help-guix

Re: Packaging packages with GPG signed source archives


From: ng0
Subject: Re: Packaging packages with GPG signed source archives
Date: Fri, 02 Sep 2016 12:46:41 +0000

Ludovic Courtès <address@hidden> writes:

> ng0 <address@hidden> skribis:
>
>> Ludovic Courtès <address@hidden> writes:
>>
>>> Hi,
>>>
>>> ng0 <address@hidden> skribis:
>>>
>>>> On the subject of git repos, I do not understand enough of the
>>>> git-download.scm at the moment to add this myself, but why don't we have
>>>> git-fsck in it as default?
>>>
>>> Dunno; what would it add?
>>>
>>> Ludo’.
>>
>> I don't understand enough of it, I only know someone else added it to
>> some project I contribute to.
>
> Guix ‘origin’ forms store the expected SHA256 of the checkout.  So
> every time we do a Git checkout, guix-daemon explicitly makes sure the
> checkout contents match the given SHA256.  IOW, we already have
> integrity checks built in Guix.  For this reason, I think ‘git fsck’
> wouldn’t provide any additional guarantee.
>
> Hope this makes sense!
>
> Ludo’.

I agree

…and wonder if I run into equal problems once I have done the guix
publish/pull/package via gnunet-fs as Nix is discussing for the
distributed system they are discussing to move to, where their problem
is that they need to convert all the hashes for when they'll move all
the sources into that network. I'll see when I get there.
-- 
ng0
For non-prism friendly talk find me on http://www.psyced.org
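
The check Ludovic describes, sketched as an added example that is not part of this thread and is not Guix's code: hash a checkout's contents deterministically and accept it only if the result equals the recorded SHA256. The function names and the sample tree are constructed, and the serialization is modelled on the nar layout without any claim of byte-compatibility with guix-daemon.

```python
import hashlib
import os
import struct
import tempfile


def _s(data: bytes) -> bytes:
    """Length-prefixed string, zero-padded to an 8-byte boundary."""
    return struct.pack("<Q", len(data)) + data + b"\0" * (-len(data) % 8)


def _node(path: str) -> bytes:
    """Serialize one file, symlink or directory; timestamps and owners are ignored."""
    out = _s(b"(") + _s(b"type")
    if os.path.islink(path):
        out += _s(b"symlink") + _s(b"target") + _s(os.fsencode(os.readlink(path)))
    elif os.path.isdir(path):
        out += _s(b"directory")
        for name in sorted(os.listdir(path), key=os.fsencode):  # fixed entry order
            out += (_s(b"entry") + _s(b"(") + _s(b"name") + _s(os.fsencode(name))
                    + _s(b"node") + _node(os.path.join(path, name)) + _s(b")"))
    else:
        out += _s(b"regular")
        if os.stat(path).st_mode & 0o100:  # only the owner-executable bit is recorded
            out += _s(b"executable") + _s(b"")
        with open(path, "rb") as fh:
            out += _s(b"contents") + _s(fh.read())
    return out + _s(b")")


def tree_sha256(root: str) -> str:
    """SHA256 (hex) over the serialized tree rooted at `root`."""
    return hashlib.sha256(_s(b"nix-archive-1") + _node(root)).hexdigest()


def verify_checkout(root: str, expected: str) -> bool:
    """Accept the checkout only if its content hash equals the recorded one."""
    return tree_sha256(root) == expected


def demo() -> dict:
    """Constructed sample checkout: record the hash, touch metadata, then edit a file."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "src"))
        target = os.path.join(d, "src", "main.c")
        with open(target, "w") as fh:
            fh.write("int main(void) { return 0; }\n")
        expected = tree_sha256(d)
        os.utime(target, (0, 0))  # metadata-only change, must not affect the hash
        unchanged = verify_checkout(d, expected)
        with open(target, "a") as fh:
            fh.write("/* changed after the hash was recorded */\n")
        return {"unchanged": unchanged, "modified": verify_checkout(d, expected)}
```

Because the hash covers every file's bytes, names and executable bit, any change to the checked-out contents fails the comparison regardless of the state of the Git object store.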


