GNU bug report logs

#28659 Content-addressed mirror is not used upon invalid hash

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #14 received at 28659@debbugs.gnu.org (full text, mbox, reply):

Received: (at 28659) by debbugs.gnu.org; 1 Oct 2017 21:05:50 +0000
From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 01 17:05:50 2017
Received: from localhost ([127.0.0.1]:43164 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1dylQp-0006X9-9T
	for submit@debbugs.gnu.org; Sun, 01 Oct 2017 17:05:50 -0400
Received: from aibo.runbox.com ([91.220.196.211]:36830)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ng0@infotropique.org>) id 1dylQn-0006X1-8I
 for 28659@debbugs.gnu.org; Sun, 01 Oct 2017 17:05:45 -0400
Received: from [10.9.9.210] (helo=mailfront10.runbox.com)
 by mailtransmit02.runbox with esmtp (Exim 4.86_2)
 (envelope-from <ng0@infotropique.org>)
 id 1dylQj-0007kf-A2; Sun, 01 Oct 2017 23:05:41 +0200
Received: from tor-exit-4.all.de ([212.21.66.6] helo=localhost)
 by mailfront10.runbox.com with esmtpsa (uid:892961 )
 (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82)
 id 1dylQb-0001Tr-OA; Sun, 01 Oct 2017 23:05:34 +0200
Date: Sun, 1 Oct 2017 21:05:27 +0000
From: ng0 <ng0@infotropique.org>
To: Leo Famulari <leo@famulari.name>
Subject: Re: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1
 content hashes fail
Message-ID: <20171001210527.ym24ubylu7mh5huv@abyayala>
References: <877ewf18d4.fsf@gnu.org> <87wp4e8yk5.fsf@gnu.org>
 <20171001204237.GA11804@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="swcmruvmsvfrdmgs"
Content-Disposition: inline
In-Reply-To: <20171001204237.GA11804@jasmine.lan>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 28659
Cc: 28659@debbugs.gnu.org, Jan Nieuwenhuizen <janneke@gnu.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

[Message part 1 (text/plain, inline)]
Leo Famulari transcribed 2.3K bytes:
> On Sun, Oct 01, 2017 at 09:20:42PM +0200, Jan Nieuwenhuizen wrote:
> > Jan Nieuwenhuizen writes:
> > 
> > The changing of the libgit-0.26.0 checksum was already reported about 3
> > weeks ago (github seems to only show relative dates)
> > 
> >     https://github.com/libgit2/libgit2/issues/4343
> > 
> > and the bug is still open.  It seems to be a github thing.  As I
> > understand it, currently our options are to update the hash and pray it
> > won't happen again or host libgit2 tarballs ourselves.
> 
> I contacted GitHub about this issue a few weeks ago and they said that:
> 
> 1) They do not guarantee bit-reproducibility of the snapshots they
> generate automatically for each release tag, and they wish that people
> would not rely on them as we do. However, since people *are* relying on
> them, they are discussing this issue internally.
> 2) This is the relevant code change:
> https://git.kernel.org/pub/scm/git/git.git/commit/?id=22f0dcd9634a818a0c83f23ea1a48f2d620c0546
> 
> In the meantime, we can add this to the list of reasons that
> reproducibility is difficult in the long term.
> 
> I don't have any solutions in mind besides keeping substitutes available
> for as long as possible and, for users, using substitutes. We might also
> petition upstream projects to offer a "real" release tarball.

Given that we depend on this for our core functionality,
can't we just keep this on our ftp directory at gnu.org
as a fall-back source in a list?

-- 
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://krosos.org/dist/keys/
https://www.infotropique.org https://krosos.org

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Mon Sep 8 01:21:22 2025; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.