Re: How do I verify my hashes?
From: Vagrant Cascadian
Subject: Re: How do I verify my hashes?
Date: Sat, 09 Jul 2022 21:13:08 -0700
On 2022-07-09, jgart@dismail.de wrote:
> Today Bonface mentioned to me that I should be cloning my packages and
> verifying the hashes with `git hash-object` or `git hash` iirc?
probably "guix hash"
> Do others do this when packaging?
>
> My workflow currently is the lazy way:
>
> 1. I change the version in the package definition.
>
> 2. build the package
>
> 3. package blows up on stdout
>
> 4. I retrieve the hash and add it
>
> 5. profit!
Profit, for whom? Whoever injected the cryptocurrency malware? :P
My workflow for git-based things is typically:
1. git clone https://example.org/someproject.git && cd someproject
2. git co -b VERSION-local VERSION
3. git diff OLDVERSION..NEWVERSION
4. git clean -dfx # make sure the working tree is totally clean
5. guix hash -rx .
Step 3, even if I don't completely understand the code, I can at least
check for (problematic) license changes or maybe something "obviously"
wrong.
Similar steps for tarball-based projects, though you may need to unpack
and/or diffoscope the sources for step 3.
I don't have a good idea how to verify pypi or similar origins... but
you could at least double-check the sources of the old and new versions
with something like:
1. guix build --source # before you update the hash
2. update version, build, get new hash, update hash ...
3. guix build --source # after updating the hash
4. diffoscope OLDSOURCE NEWSOURCE
And do a best effort check for issues...
live well,
vagrant
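To make concrete what step 5 of the git workflow above actually hashes, here is an added example (not part of the original message and not Guix's own code) that reimplements what `guix hash -rx DIR` computes: the SHA-256 of the Nix archive ("nar") serialisation of the directory, with the version-control directory skipped, printed in nix-base32. It then builds a constructed source tree and shows why `git clean -dfx` matters: an untracked build artifact left in the tree changes the hash, and so does including `.git`. Assumptions: only `.git` is excluded (the real `-x` also skips other VCS directories such as `.hg` and `.svn`), and the file names and contents are made up for the demonstration.

```python
"""Reimplementation of the recursive hash behind `guix hash -rx`.

Added example, not Guix's code.  Assumption: only ".git" is treated as a
VCS directory; the real tool excludes several others as well.
"""
import hashlib
import os
import stat
import struct
import tempfile

VCS_DIRS = {".git"}  # assumption: enough for a plain git checkout


def _str(data: bytes) -> bytes:
    """Nar string: 8-byte little-endian length, payload, zero-padded to a multiple of 8."""
    pad = (-len(data)) % 8
    return struct.pack("<Q", len(data)) + data + b"\0" * pad


def _serialise(path: str, exclude_vcs: bool) -> bytes:
    """Serialise one filesystem object (file, symlink or directory) as a nar node."""
    out = _str(b"(")
    if os.path.islink(path):
        out += _str(b"type") + _str(b"symlink")
        out += _str(b"target") + _str(os.readlink(path).encode())
    elif os.path.isdir(path):
        out += _str(b"type") + _str(b"directory")
        # nar orders entries by byte-wise name, so the hash is independent of
        # the order the filesystem happens to return them in
        for name in sorted(os.listdir(path), key=lambda n: n.encode()):
            if exclude_vcs and name in VCS_DIRS:
                continue
            out += _str(b"entry") + _str(b"(") + _str(b"name") + _str(name.encode())
            out += _str(b"node") + _serialise(os.path.join(path, name), exclude_vcs)
            out += _str(b")")
    else:
        out += _str(b"type") + _str(b"regular")
        if os.stat(path).st_mode & stat.S_IXUSR:
            # the execute bit is part of the serialisation; other mode bits are not
            out += _str(b"executable") + _str(b"")
        with open(path, "rb") as f:
            out += _str(b"contents") + _str(f.read())
    return out + _str(b")")


def nar_bytes(path: str, exclude_vcs: bool = True) -> bytes:
    """Full nar archive of PATH: magic header followed by the root node."""
    return _str(b"nix-archive-1") + _serialise(path, exclude_vcs)


def nix_base32(digest: bytes) -> str:
    """Nix/Guix base32: custom alphabet, 5-bit groups emitted most-significant first."""
    alphabet = "0123456789abcdfghijklmnpqrsvwxyz"
    n = len(digest)
    length = (n * 8 - 1) // 5 + 1  # 52 characters for a 32-byte SHA-256
    chars = []
    for pos in range(length - 1, -1, -1):
        bit = pos * 5
        i, j = divmod(bit, 8)
        c = digest[i] >> j
        if i + 1 < n:
            c |= digest[i + 1] << (8 - j)
        chars.append(alphabet[c & 0x1F])
    return "".join(chars)


def recursive_hash(path: str, exclude_vcs: bool = True) -> str:
    """What `guix hash -r` (with -x when exclude_vcs is True) prints for PATH."""
    return nix_base32(hashlib.sha256(nar_bytes(path, exclude_vcs)).digest())


def demo() -> dict:
    """Hash a constructed checkout under several conditions and return the results."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "someproject")  # constructed tree, not a real project
        os.makedirs(os.path.join(src, ".git", "objects"))
        with open(os.path.join(src, ".git", "HEAD"), "w") as f:
            f.write("ref: refs/heads/main\n")
        with open(os.path.join(src, "main.c"), "w") as f:
            f.write("int main(void) { return 0; }\n")
        with open(os.path.join(src, "configure"), "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(os.path.join(src, "configure"), 0o755)

        clean = recursive_hash(src)                       # guix hash -rx .
        with_git = recursive_hash(src, exclude_vcs=False)  # guix hash -r . (no -x)
        # an untracked artifact left behind by a trial build
        with open(os.path.join(src, "main.o"), "wb") as f:
            f.write(b"\x7fELF")
        dirty = recursive_hash(src)
        os.remove(os.path.join(src, "main.o"))            # what `git clean -dfx` does
        after_clean = recursive_hash(src)
    return {"clean": clean, "with_git": with_git, "dirty": dirty, "after_clean": after_clean}


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:12} {value}")
```

Running it prints four hashes: `clean` and `after_clean` are identical, while `dirty` and `with_git` differ from them, which is exactly why the working tree must be clean and `.git` excluded before the hash is taken. To cross-check the reimplementation, run `guix hash -rx .` on the same directory with only a `.git` VCS directory present; the two should agree.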