Ludovic Courtès writes: > Right. Jan suggested checking the content-addressed mirrors *before* > the real upstream address. That would address the problem of upstream > sources modified in-place, but at the cost of privacy/self-sufficiency > as you note. (Though it’s not really making “privacy” any worse in this > case: it’s gnu.org vs. github.com.) Yes, that may not preferrable in general without override. > Perhaps we should make content-addressed mirrors configurable in a way > that’s orthogonal to derivations, something similar in spirit to > --substitute-urls? The difficulty is that content-addressed mirrors are > not just URLs; see (guix download). Hmm. I'm not sure what problem we are solving. Should we only do this for github(-like) tarballs? Do we see this problem with other sources, should we prevent it? Possibly github will never do something like this again. Or we could banish github/gitlab(?) auto-generated tarballs and go for git checkouts+commits? janneke -- Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com