Leo Famulari wrote:

> On Mon, Oct 02, 2017 at 05:09:39PM +0200, Ludovic Courtès wrote:
>> What’s sad here is that we do have the right tarball at:
>>
>> https://mirror.hydra.gnu.org/file/libgit2-0.25.1.tar.gz/sha256/1cdwcw38frc1wf28x5ppddazv9hywc718j92f3xa3ybzzycyds3s

Just to be clear: this URL is not that of a substitute, but that of a content-addressed file (corresponding to the output of a fixed-output derivation).

> It seems to me that there are several reasons someone may choose not to
> use substitutes. Some of those reasons (reproducibility and security
> concerns) are obviated for fixed-output derivations like upstream
> sources, and I think it would be fine to still use substitutes for these
> derivations.
>
> But the motivations of privacy, self-sufficiency, etc. are not addressed
> by that idea.

Right. Jan suggested checking the content-addressed mirrors *before* the real upstream address. That would address the problem of upstream sources modified in-place, but at the cost of privacy/self-sufficiency as you note. (Though it’s not really making “privacy” any worse in this case: it’s gnu.org vs. github.com.)

Perhaps we should make content-addressed mirrors configurable in a way that’s orthogonal to derivations, something similar in spirit to --substitute-urls? The difficulty is that content-addressed mirrors are not just URLs; see (guix download).

Thoughts?

Ludo’.
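As an added illustration of the point made in the message above (example code written for this page, not part of the thread and not Guix's own `(guix download)` code): a fixed-output derivation pins the expected hash ahead of time, so a downloader can try content-addressed mirrors before upstream and still reject any host that serves altered bytes. The code assumes the mirror layout visible in the quoted URL, `<mirror>/file/<name>/sha256/<nix-base32 hash>`, implements the Nix/Guix base32 hash encoding, and injects a fetch function fed with constructed sample data (the "tarball" bytes and the upstream host are stand-ins, not real artifacts).

```python
import hashlib
import urllib.parse
from typing import Callable, Iterable, Tuple

# Alphabet used by Nix and Guix for base32 store hashes (e, o, t, u omitted).
NIX_BASE32_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32_encode(digest: bytes) -> str:
    """Encode raw hash bytes the way `guix hash` prints them (Nix base32).
    Groups of 5 bits are emitted most-significant group first."""
    length = (len(digest) * 8 - 1) // 5 + 1
    out = []
    for n in range(length - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_BASE32_ALPHABET[c & 0x1F])
    return "".join(out)


def nix_base32_decode(text: str, size: int = 32) -> bytes:
    """Inverse of nix_base32_encode; rejects characters outside the alphabet,
    wrong lengths, and leading groups carrying bits beyond `size` bytes."""
    if len(text) != (size * 8 - 1) // 5 + 1:
        raise ValueError("wrong nix-base32 length for %d-byte hash" % size)
    buf = bytearray(size)
    for n in range(len(text)):
        digit = NIX_BASE32_ALPHABET.index(text[len(text) - n - 1])
        i, j = divmod(n * 5, 8)
        buf[i] = (buf[i] | (digit << j)) & 0xFF
        if i + 1 < size:
            buf[i + 1] |= digit >> (8 - j)
        elif digit >> (8 - j):
            raise ValueError("nix-base32 string does not fit in %d bytes" % size)
    return bytes(buf)


def content_addressed_url(mirror: str, file_name: str, sha256_hex: str) -> str:
    """Build a URL in the layout seen in the thread (assumed, not an API):
    <mirror>/file/<file name>/sha256/<nix-base32 sha256>."""
    nix32 = nix_base32_encode(bytes.fromhex(sha256_hex))
    return "%s/file/%s/sha256/%s" % (
        mirror.rstrip("/"), urllib.parse.quote(file_name), nix32)


def fetch_fixed_output(candidates: Iterable[str], sha256_hex: str,
                       fetch: Callable[[str], bytes]) -> Tuple[str, bytes]:
    """Try each candidate URL in order; return the first payload whose SHA-256
    matches the pinned hash. A host serving altered content is skipped, so
    integrity does not depend on which mirror or upstream answered."""
    expected = bytes.fromhex(sha256_hex)
    for url in candidates:
        try:
            data = fetch(url)
        except OSError:
            continue  # unreachable host: move on to the next source
        if hashlib.sha256(data).digest() == expected:
            return url, data
    raise RuntimeError("no candidate served content matching the expected hash")


# Constructed sample: stand-in bytes, not a real libgit2 tarball.
SAMPLE_NAME = "libgit2-0.25.1.tar.gz"
SAMPLE_TARBALL = b"constructed stand-in for libgit2-0.25.1.tar.gz\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_TARBALL).hexdigest()
MIRROR = "https://mirror.hydra.gnu.org"
UPSTREAM = "https://example.invalid/upstream/" + SAMPLE_NAME  # placeholder host

# Constructed responses: the mirror holds the recorded bytes; the upstream
# file was re-rolled in place after the hash was recorded.
FAKE_RESPONSES = {
    content_addressed_url(MIRROR, SAMPLE_NAME, SAMPLE_SHA256): SAMPLE_TARBALL,
    UPSTREAM: SAMPLE_TARBALL + b"# re-rolled upstream tarball\n",
}


def fake_fetch(url: str) -> bytes:
    """Offline stand-in for an HTTP client."""
    if url not in FAKE_RESPONSES:
        raise OSError("unreachable: " + url)
    return FAKE_RESPONSES[url]


def demo() -> str:
    """Mirror first, upstream second (Jan's ordering); returns the URL used."""
    order = [content_addressed_url(MIRROR, SAMPLE_NAME, SAMPLE_SHA256), UPSTREAM]
    used, _ = fetch_fixed_output(order, SAMPLE_SHA256, fake_fetch)
    return used


def upstream_only_rejected() -> bool:
    """With only the modified upstream available, nothing matches the hash."""
    try:
        fetch_fixed_output([UPSTREAM], SAMPLE_SHA256, fake_fetch)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The ordering of `candidates` is the only place the privacy/self-sufficiency trade-off shows up: putting the mirror first means the mirror operator sees the request, but the hash check is the same whichever host is contacted, which is why substitution of fixed-output sources from a mirror costs nothing in integrity.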