From: ng0
To: Leo Famulari
Cc: 28659@debbugs.gnu.org, Jan Nieuwenhuizen
Date: Sun, 1 Oct 2017 21:05:27 +0000
Subject: Re: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1 content hashes fail

Leo Famulari transcribed 2.3K bytes:
> On Sun, Oct 01, 2017 at 09:20:42PM +0200, Jan Nieuwenhuizen wrote:
> > Jan Nieuwenhuizen writes:
> >
> > The changing of the libgit-0.26.0 checksum was already reported about 3
> > weeks ago (github seems to only show relative dates)
> >
> > https://github.com/libgit2/libgit2/issues/4343
> >
> > and the bug is still open. It seems to be a github thing. As I
> > understand it, currently our options are to update the hash and pray it
> > won't happen again or host libgit2 tarballs ourselves.
>
> I contacted GitHub about this issue a few weeks ago and they said that:
>
> 1) They do not guarantee bit-reproducibility of the snapshots they
> generate automatically for each release tag, and they wish that people
> would not rely on them as we do. However, since people *are* relying on
> them, they are discussing this issue internally.
> 2) This is the relevant code change:
> https://git.kernel.org/pub/scm/git/git.git/commit/?id=22f0dcd9634a818a0c83f23ea1a48f2d620c0546
>
> In the meantime, we can add this to the list of reasons that
> reproducibility is difficult in the long term.
>
> I don't have any solutions in mind besides keeping substitutes available
> for as long as possible and, for users, using substitutes. We might also
> petition upstream projects to offer a "real" release tarball.

Given that we depend on this for our core functionality, can't we just
keep this on our ftp directory at gnu.org as a fall-back source in a list?

-- 
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://krosos.org/dist/keys/
https://www.infotropique.org
https://krosos.org
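
An added example, not part of the original message and not Guix's own code: a sketch of the "fall-back source in a list" idea, showing why a regenerated snapshot of the same tree fails a pinned SHA-256 while a stored copy of the originally hashed bytes passes. The names `make_tarball`, `contents`, `fetch_verified` and all sample data are constructed for illustration.

```python
import gzip, hashlib, io, tarfile

def make_tarball(files, uname):
    """Constructed stand-in for a forge-generated snapshot of one release tag."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.uname = len(data), 0, uname
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(raw.getvalue(), mtime=0)

def contents(tarball):
    """Map member name -> bytes, i.e. the files a build would actually see."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers()}

def fetch_verified(sources, pinned_sha256):
    """Try sources in order; return (label, data, rejected) for the first
    whose bytes match the pin. Mismatching sources are never returned."""
    rejected = []
    for label, fetch in sources:
        data = fetch()
        digest = hashlib.sha256(data).hexdigest()
        if digest == pinned_sha256:
            return label, data, rejected
        rejected.append((label, digest))
    raise ValueError(f"no source matches {pinned_sha256}; rejected: {rejected}")

# Constructed sample data: one tree, archived twice with different tar metadata.
TREE = {"example-1.0/README": b"same source tree\n"}
AT_PACKAGING_TIME = make_tarball(TREE, uname="root")  # bytes the hash was pinned to
REGENERATED = make_tarball(TREE, uname="")            # archiver output changed later
PINNED = hashlib.sha256(AT_PACKAGING_TIME).hexdigest()

SOURCES = [
    ("forge snapshot (regenerated)", lambda: REGENERATED),
    ("project-hosted mirror copy", lambda: AT_PACKAGING_TIME),
]

if __name__ == "__main__":
    label, data, rejected = fetch_verified(SOURCES, PINNED)
    print("same files:", contents(REGENERATED) == contents(AT_PACKAGING_TIME))
    for name, digest in rejected:
        print("rejected:", name, digest)
    print("accepted:", label)
```

The pin stays the single trust anchor: the fallback only adds availability, since a mirror copy is accepted on exactly the same hash check as the primary source.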