> Also, in (info "(guix) origin Reference") I see that Guix packages can have a
> list of uri(s) for the origin of source code, see xz as an example [7]:
> are they intended to be multiple independent sources to be compared in
> order to prevent possible tampering or are they "just" alternatives to
> be used if the first listed uri is unavailable?
A source origin is identified by its cryptographic hash (stored in its sha256 field); i.e. it doesn't matter *where* the source archive was acquired from. If the hash matches the one in the package definition, then it's the same archive that the guix packager has seen while packaging.

--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“We’ll know our disinformation program is complete when everything the American public believes is false.”
— William Casey (1913–1987), the director of CIA 1981-1987
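The content-addressed behaviour described in the reply, as an added illustration that is not part of the thread and not Guix's own download code: the uri list is walked in order, an unreachable mirror is skipped, and a mirror that serves altered bytes is rejected by the sha256 check exactly like a dead one, so the hash in the package definition, not the URL, decides what is accepted. The mirror URLs, the archive bytes and the in-memory `fake_fetch` stand-in for a network fetch are all constructed for this example.

```python
import hashlib
import hmac

# Constructed sample: the bytes the packager saw, and the sha256 that
# would be recorded in the origin's sha256 field.
GOOD_ARCHIVE = b"constructed stand-in for a source tarball\n"
EXPECTED_SHA256 = hashlib.sha256(GOOD_ARCHIVE).hexdigest()

# Constructed in-memory "mirrors" standing in for an origin's uri list.
# Ordered: first is unreachable, second serves tampered content, third is intact.
MIRRORS = {
    "https://mirror-a.example/src.tar.gz": None,                      # down
    "https://mirror-b.example/src.tar.gz": GOOD_ARCHIVE + b"extra\n",  # altered
    "https://mirror-c.example/src.tar.gz": GOOD_ARCHIVE,              # intact
}


def fake_fetch(uri: str) -> bytes:
    """Stand-in for an HTTP download; raises like a network error when down."""
    data = MIRRORS.get(uri)
    if data is None:
        raise ConnectionError(f"{uri} unreachable")
    return data


class SourceUnavailable(Exception):
    """No candidate uri produced bytes matching the expected hash."""


def fetch_verified(uris, expected_sha256: str, fetch=fake_fetch):
    """Try each uri in order; accept the first whose content hashes to expected.

    A fetch error and a hash mismatch are treated the same way: move on to
    the next candidate. Returns (uri_used, data) or raises SourceUnavailable
    carrying a per-uri record of why each candidate was rejected.
    """
    attempts = []
    for uri in uris:
        try:
            data = fetch(uri)
        except OSError as exc:  # ConnectionError is an OSError subclass
            attempts.append((uri, f"fetch failed: {exc}"))
            continue
        digest = hashlib.sha256(data).hexdigest()
        if hmac.compare_digest(digest, expected_sha256):
            return uri, data
        attempts.append((uri, f"hash mismatch: got {digest[:16]}..."))
    raise SourceUnavailable(attempts)


if __name__ == "__main__":
    uri, data = fetch_verified(list(MIRRORS), EXPECTED_SHA256)
    print("accepted", uri, "bytes:", len(data))
    try:
        fetch_verified(list(MIRRORS)[:2], EXPECTED_SHA256)
    except SourceUnavailable as exc:
        for candidate, reason in exc.args[0]:
            print("rejected", candidate, "-", reason)
```

The point of the `attempts` list is operational: when every mirror is rejected, a packager wants to see whether the failures were all network errors (retry later) or included a hash mismatch (a mirror is serving something other than the archive that was packaged, which merits a closer look at that mirror rather than a retry).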