On 25/05/16 10:23, Alex Sassmannshausen wrote: >> The first, is that the hash is required, which I only had to compute >> once, but if I wanted to change the package, I would have to update >> this, which is prohibitive to local development. As an improvement to >> this, could the hash be optional, and if it does not exist, be >> calculated when the build is performed? > > From my perspective, I think silently calculating a hash on the fly if > it is not provided would be problematic: it might lead to laziness in > completing the hash, which would undermine the security model of Guix > (if I understand correctly). > > But maybe an explicit flag setting the declaration to "dev-mode", might > be useful?
In the use case I described, where you are packaging a local resource, I don't think this is relevant, as you implicitly trust your own machine. If you don't for some reason, you can just specify the hash.
signature.asc
Description: OpenPGP digital signature
