Hey folks,
I tried to update magic-wormhole today and things went super smoothly.
All I had to do was change the version number.
I didn't even have to change the source hash.
If that strikes you as odd, good! It should!
To cover all my bases, I pk'd the hash produced by `pypi-uri` and used
`guix download` to try to fetch the same file and check its hash, only
to find that `guix download` couldn't find anything at that URL or its
fallbacks.
To test if things were being exceptionally weird, I switched to pulling
and building from git, and the build failed, expectedly, probably
because one of the dependencies (magic-wormhole-transit-relay) was not
the right version, which was what I had initially expected to happen.
Does anyone know what might be going on here? Given the intended
secure nature of this program, I'm concerned there may be something
malicious happening somewhere along the way. I would love an
explanation that quiets that concern.
You can look at the current magic-wormhole package source and play
around with it yourself to see what I'm talking about.
Best,
Juli
PS I was trying to update all three packages in magic-wormhole.scm, but
the transit relay in particular requires later versions of twisted and
autobahn than the other two, which is minorly annoying. I know twisted
can't be updated without rebuilding a bunch of stuff, so I don't plan
to pursue this further for the time being.
