Stale bootstrap/*/guile-2.0.9.tar.xz files are not detected

> I just realized that my x86_64 and Loongson 3A systems have spent an

> enormous amount of time building the new guix master branch based on

> outdated bootstrap/*/guile-2.0.9.tar.xz.

> I just realized that my x86_64 and Loongson 3A systems have spent an

> enormous amount of time building the new guix master branch based on

> outdated bootstrap/*/guile-2.0.9.tar.xz.

>

> The issue is that if you simply "git pull" from a build directory with

> older versions of bootstrap/*/guile-2.0.9.tar.xz, although the various

> places where the hashes are stored are updated, those new hashes are

> never checked against the existing files. Therefore, you can proceed to

> build an entire system based on an outdated bootstrap guile, and with

> hashes that don't match what's on hydra and what other people are

> building.

> Mark H Weaver <mhw@netris.org> skribis:

>

>> I just realized that my x86_64 and Loongson 3A systems have spent an

>> enormous amount of time building the new guix master branch based on

>> outdated bootstrap/*/guile-2.0.9.tar.xz.

>>

>> The issue is that if you simply "git pull" from a build directory with

>> older versions of bootstrap/*/guile-2.0.9.tar.xz, although the various

>> places where the hashes are stored are updated, those new hashes are

>> never checked against the existing files. Therefore, you can proceed to

>> build an entire system based on an outdated bootstrap guile, and with

>> hashes that don't match what's on hydra and what other people are

>> building.

>

> Right, ‘guix pull’ doesn’t survive updates of the bootstrap Guile

> tarballs, because it doesn’t try to download it (see ‘build-guix’ in

> guix/build/pull.scm.) That’s rare in practice, but still a serious

> limitation as you note. :-/

> There are other things to do in ‘guix pull’, such as authentication, and

> improved bandwidth usage. For the latter an option would be to resort

> to git, and perhaps for the former too.

> ludo@gnu.org (Ludovic Courtès) writes:

>

>> Mark H Weaver <mhw@netris.org> skribis:

>>

>>> I just realized that my x86_64 and Loongson 3A systems have spent an

>>> enormous amount of time building the new guix master branch based on

>>> outdated bootstrap/*/guile-2.0.9.tar.xz.

>>>

>>> The issue is that if you simply "git pull" from a build directory with

>>> older versions of bootstrap/*/guile-2.0.9.tar.xz, although the various

>>> places where the hashes are stored are updated, those new hashes are

>>> never checked against the existing files. Therefore, you can proceed to

>>> build an entire system based on an outdated bootstrap guile, and with

>>> hashes that don't match what's on hydra and what other people are

>>> building.

>>

>> Right, ‘guix pull’ doesn’t survive updates of the bootstrap Guile

>> tarballs, because it doesn’t try to download it (see ‘build-guix’ in

>> guix/build/pull.scm.) That’s rare in practice, but still a serious

>> limitation as you note. :-/

>

> Hmm, yes, I suppose that "guix pull" is more relevant for typical users,

> but actually that's not what I was talking about above. I was talking

> about "git pull" followed by "make".