On Mon, Oct 02, 2017 at 10:00:33PM +0200, Ludovic Courtès wrote: > Right. Jan suggested checking the content-addressed mirrors *before* > the real upstream address. That would address the problem of upstream > sources modified in-place, but at the cost of privacy/self-sufficiency > as you note. (Though it’s not really making “privacy” any worse in this > case: it’s gnu.org vs. github.com.)
Yeah, I don't personally think there is a privacy issue with fetching sources from our mirrors at gnu.org, or other domains we control. > Perhaps we should make content-addressed mirrors configurable in a way > that’s orthogonal to derivations, something similar in spirit to > --substitute-urls? The difficulty is that content-addressed mirrors are > not just URLs; see (guix download). > > Thoughts? I do think we should make it so that users don't suffer from unreliable upstream sources when we know the sources are available on our servers (or the Nix mirror), even with --no-substitutes.
signature.asc
Description: PGP signature
