>
References: <877ewf18d4.fsf@HIDDEN> <87o9ppoabw.fsf@HIDDEN>
 <20171002182208.GB10773@HIDDEN> <878tgt721q.fsf@HIDDEN>
 <87a8198fli.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="Kj7319i9nmIyA2yE"
Content-Disposition: inline
In-Reply-To: <87a8198fli.fsf@HIDDEN>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 28659
Cc: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>, 28659 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--Kj7319i9nmIyA2yE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Mon, Oct 02, 2017 at 10:22:33PM +0200, Jan Nieuwenhuizen wrote:
> Hmm.  I'm not sure what problem we are solving.  Should we only do this
> for github(-like) tarballs?  Do we see this problem with other sources,
> should we prevent it?  Possibly github will never do something like this
> again.  Or we could banish github/gitlab(?) auto-generated tarballs and
> go for git checkouts+commits?

Files referenced by URL (location-addressing vs content-addressing) have
been changed in place by a variety of hosters and upstream projects
since I've started paying attention to these issues. I don't think we
need to do anything special regarding GitHub.

--Kj7319i9nmIyA2yE
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlnSoZMACgkQJkb6MLrK
fwgprRAAncJAFH/BMSTVqiV8vTF9mvsS8qFSaX1Vfj6XLPa3WpwoobMi6JOZQ1PG
jSWwudvXNdVRljU337d3XpcFEHZdau6BYwgMg52RcQv8Tzd2rgG50alJT5PkrTb0
7Gs4QiTQbJbWkQWJBPZ0g6nvFctj30H2AtFRp91hrQbo1mKt0X+VHjEQavzZ162z
8xLTQ+fYt8/GtZB3EDKk4o0in+HpLSZTIasDmsNsmscEREXic0eEnUlASA56WhrU
gXK82rqD36Vdvn5LJKfWfHFN24hHe/4gv3PT5DnaqmyI8Qz7D0UNcIGpOQM+NN1U
Pg3ugWXHSxyvT9bXJtK/LNATO6/02W7hVB44Hzh1Bw0FD5svD9wCXkzXNojCjqn1
wWGVQ45xMk+Ach5VIntmH6gqLu5dVyFRcS1RX9/osBOPxO6A8SLAiod6XWcp7j/a
7VueoRU6wnsaZ7eIgjUZ59tAu/PUs5+XprFvz1oDfjKqS1hS8gyhncd83LEpdOma
7XXWON82W8xSZfK7mHOsdkje2O5LF1jygqhjJRtCYbhiPmhHC0FUCtue61lT2CH4
YUNDRyaJbnF3d4suGS/yftLFpEyZ/1sandASq643lAHO05lCsBwkcrr2AoA9a5zE
1dLX0qja45/Mf4oJkQUdzyO9kw7vgfvbNhPjvuDJ8mm2S11vWYU=
=XoO+
-----END PGP SIGNATURE-----

--Kj7319i9nmIyA2yE--




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 2 Oct 2017 20:23:06 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 02 16:23:06 2017
Received: from localhost ([127.0.0.1]:44581 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dz7F2-0005B8-G7
	for submit <at> debbugs.gnu.org; Mon, 02 Oct 2017 16:23:06 -0400
Received: from eggs.gnu.org ([208.118.235.92]:59974)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <janneke@HIDDEN>) id 1dz7F1-0005AR-1i
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 16:23:03 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <janneke@HIDDEN>) id 1dz7Er-0006WC-P3
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 16:22:57 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_05,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:47492)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <janneke@HIDDEN>)
 id 1dz7Eb-0006C3-17; Mon, 02 Oct 2017 16:22:37 -0400
Received: from peder.onsbrabantnet.nl ([88.159.206.46]:51076
 helo=dundal.peder.onsbrabantnet.nl)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <janneke@HIDDEN>)
 id 1dz7Ea-0003Xl-IH; Mon, 02 Oct 2017 16:22:36 -0400
From: Jan Nieuwenhuizen <janneke@HIDDEN>
To: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
Organization: AvatarAcademy.nl
References: <877ewf18d4.fsf@HIDDEN> <87o9ppoabw.fsf@HIDDEN>
 <20171002182208.GB10773@HIDDEN> <878tgt721q.fsf@HIDDEN>
X-Url: http://AvatarAcademy.nl
Date: Mon, 02 Oct 2017 22:22:33 +0200
In-Reply-To: <878tgt721q.fsf@HIDDEN> ("Ludovic
 \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\=
 \=\?utf-8\?Q\?s\?\= message of "Mon, 02 Oct 2017 22:00:33 +0200")
Message-ID: <87a8198fli.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Ludovic Court=C3=A8s writes:

> Right.  Jan suggested checking the content-addressed mirrors *before*
> the real upstream address.  That would address the problem of upstream
> sources modified in-place, but at the cost of privacy/self-sufficiency
> as you note.  (Though it=E2=80=99s not really making =E2=80=9Cprivacy=E2=
=80=9D any worse in this
> case: it=E2=80=99s gnu.org vs. github.com.)

Yes, that may not preferrable in general without override.

> Perhaps we should make content-addressed mirrors configurable in a way
> that=E2=80=99s orthogonal to derivations, something similar in spirit to
> --substitute-urls?  The difficulty is that content-addressed mirrors are
> not just URLs; see (guix download).

Hmm.  I'm not sure what problem we are solving.  Should we only do this
for github(-like) tarballs?  Do we see this problem with other sources,
should we prevent it?  Possibly github will never do something like this
again.  Or we could banish github/gitlab(?) auto-generated tarballs and
go for git checkouts+commits?

janneke

--=20
Jan Nieuwenhuizen <janneke@HIDDEN> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar=C2=AE http://AvatarAcademy.com




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 2 Oct 2017 20:00:56 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 02 16:00:56 2017
Received: from localhost ([127.0.0.1]:44569 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dz6tb-0004dA-Om
	for submit <at> debbugs.gnu.org; Mon, 02 Oct 2017 16:00:55 -0400
Received: from eggs.gnu.org ([208.118.235.92]:50435)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1dz6tZ-0004cx-Oc
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 16:00:54 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1dz6tT-00070j-JV
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 16:00:48 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:46648)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1dz6tK-0006vF-08; Mon, 02 Oct 2017 16:00:38 -0400
Received: from vpn-0-27.aquilenet.fr ([2a01:474:4:27::]:60086 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1dz6tJ-0001tZ-6o; Mon, 02 Oct 2017 16:00:37 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN> <87o9ppoabw.fsf@HIDDEN>
 <20171002182208.GB10773@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 11 =?utf-8?Q?Vend=C3=A9miaire?= an 226 de la
 =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Mon, 02 Oct 2017 22:00:33 +0200
In-Reply-To: <20171002182208.GB10773@HIDDEN> (Leo Famulari's message of
 "Mon, 2 Oct 2017 14:22:08 -0400")
Message-ID: <878tgt721q.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Jan Nieuwenhuizen <janneke@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Leo Famulari <leo@HIDDEN> skribis:

> On Mon, Oct 02, 2017 at 05:09:39PM +0200, Ludovic Court=C3=A8s wrote:
>> What=E2=80=99s sad here is that we do have the right tarball at:
>>=20
>>   https://mirror.hydra.gnu.org/file/libgit2-0.25.1.tar.gz/sha256/1cdwcw3=
8frc1wf28x5ppddazv9hywc718j92f3xa3ybzzycyds3s

Just to be clear: this URL is not that of a substitute, but that of a
content-addressed file (corresponding to the output of a fixed-output
derivation.)

> It seems to me that there are several reasons someone may choose not to
> use substitutes. Some of those reasons (reproducibility and security
> concerns) are obviated for fixed-output derivations like upstream
> sources, and I think it would be fine to still use substitutes for these
> derivations.
>
> But the motivations of privacy, self-sufficiency, etc are not addressed
> by that idea.

Right.  Jan suggested checking the content-addressed mirrors *before*
the real upstream address.  That would address the problem of upstream
sources modified in-place, but at the cost of privacy/self-sufficiency
as you note.  (Though it=E2=80=99s not really making =E2=80=9Cprivacy=E2=80=
=9D any worse in this
case: it=E2=80=99s gnu.org vs. github.com.)

Perhaps we should make content-addressed mirrors configurable in a way
that=E2=80=99s orthogonal to derivations, something similar in spirit to
--substitute-urls?  The difficulty is that content-addressed mirrors are
not just URLs; see (guix download).

Thoughts?

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 2 Oct 2017 18:22:12 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 02 14:22:12 2017
Received: from localhost ([127.0.0.1]:44525 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dz5M3-00028T-US
	for submit <at> debbugs.gnu.org; Mon, 02 Oct 2017 14:22:12 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:54951)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1dz5M1-00028L-9d
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 14:22:09 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 3B37522853;
 Mon,  2 Oct 2017 14:22:09 -0400 (EDT)
Received: from frontend2 ([10.202.2.161])
 by compute4.internal (MEProxy); Mon, 02 Oct 2017 14:22:09 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=mesmtp; bh=2l77qxbpjzWfJLk4n5flFQmnTkJqITWFJpa/H3
 mJhDk=; b=B03VV/vBuaK8g/22BWkYwHWFq25GcuYvzRrvAbRGJJPczEC/ILJKEc
 84NpJZDpSJEkTFjqjtipGL8FEXafLmIxnF8MYz7SwoZSjiVnr3VhWVVq8oV3wZcS
 q7MCiyo8ZVNBcIw7Ci2FhCMWgkDJBxmFUAth4dk/1fYXoLSAatZxk=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=2l77qxbpjzWfJLk4n5
 flFQmnTkJqITWFJpa/H3mJhDk=; b=U5SvRy9rsKVrCjAi3DoIRIaDwat8aUIE6g
 OojuVkQT/bcsZkRMk3bUQ3JJ3MD/lF29ygVAykh4XgGYUKEagtwGJCWWyn3W7Ygy
 KHJ/yuISMEv68FViH199DegxnvSSiRKegIDVcyCsIdUNetUNXJ7DoXFNF1KazlrU
 7PxbuJ9Ax3QizOzjrwP11NoivJu4aVtUNMFFC2mNx1818dXmtYjk5BzihvwYIaWg
 HefYRr9iuc9uwwAQFAD6/9CrBYrbiVZix30dzOscpSKyTS2GEDsnSrLV2+jGU911
 rSv1m/8pz8WxOKTUhh0HLEOJXpeES1XN4yUO9L8HnbxrV/M2oJDw==
X-ME-Sender: <xms:0YPSWVkdsYdkfxscJjTxGeLYk7c1yyH1NcQDypLiX4h240IHmmHNeA>
X-Sasl-enc: /eiJI/oC2ss+Vu3BOlU4HqgZ/Yk59XA7Ofa/sPufX8HI 1506968528
Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70])
 by mail.messagingengine.com (Postfix) with ESMTPA id DECBF24724;
 Mon,  2 Oct 2017 14:22:08 -0400 (EDT)
Date: Mon, 2 Oct 2017 14:22:08 -0400
From: Leo Famulari <leo@HIDDEN>
To: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1
 content hashes fail
Message-ID: <20171002182208.GB10773@HIDDEN>
References: <877ewf18d4.fsf@HIDDEN>
 <87o9ppoabw.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="tjCHc7DPkfUGtrlw"
Content-Disposition: inline
In-Reply-To: <87o9ppoabw.fsf@HIDDEN>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Jan Nieuwenhuizen <janneke@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--tjCHc7DPkfUGtrlw
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Oct 02, 2017 at 05:09:39PM +0200, Ludovic Court=C3=A8s wrote:
> What=E2=80=99s sad here is that we do have the right tarball at:
>=20
>   https://mirror.hydra.gnu.org/file/libgit2-0.25.1.tar.gz/sha256/1cdwcw38=
frc1wf28x5ppddazv9hywc718j92f3xa3ybzzycyds3s

It seems to me that there are several reasons someone may choose not to
use substitutes. Some of those reasons (reproducibility and security
concerns) are obviated for fixed-output derivations like upstream
sources, and I think it would be fine to still use substitutes for these
derivations.

But the motivations of privacy, self-sufficiency, etc are not addressed
by that idea.

--tjCHc7DPkfUGtrlw
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlnSg88ACgkQJkb6MLrK
fwgqYA//Zwe4/WDJ9Hp622dJYZtUbjlsugX44QQIfZY65NNMfhEMdtct9SyiDzHR
mxvGdSf4kBKI+wdYcJIn5CtFJRD+Bz0zCc94tRlNk+W8bcJt2fJIqWJpGjW0VINI
oCp1mu2q+SgDWzOoB3owQyiOu+txm9eB5ZjrUvd+gp++TmbedkAENLBiAaoYZD9E
mXrpjMWq2MCTTACzCLQZU0OxffQlL/4UKq1M9qfdWWDi9V/dZ8jBsz9HHcKzt8Kv
gUUFUAGDe5/o7pXf73PW+S67AvbDZrPQN2V0yckpC3yb/ZqawzWiu2Y3zrW2ISNm
egzs40CLK2oKowl47nrO+Etb5MxmNbZPDjgqiN1WXjFfSm8YcdzAAOKR8jX8ocC6
vzcoHd0iBbfLyK5fFInixwx7ct1AArtpRK1BoC7D7z3+82VQmu/KMxoWInxI0DLF
CdfYO9AydgvCW+qiUOAa6I6xMNvDCvkHoJFt5axe4W+JX1WtFsETP+4uLCA5H6TW
I8CvU3eUU0cxGEjHunFtgdmsQx3dYajTiq4aSP9EQMdaHDouBEIRF++LIwuXqqjk
FrcILwnhgw+/gFjs3+Jix4pneqlDS6R2bOSgpehf9NLrHKrbMxUhVGLeyNhYsE7d
9m8sdEwxcXliq1rDcDynqmTDK6f5ij2jdSziUnZScF4DJ976HJ0=
=964r
-----END PGP SIGNATURE-----

--tjCHc7DPkfUGtrlw--




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 2 Oct 2017 18:19:34 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 02 14:19:34 2017
Received: from localhost ([127.0.0.1]:44520 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dz5JW-00023o-Fo
	for submit <at> debbugs.gnu.org; Mon, 02 Oct 2017 14:19:34 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:45897)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1dz5JT-00023f-UX
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 14:19:32 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 8427822A60;
 Mon,  2 Oct 2017 14:19:31 -0400 (EDT)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Mon, 02 Oct 2017 14:19:31 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=mesmtp; bh=SVKXqUHX2uNC4UxhyMbOhp02G/X8RqnceKjzQN
 fVvZI=; b=iI7IjBauqq0WrjE9KJiWTo4PGzz0U9kmCYNLeA8rv7ISrpiSdMv2ly
 6CjWactbzyr0JfbOdfBASdSoCbc4ruM0x26WmIHCqQ145nlv0K1BIfbvdh/c/SaD
 R12VD29gleXLRMV1Z4LQ6HHxCzyA2Re7EWu/0f03aI/puwltdHhBM=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=SVKXqUHX2uNC4UxhyM
 bOhp02G/X8RqnceKjzQNfVvZI=; b=nDhFIcLvMZMHE0Tcv1cmAvf6+UW8l4GY0o
 PeFutm3TzNe3RkoFOewGraJ6zgq4pSG7Y6ySGRNNLaWlaVlBuKA1svzk/t51jFYg
 Dp4hoYlr+Icy6/2edXTqE5GMG8axZSHZLyDhinMIIhRD3NgNP+tTvddNzob8cZS0
 cuT5C4VCwOraeo8/WJCLpgd1KXZc1HLLjn+ZbdbmJGFENW9QiXy2ZnyY+JorNsrl
 fjxmS/iB5o2O1p4X0ZwN2nhIqyHLAynvV874M4IZN3kTPCtKADu+xtUWbpzjxxMz
 46nwqG5aoUYa+LERTJo5dGV63i5XArzWQ+loBL2A1FYv5zdKg2Xg==
X-ME-Sender: <xms:M4PSWdE-cpdLot7enpAAS_M9diQ6FGxyJArtXSmBGV-skA37J_G3Gg>
X-Sasl-enc: LyP40zuUbzPNa7FaT4UOjo3FJiJYYRMlOcUmZAJ78l/X 1506968371
Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70])
 by mail.messagingengine.com (Postfix) with ESMTPA id 34E177FA60;
 Mon,  2 Oct 2017 14:19:31 -0400 (EDT)
Date: Mon, 2 Oct 2017 14:19:29 -0400
From: Leo Famulari <leo@HIDDEN>
To: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1
 content hashes fail
Message-ID: <20171002181929.GA10773@HIDDEN>
References: <877ewf18d4.fsf@HIDDEN> <87wp4e8yk5.fsf@HIDDEN>
 <20171001204237.GA11804@HIDDEN> <87vajxoavx.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="YiEDa0DAkWCtVeE4"
Content-Disposition: inline
In-Reply-To: <87vajxoavx.fsf@HIDDEN>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Jan Nieuwenhuizen <janneke@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--YiEDa0DAkWCtVeE4
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Oct 02, 2017 at 04:57:38PM +0200, Ludovic Court=C3=A8s wrote:
> Hi!
>=20
> Leo Famulari <leo@HIDDEN> skribis:
>=20
> > I contacted GitHub about this issue a few weeks ago and they said that:
> >
> > 1) They do not guarantee bit-reproducibility of the snapshots they
> > generate automatically for each release tag, and they wish that people
> > would not rely on them as we do. However, since people *are* relying on
> > them, they are discussing this issue internally.
>=20
> Oh?!  Then we=E2=80=99re in trouble.

I wonder, are there really that many affected packages? My sense is that
most GitHub-hosted projects offer their own release tarballs in addition
to the problematic auto-generated snapshots, and we tend to prefer the
upstream-provided tarballs in this case.

We'd need to survey our package sources to know what sort of reaction is
most appropriate.

In general, we should try to make Guix as resilient as possible to
unstable upstream sources, since the problem is not limited to GitHub.

> Perhaps we should start using =E2=80=98git-fetch=E2=80=99 more, with Soft=
ware=C2=A0Heritage
> as a fallback content-addressed mirror?  Though again the difficulty is
> that SWH uses Git=E2=80=99s method to hash directory contents, so we=E2=
=80=99d end up
> having to provide both a Nix hash and a Git hash in =E2=80=98origin=E2=80=
=99.  :-/

And the Git hashes will change from SHA1 to SHA256 sooner or later, and
SHA1 hashes will become less reliable as CPUs get faster (collision
attacks), compounding the problem...

--YiEDa0DAkWCtVeE4
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlnSgy0ACgkQJkb6MLrK
fwhXlA//dSvV1TA7XjxpLsaV9atdgrU7DvsVpuntzeYTmGoSqaQE+ZqlY90/AMkI
B37kgAamMge7cIK4xIYE4QFxiWXBWlEOpIQ98rTPrbVzTAxZPzMu/EWGCQ4pDbmN
ETqPHRrzQARGq8kPJLcKqcwqtQsdina87ITTDzZeYqEuJP90BIwvCWW8MGnJWYh6
3VhHZugZk/5fQQF6Jnv8ILf/BaSqYVsWkrDeuCuNXznUCMT9mfQ/7KvG7nMS6xy8
XNhGGqwsytU4AS4ekOZNtdIhevkFqUdj8t5M2Stp0xcsi4YnvVEi/sio8VbIov7D
jm58w6YtUl1vO+BBIt55c6WJHN9nYxNgemMkrj3n0bsmf7PV/VcbsTg/swCb3J4B
AcedV6RETP8iVB2cYBYCxA38Z+3/FJFyOvERjOkzzurWddMjWpipIsC7atchYUCf
czsLTCCwewieCu7N4yaaIjO3UWbCfq4lDqPsURp5bLtlXdw7NXoDYtvao4TyRjR2
KR3h7Qo6VobgE4jaL0Y/7x2YTXDtPHDpJA4wRLiDkwRj5awJKQ+IyZtr7wZ7jY71
wy0yqck2KfGDnKNCZQUppo93OoJl9JerKtw47CT5cQv+53x52Drr8HdQnLZ7aLlX
tX72HXtHEb41LySXmydDChivReONHpATOrRbLuFfhUHDvHHylL8=
=dby8
-----END PGP SIGNATURE-----

--YiEDa0DAkWCtVeE4--




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 2 Oct 2017 17:05:32 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 02 13:05:32 2017
Received: from localhost ([127.0.0.1]:44459 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dz49r-0006dK-VF
	for submit <at> debbugs.gnu.org; Mon, 02 Oct 2017 13:05:32 -0400
Received: from eggs.gnu.org ([208.118.235.92]:33850)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <janneke@HIDDEN>) id 1dz49q-0006d8-1z
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 13:05:30 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <janneke@HIDDEN>) id 1dz49g-0005cy-IE
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 13:05:24 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_40,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:43685)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <janneke@HIDDEN>)
 id 1dz49P-0005Mm-Ol; Mon, 02 Oct 2017 13:05:03 -0400
Received: from peder.onsbrabantnet.nl ([88.159.206.46]:50868
 helo=dundal.peder.onsbrabantnet.nl)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <janneke@HIDDEN>)
 id 1dz49P-0004qJ-Bk; Mon, 02 Oct 2017 13:05:03 -0400
From: Jan Nieuwenhuizen <janneke@HIDDEN>
To: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
Organization: AvatarAcademy.nl
References: <877ewf18d4.fsf@HIDDEN> <87o9ppoabw.fsf@HIDDEN>
X-Url: http://AvatarAcademy.nl
Date: Mon, 02 Oct 2017 19:05:00 +0200
In-Reply-To: <87o9ppoabw.fsf@HIDDEN> ("Ludovic
 \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\=
 \=\?utf-8\?Q\?s\?\= message of "Mon, 02 Oct 2017 17:09:39 +0200")
Message-ID: <87infx8oqr.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Ludovic Court=C3=A8s writes:

> What=E2=80=99s sad here is that we do have the right tarball at:
>
>   https://mirror.hydra.gnu.org/file/libgit2-0.25.1.tar.gz/sha256/1cdwcw38=
frc1wf28x5ppddazv9hywc718j92f3xa3ybzzycyds3s

Sad indeed!

> The problem is that the hash check is performed by guix-daemon itself,
> not by =E2=80=9Cguix perform-download=E2=80=9D.  So when guix-daemon diag=
noses a hash
> mismatch, it=E2=80=99s too late and we cannot try again and use the
> content-addressed mirror.

Why don't we try our content-addressed mirror first?

> A crude but helpful fix would be to have perform-download compute the
> hash by itself and act accordingly.  It=E2=80=99s crude because that mean=
s that
> we=E2=80=99d be computing the hash twice: once in =E2=80=98guix perform-d=
ownload=E2=80=99 and a
> second time in guix-daemon.  For archives below ~20=C2=A0MiB it=E2=80=99s=
 probably OK
> though.
>
> Thoughts?

We may want more guix hackers' viewpoints here, I don't feel very
qualified...As this would be a temporary workaround only until we have

> In the future, with the daemon written in Guile, it=E2=80=99s one area wh=
ere we
> could achieve better integration and coordination among the various
> pieces.

...it might be fine?

Do we want/need to bring out a new release for this, e.g. 0.13.1, or
even 0.14?  I'm not sure how bad it is that --no-substitutes does not
work.  I think working on guix pull to not compile everything locally
may have priority?

janneke

--=20
Jan Nieuwenhuizen <janneke@HIDDEN> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar=C2=AE http://AvatarAcademy.com




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.
Severity set to 'important' from 'normal' Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.
Changed bug title to 'Content-addressed mirror is not used upon invalid hash' from 'v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1 content hashes fail' Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 2 Oct 2017 15:10:05 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 02 11:10:05 2017
Received: from localhost ([127.0.0.1]:44314 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dz2M9-0001kB-Dm
	for submit <at> debbugs.gnu.org; Mon, 02 Oct 2017 11:10:05 -0400
Received: from eggs.gnu.org ([208.118.235.92]:43477)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1dz2M8-0001je-5S
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 11:10:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1dz2Ly-00068m-N1
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 11:09:58 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:40754)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1dz2Ll-0005nx-VE; Mon, 02 Oct 2017 11:09:42 -0400
Received: from [193.50.110.164] (port=46120 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1dz2Ll-00026o-IA; Mon, 02 Oct 2017 11:09:41 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Jan Nieuwenhuizen <janneke@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 11 =?utf-8?Q?Vend=C3=A9miaire?= an 226 de la
 =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Mon, 02 Oct 2017 17:09:39 +0200
In-Reply-To: <877ewf18d4.fsf@HIDDEN> (Jan Nieuwenhuizen's message of "Sun, 01
 Oct 2017 12:16:07 +0200")
Message-ID: <87o9ppoabw.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Hello,

Jan Nieuwenhuizen <janneke@HIDDEN> skribis:

> As reported by laertus on irc[0]: guix pull on 0.13 without substitutes f=
ails

I just checked and we do have substitutes, but I understand it doesn=E2=80=
=99t
help here.

>       guix pull
>
>     Starting download of /tmp/guix-file.3r6cH0
>     From https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.g=
z...
>      =E2=80=A6.tar.gz                                   5.7MiB/s 00:02 | =
13.6MiB transferred
>     unpacking '/gnu/store/sginfwnrcfqn1far31gmzlaffd8xlxyy-guix-latest.ta=
r.gz'...
>
>     Starting download of /gnu/store/c3npgqn9ag2ypi9bda1g779wwwlcqqrf-libg=
it2-0.25.1.tar.gz
>     From https://github.com/libgit2/libgit2/archive/v0.25.1.tar.gz...
>     following redirection to `https://codeload.github.com/libgit2/libgit2=
/tar.gz/v0.25.1'...
>      v0.25.1                                     6.1MiB/s 00:01 | 4.1MiB =
transferred
>     output path `/gnu/store/c3npgqn9ag2ypi9bda1g779wwwlcqqrf-libgit2-0.25=
.1.tar.gz' should have sha256 hash `1cdwcw38frc1wf28x5ppddazv9hywc718j92f3x=
a3ybzzycyds3s', instead has `0ywcxw1mwd56c8qc14hbx31bf198gxck3nja3laxyglv7l=
57qp26'

What=E2=80=99s sad here is that we do have the right tarball at:

  https://mirror.hydra.gnu.org/file/libgit2-0.25.1.tar.gz/sha256/1cdwcw38fr=
c1wf28x5ppddazv9hywc718j92f3xa3ybzzycyds3s

The problem is that the hash check is performed by guix-daemon itself,
not by =E2=80=9Cguix perform-download=E2=80=9D.  So when guix-daemon diagno=
ses a hash
mismatch, it=E2=80=99s too late and we cannot try again and use the
content-addressed mirror.

A crude but helpful fix would be to have perform-download compute the
hash by itself and act accordingly.  It=E2=80=99s crude because that means =
that
we=E2=80=99d be computing the hash twice: once in =E2=80=98guix perform-dow=
nload=E2=80=99 and a
second time in guix-daemon.  For archives below ~20=C2=A0MiB it=E2=80=99s p=
robably OK
though.

Thoughts?

In the future, with the daemon written in Guile, it=E2=80=99s one area wher=
e we
could achieve better integration and coordination among the various
pieces.

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 2 Oct 2017 14:57:56 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 02 10:57:56 2017
Received: from localhost ([127.0.0.1]:44309 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dz2AM-00080r-Tl
	for submit <at> debbugs.gnu.org; Mon, 02 Oct 2017 10:57:56 -0400
Received: from eggs.gnu.org ([208.118.235.92]:39852)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1dz2AL-00080f-7z
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 10:57:53 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1dz2AF-0006X8-8F
 for 28659 <at> debbugs.gnu.org; Mon, 02 Oct 2017 10:57:48 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:40310)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1dz2A8-0006Sh-Vl; Mon, 02 Oct 2017 10:57:41 -0400
Received: from [193.50.110.164] (port=45976 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1dz2A8-0005oS-FA; Mon, 02 Oct 2017 10:57:40 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN> <87wp4e8yk5.fsf@HIDDEN>
 <20171001204237.GA11804@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 11 =?utf-8?Q?Vend=C3=A9miaire?= an 226 de la
 =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Mon, 02 Oct 2017 16:57:38 +0200
In-Reply-To: <20171001204237.GA11804@HIDDEN> (Leo Famulari's message of
 "Sun, 1 Oct 2017 16:42:37 -0400")
Message-ID: <87vajxoavx.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Jan Nieuwenhuizen <janneke@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Hi!

Leo Famulari <leo@HIDDEN> skribis:

> I contacted GitHub about this issue a few weeks ago and they said that:
>
> 1) They do not guarantee bit-reproducibility of the snapshots they
> generate automatically for each release tag, and they wish that people
> would not rely on them as we do. However, since people *are* relying on
> them, they are discussing this issue internally.

Oh?!  Then we=E2=80=99re in trouble.

Perhaps we should start using =E2=80=98git-fetch=E2=80=99 more, with Softwa=
re=C2=A0Heritage
as a fallback content-addressed mirror?  Though again the difficulty is
that SWH uses Git=E2=80=99s method to hash directory contents, so we=E2=80=
=99d end up
having to provide both a Nix hash and a Git hash in =E2=80=98origin=E2=80=
=99.  :-/

> In the meantime, we can add this to the list of reasons that
> reproducibility is difficult in the long term.

Heh.

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 1 Oct 2017 21:05:50 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Oct 01 17:05:50 2017
Received: from localhost ([127.0.0.1]:43164 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dylQp-0006X9-9T
	for submit <at> debbugs.gnu.org; Sun, 01 Oct 2017 17:05:50 -0400
Received: from aibo.runbox.com ([91.220.196.211]:36830)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ng0@HIDDEN>) id 1dylQn-0006X1-8I
 for 28659 <at> debbugs.gnu.org; Sun, 01 Oct 2017 17:05:45 -0400
Received: from [10.9.9.210] (helo=mailfront10.runbox.com)
 by mailtransmit02.runbox with esmtp (Exim 4.86_2)
 (envelope-from <ng0@HIDDEN>)
 id 1dylQj-0007kf-A2; Sun, 01 Oct 2017 23:05:41 +0200
Received: from tor-exit-4.all.de ([212.21.66.6] helo=localhost)
 by mailfront10.runbox.com with esmtpsa (uid:892961 )
 (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82)
 id 1dylQb-0001Tr-OA; Sun, 01 Oct 2017 23:05:34 +0200
Date: Sun, 1 Oct 2017 21:05:27 +0000
From: ng0 <ng0@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1
 content hashes fail
Message-ID: <20171001210527.ym24ubylu7mh5huv@abyayala>
References: <877ewf18d4.fsf@HIDDEN> <87wp4e8yk5.fsf@HIDDEN>
 <20171001204237.GA11804@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="swcmruvmsvfrdmgs"
Content-Disposition: inline
In-Reply-To: <20171001204237.GA11804@HIDDEN>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org, Jan Nieuwenhuizen <janneke@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--swcmruvmsvfrdmgs
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Leo Famulari transcribed 2.3K bytes:
> On Sun, Oct 01, 2017 at 09:20:42PM +0200, Jan Nieuwenhuizen wrote:
> > Jan Nieuwenhuizen writes:
> >=20
> > The changing of the libgit-0.26.0 checksum was already reported about 3
> > weeks ago (github seems to only show relative dates)
> >=20
> >     https://github.com/libgit2/libgit2/issues/4343
> >=20
> > and the bug is still open.  It seems to be a github thing.  As I
> > understand it, currently our options are to update the hash and pray it
> > won't happen again or host libgit2 tarballs ourselves.
>=20
> I contacted GitHub about this issue a few weeks ago and they said that:
>=20
> 1) They do not guarantee bit-reproducibility of the snapshots they
> generate automatically for each release tag, and they wish that people
> would not rely on them as we do. However, since people *are* relying on
> them, they are discussing this issue internally.
> 2) This is the relevant code change:
> https://git.kernel.org/pub/scm/git/git.git/commit/?id=3D22f0dcd9634a818a0=
c83f23ea1a48f2d620c0546
>=20
> In the meantime, we can add this to the list of reasons that
> reproducibility is difficult in the long term.
>=20
> I don't have any solutions in mind besides keeping substitutes available
> for as long as possible and, for users, using substitutes. We might also
> petition upstream projects to offer a "real" release tarball.

Given that we depend on this for our core functionality,
can't we just keep this on our ftp directory at gnu.org
as a fall-back source in a list?

--=20
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://krosos.org/dist/keys/
https://www.infotropique.org https://krosos.org

--swcmruvmsvfrdmgs
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlnRWJcACgkQ4i+bv+40
hYjWWw//Zx+EuYTMEF/nA1o+WwMFjKsZo/kL6zfNektqIsLJSbGkYCUIrAn3Jkur
bL4FJxj4BMxkNHtkkVkUyhYVMalORoJaL0cAr6d/JQkzZswJHkjkzloIgbSdvRpz
PR2u7gIu9DKqs5fE8fbBTYfrm/VwIgmxoZS5Wb8zt/iC5+yZ3+D3PxiU1ujFMtY9
POivSdWH68KsZBw31dQuEoBINWVhwVc2csRloyHjngsxew983usD25rfJJadR1qP
Jm/yjOUmYqqrAfQr0LbHXs+C4Nfj8GL+c05JwgNEC/+6yaCc/Dp0Fa7QyOPbepCI
8hY2XOmTP6AjdQH7WCBwOh/7ZILlhENvOEs6CyW6qeRZgBze/0pvV/lXwbGhbGzF
tqjS/SVieTuaPmQwdLZ2KvKh49bVWVsa56KM2uK0uOl8hobShBHy5VnbHgtgTmea
eVqz1HKKDyjTg+Uzk++jKs7CwYA25BLD8mHqD1Hyg4UAIQtmM1KPmOhPsUuvt7x2
dKmSJiAZlaBTML+uoQ+Yt7Dg/GvM5HDrY6iOVwHvkCbUGuwrArxHXFFBLZ84DkWH
c86aCebP9wUqEJvogDEvq4XPBVDyLu35KBLZrLfEARtXE5DbWQ7D9MjyNkS9ely+
72dmfviu+CJbKFi8GKZvDbnHGeAXWSU31sGGqNCzR4FidUTTVv4=
=lMkG
-----END PGP SIGNATURE-----

--swcmruvmsvfrdmgs--




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 1 Oct 2017 20:43:11 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Oct 01 16:43:11 2017
Received: from localhost ([127.0.0.1]:43157 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dyl4x-0005yl-BR
	for submit <at> debbugs.gnu.org; Sun, 01 Oct 2017 16:43:11 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:52655)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1dyl4v-0005yc-Lc
 for 28659 <at> debbugs.gnu.org; Sun, 01 Oct 2017 16:43:10 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id D7BAE2064D;
 Sun,  1 Oct 2017 16:43:08 -0400 (EDT)
Received: from frontend2 ([10.202.2.161])
 by compute4.internal (MEProxy); Sun, 01 Oct 2017 16:43:08 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=mesmtp; bh=2k+RVcWP0aYb2httTw25HjuBAhrdvLT5W182CD
 yvLes=; b=KNXZhCWG4Bi4tDWcAr6fxdQE5D2Kvx/AmG8c3qXWm5+UluFQOapwCq
 Y9HxzToOo4R5PoLFAD1OFORopE+beX9+a+5Dhf5bILsOosk47Np9NiByJwoj0Uep
 0BOVobwm9r9qMs2oQNCJCJ3nfO1UpTYfUnvIEKButasjjCyIru4UU=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=2k+RVcWP0aYb2httTw
 25HjuBAhrdvLT5W182CDyvLes=; b=USYoezVLrdZEkfx7DkWNfrS1YQddooiynO
 2l5e5EoErT8gaQB4+UG0A9O6oUF5215FBu5MMwAIhtwEeZTkxL8meLlxACOznQRh
 fLg5X1gMr5ZRWF2oBSqHdFsAVeoqvOt954R4UXjdxwejP3df47nHLfpMqvCcTUFf
 7ZPai++Szihazvlp4xX9yE7ikiJYX3XLfQS5mFeAS9JqfjCZWz5n1RBZcl94/gF9
 F+3ZirB/tQ7L/cJkDsQf7yUrIYFaiBTJ/SFqK+fJ6NikMR4txH6tdeNcuyGHST27
 lO9QHllf9+6broAdrS8wnBUm9U2I4kLeIqB08kjUd70ivqrjNBug==
X-ME-Sender: <xms:XFPRWWlp1bas1Onq0ZV7LzkZYPXMXLF6RMsS1PHNseYFU_Jm7M55rw>
X-Sasl-enc: rtnpa7B2o+RchyHPo/pYQ1m6Lf9VpnyfiQea5QFfeuOw 1506890588
Received: from localhost (unknown [172.58.201.79])
 by mail.messagingengine.com (Postfix) with ESMTPA id 88D172489C;
 Sun,  1 Oct 2017 16:43:08 -0400 (EDT)
Date: Sun, 1 Oct 2017 16:42:37 -0400
From: Leo Famulari <leo@HIDDEN>
To: Jan Nieuwenhuizen <janneke@HIDDEN>
Subject: Re: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1
 content hashes fail
Message-ID: <20171001204237.GA11804@HIDDEN>
References: <877ewf18d4.fsf@HIDDEN>
 <87wp4e8yk5.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="wRRV7LY7NUeQGEoC"
Content-Disposition: inline
In-Reply-To: <87wp4e8yk5.fsf@HIDDEN>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 28659
Cc: 28659 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--wRRV7LY7NUeQGEoC
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Oct 01, 2017 at 09:20:42PM +0200, Jan Nieuwenhuizen wrote:
> Jan Nieuwenhuizen writes:
>=20
> The changing of the libgit-0.26.0 checksum was already reported about 3
> weeks ago (github seems to only show relative dates)
>=20
>     https://github.com/libgit2/libgit2/issues/4343
>=20
> and the bug is still open.  It seems to be a github thing.  As I
> understand it, currently our options are to update the hash and pray it
> won't happen again or host libgit2 tarballs ourselves.

I contacted GitHub about this issue a few weeks ago and they said that:

1) They do not guarantee bit-reproducibility of the snapshots they
generate automatically for each release tag, and they wish that people
would not rely on them as we do. However, since people *are* relying on
them, they are discussing this issue internally.
2) This is the relevant code change:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=3D22f0dcd9634a818a0c8=
3f23ea1a48f2d620c0546

In the meantime, we can add this to the list of reasons that
reproducibility is difficult in the long term.

I don't have any solutions in mind besides keeping substitutes available
for as long as possible and, for users, using substitutes. We might also
petition upstream projects to offer a "real" release tarball.

--wRRV7LY7NUeQGEoC
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlnRUzkACgkQJkb6MLrK
fwhr1xAA78npB7SsOoIdkY6pt3QabOHBLwUA7TuKWUphJgBMatzrRf463tO+t6/Z
roQmwZKMJ+AvstOWn/EjYNC1W8ujtlkadsAIPUgDWctAun+rHbxM9DQfTowlgX+t
DnblMcArv3BzRTaV5WQYmizBq6yUl9Tf3Su7/RWMUyfgrSkvBPR0ueNaq3hoqL7d
DuWvYSk9d0VIar6SLi+BcCXRLEHWYx4u+HzP0n4tXMp2HUlZL/3MdaDXeOTv1Kiz
mYf04jq2LlCXzYDZrFJeGrRJU94n/NOOjRZfxDmuDZQUMpOMP+3f3u9wHOigVQeP
iKmjhgaxjc5nJPDzHBkIfsVg8z9jOr6VUG5/Xs/+1dO1k77ccCjN9NEQ/TPMfnWj
WIQ/kyIAvEl4vVsPUlgn8WhrDZ0AcQGxmZz2XjHBIRlS6QGKEbdLtyx5V9JtRYLe
21iNf1KwDt2pce4YbaDyW+w8ilPLSUEKaP/2zQdBX5Svoaa1DwkXADsyoqBPXvUa
QxVzLukpfdhSqvPUyBvshvQTv9ByUuNqYHyW70Kuxe2Z1Q0ARe90+6YuuE06/yLc
bTA1mnVZt2ciK2omSVqsF+m7m8RIabPL8Ad+us0P6XfmhiYZMewd36yEbMf1+VC8
IjNGzB7Jo4wJ1BGLPglDndn3XXio8obB9iPNdQy4LyApM/2NYlE=
=fiPX
-----END PGP SIGNATURE-----

--wRRV7LY7NUeQGEoC--




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at 28659 <at> debbugs.gnu.org:


Received: (at 28659) by debbugs.gnu.org; 1 Oct 2017 19:21:10 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Oct 01 15:21:10 2017
Received: from localhost ([127.0.0.1]:43128 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dyjnV-0003ww-Q7
	for submit <at> debbugs.gnu.org; Sun, 01 Oct 2017 15:21:10 -0400
Received: from eggs.gnu.org ([208.118.235.92]:48646)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <janneke@HIDDEN>) id 1dyjnT-0003w7-VW
 for 28659 <at> debbugs.gnu.org; Sun, 01 Oct 2017 15:21:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <janneke@HIDDEN>) id 1dyjnL-0002LF-JG
 for 28659 <at> debbugs.gnu.org; Sun, 01 Oct 2017 15:20:58 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:52442)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <janneke@HIDDEN>)
 id 1dyjnA-0002BL-Lw; Sun, 01 Oct 2017 15:20:44 -0400
Received: from peder.onsbrabantnet.nl ([88.159.206.46]:47348
 helo=dundal.peder.onsbrabantnet.nl)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <janneke@HIDDEN>)
 id 1dyjnA-0004Zm-5e; Sun, 01 Oct 2017 15:20:44 -0400
From: Jan Nieuwenhuizen <janneke@HIDDEN>
To: 28659 <at> debbugs.gnu.org
Subject: Re: bug#28659: v0.13: guix pull fails;
 libgit2-0.26.0 and 0.25.1 content hashes fail
References: <877ewf18d4.fsf@HIDDEN>
Date: Sun, 01 Oct 2017 21:20:42 +0200
In-Reply-To: <877ewf18d4.fsf@HIDDEN> (Jan Nieuwenhuizen's message of "Sun, 01
 Oct 2017 12:16:07 +0200")
Message-ID: <87wp4e8yk5.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 28659
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

Jan Nieuwenhuizen writes:

The changing of the libgit-0.26.0 checksum was already reported about 3
weeks ago (github seems to only show relative dates)

    https://github.com/libgit2/libgit2/issues/4343

and the bug is still open.  It seems to be a github thing.  As I
understand it, currently our options are to update the hash and pray it
won't happen again or host libgit2 tarballs ourselves.

--=20
Jan Nieuwenhuizen <janneke@HIDDEN> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar=C2=AE http://AvatarAcademy.com




Information forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 1 Oct 2017 10:16:44 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Oct 01 06:16:44 2017
Received: from localhost ([127.0.0.1]:41774 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dybIc-0000y1-8e
	for submit <at> debbugs.gnu.org; Sun, 01 Oct 2017 06:16:44 -0400
Received: from eggs.gnu.org ([208.118.235.92]:54000)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <janneke@HIDDEN>) id 1dybIa-0000xo-1h
 for submit <at> debbugs.gnu.org; Sun, 01 Oct 2017 06:16:36 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <janneke@HIDDEN>) id 1dybIT-0004Gy-LC
 for submit <at> debbugs.gnu.org; Sun, 01 Oct 2017 06:16:30 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:49397)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <janneke@HIDDEN>) id 1dybIT-0004Gk-HS
 for submit <at> debbugs.gnu.org; Sun, 01 Oct 2017 06:16:29 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44892)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <janneke@HIDDEN>) id 1dybIR-00024A-Rj
 for bug-guix@HIDDEN; Sun, 01 Oct 2017 06:16:29 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <janneke@HIDDEN>) id 1dybIO-0004BR-2q
 for bug-guix@HIDDEN; Sun, 01 Oct 2017 06:16:27 -0400
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:43915)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <janneke@HIDDEN>)
 id 1dybIA-00040P-FU; Sun, 01 Oct 2017 06:16:10 -0400
Received: from peder.onsbrabantnet.nl ([88.159.206.46]:44548
 helo=dundal.peder.onsbrabantnet.nl)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <janneke@HIDDEN>)
 id 1dybI9-0002hQ-Px; Sun, 01 Oct 2017 06:16:10 -0400
From: Jan Nieuwenhuizen <janneke@HIDDEN>
To: bug-guix@HIDDEN
Subject: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1 content hashes fail
Date: Sun, 01 Oct 2017 12:16:07 +0200
Message-ID: <877ewf18d4.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

Hi!

As reported by laertus on irc[0]: guix pull on 0.13 without substitutes fai=
ls

      guix pull

    Starting download of /tmp/guix-file.3r6cH0
    From https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz.=
..
     =E2=80=A6.tar.gz                                   5.7MiB/s 00:02 | 13=
.6MiB transferred
    unpacking '/gnu/store/sginfwnrcfqn1far31gmzlaffd8xlxyy-guix-latest.tar.=
gz'...

    Starting download of /gnu/store/c3npgqn9ag2ypi9bda1g779wwwlcqqrf-libgit=
2-0.25.1.tar.gz
    From https://github.com/libgit2/libgit2/archive/v0.25.1.tar.gz...
    following redirection to `https://codeload.github.com/libgit2/libgit2/t=
ar.gz/v0.25.1'...
     v0.25.1                                     6.1MiB/s 00:01 | 4.1MiB tr=
ansferred
    output path `/gnu/store/c3npgqn9ag2ypi9bda1g779wwwlcqqrf-libgit2-0.25.1=
.tar.gz' should have sha256 hash `1cdwcw38frc1wf28x5ppddazv9hywc718j92f3xa3=
ybzzycyds3s', instead has `0ywcxw1mwd56c8qc14hbx31bf198gxck3nja3laxyglv7l57=
qp26'
    cannot build derivation `/gnu/store/z1ky970mnamnbairnpyxxb72qnc485zq-li=
bgit2-0.25.1.drv': 1 dependencies couldn't be built
    cannot build derivation `/gnu/store/rl7ms8rmbywvydy4qf656g1sdfxafb7r-gu=
ile-git-0.0-2.06f9fc3.drv': 1 dependencies couldn't be built
    guix pull: error: build failed: build of `/gnu/store/rl7ms8rmbywvydy4qf=
656g1sdfxafb7r-guile-git-0.0-2.06f9fc3.drv' failed

because the libgit2-0.25.1 content hash does not check out.

I verified this on version-0.13.  The same goes for 0.26.0 on master

    $ guix build -S libgit2 --no-substitutes
    The following derivations will be built:
       /gnu/store/5szrmzmfgxk6pylk5fh9bk8apj4x8axf-libgit2-0.26.0.tar.xz.drv
       /gnu/store/mgh4yjxkxfyqmc7c61vwq4vs8v837602-libgit2-0.26.0.tar.gz.drv
    @ build-started /gnu/store/mgh4yjxkxfyqmc7c61vwq4vs8v837602-libgit2-0.2=
6.0.tar.gz.drv - x86_64-linux /var/log/guix/drvs/mg//h4yjxkxfyqmc7c61vwq4vs=
8v837602-libgit2-0.26.0.tar.gz.drv.bz2

    Starting download of /gnu/store/53lj4z9cavl7n27r89zjnvyd8fk854kj-libgit=
2-0.26.0.tar.gz
    From https://github.com/libgit2/libgit2/archive/v0.26.0.tar.gz...
    following redirection to `https://codeload.github.com/libgit2/libgit2/t=
ar.gz/v0.26.0'...
     v0.26.0  4.5MiB                    3.1MiB/s 00:01 [###################=
#] 100.0%
    sha256 hash mismatch for output path `/gnu/store/53lj4z9cavl7n27r89zjnv=
yd8fk854kj-libgit2-0.26.0.tar.gz'
      expected: 1fdk9yhwvl1w1z71ykzcvgh4nsf8scxcbclz5anh98zpplmhmisa
      actual:   1b3figbhp5l83vd37vq6j2narrq4yl9pfw6mw0px0dzb1hz3jqka
    @ build-failed /gnu/store/mgh4yjxkxfyqmc7c61vwq4vs8v837602-libgit2-0.26=
.0.tar.gz.drv - 1 sha256 hash mismatch for output path `/gnu/store/53lj4z9c=
avl7n27r89zjnvyd8fk854kj-libgit2-0.26.0.tar.gz'
      expected: 1fdk9yhwvl1w1z71ykzcvgh4nsf8scxcbclz5anh98zpplmhmisa
      actual:   1b3figbhp5l83vd37vq6j2narrq4yl9pfw6mw0px0dzb1hz3jqka
    cannot build derivation `/gnu/store/5szrmzmfgxk6pylk5fh9bk8apj4x8axf-li=
bgit2-0.26.0.tar.xz.drv': 1 dependencies couldn't be built
    guix build: error: build failed: build of `/gnu/store/5szrmzmfgxk6pylk5=
fh9bk8apj4x8axf-libgit2-0.26.0.tar.xz.drv' failed

I found no apparent difference in the content

    -r--r--r-- 1 janneke janneke  4252130 Oct  1 09:08 c3npgqn9ag2ypi9bda1g=
779wwwlcqqrf-libgit2-0.25.1.tar.gz
    -rw-r--r-- 1 janneke janneke  4252139 Oct  1 09:09 NEW-c3npgqn9ag2ypi9b=
da1g779wwwlcqqrf-libgit2-0.25.1.tar.gz
    -rw-r--r-- 1 janneke janneke 16363520 Oct  1 09:14 c3npgqn9ag2ypi9bda1g=
779wwwlcqqrf-libgit2-0.25.1.tar
    -rw-r--r-- 1 janneke janneke 16363520 Oct  1 09:14 NEW-c3npgqn9ag2ypi9b=
da1g779wwwlcqqrf-libgit2-0.25.1.tar

but there's this difference between the tar balls...

    12:13:57 janneke@dundal:~/src/guix-0.13=20
    $ cmp -l c3npgqn9ag2ypi9bda1g779wwwlcqqrf-libgit2-0.25.1.tar NEW-c3npgq=
n9ag2ypi9bda1g779wwwlcqqrf-libgit2-0.25.1.tar
    13122049   0 157
    13122050   0 162
    13122051   0 151
    13122052   0 147
    13122053   0 151
    13122054   0 156
    13122055   0  57
    13122490  57   0
    13122491 157   0
    13122492 162   0
    13122493 151   0
    13122494 147   0
    13122495 151   0
    13122496 156   0
    13270529   0 157
    13270530   0 162
    13270531   0 151
    13270532   0 147
    13270533   0 151
    13270534   0 156
    13270535   0  57
    13270972  57   0
    13270973 157   0
    13270974 162   0
    13270975 151   0
    13270976 147   0
    13270977 151   0
    13270978 156   0
    13294081   0 157
    13294082   0 162
    13294083   0 151
    13294084   0 147
    13294085   0 151
    13294086   0 156
    13294087   0  57
    13294519  57   0
    13294520 157   0
    13294521 162   0
    13294522 151   0
    13294523 147   0
    13294524 151   0
    13294525 156   0

janneke

[0] https://gnunet.org/bot/log/guix/2017-10-01#T1517584

--=20
Jan Nieuwenhuizen <janneke@HIDDEN> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar=C2=AE http://AvatarAcademy.com




Acknowledgement sent to Jan Nieuwenhuizen <janneke@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#28659; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Mon, 25 Nov 2019 12:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.