Hi! Thanks for starting this discussion!
Simon Tournier <zimon.touto...@gmail.com> skribis: > For sure, we have to fix the holes and bugs. :-) However, I am asking > what we could add for having more robustness on the long term. > > It is not affordable, neither wanted, to switch from the current > extrinsic identification to a complete intrinsic one. Although it would > fix many issues. ;-) Sources (fixed-output derivations) are already content-addressed, by definition (I prefer “content addressing” over “intrinsic identification” because that’s a more widely recognized term). In a way, like Maxime way saying, the URL/URI is just a hint; what matters it the content hash that appears in the origin. So it seems to me that the basics are already in place. What’s missing, both in SWH and in Guix, is the ability to store multiple hashes. SWH could certainly store several hashes, computed using different serialization and hash algorithm combinations. This is what you suggested at <https://gitlab.softwareheritage.org/swh/meta/-/issues/4538>; it was also discussed in the thread at <https://sympa.inria.fr/sympa/arc/swh-devel/2016-07/msg00019.html>. It would be awesome if SWH would store Nar hashes; that would solve all our problems, as you explained. The other option—storing multiple hashes for each origin in Guix—doesn’t sound practical: I can’t imagine packages storing and updating more than one content hash per package. That doesn’t sound reasonable. Plus it would be a long-term solution and wouldn’t help today. Thoughts? Ludo’.
