Past and recent discussion in our IRC channel and on the mailing list show that we can not rely on tarballs on github keeping the same hash forever. According to github they are "generated on demand", leading to regular hash mismatches.
Since some of our own dependencies are on github (at the very least guile-git), we need to come up with a solution. Right now we have around 449 packages with tarball sources from github in our gnu/packages. We could: - Move them all to use git-download and just use the commit that has been tagged in the versions that produce the tarballs on github. - Mirror the content somewhere reliable in snapshots for some time. Problem here: we start to rely on this "somewhere" to be trustworthy and introduce one more point to trust (however due to pre-recorded hash sum this is just an annoyance, not a grave issue). - Your idea here. -- ng0 GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 GnuPG: https://dist.krosos.org/dist/keys/ https://www.infotropique.org https://krosos.org
signature.asc
Description: PGP signature
