Hi Juliana,
I’ve observed some similar weirdness in the past when I’ve updated
versions. I believe what’s happening is that Guix uses the hash
to look up the file in a content-addressed store (either the local
store or SWH), and is lacking verification that the retrieved
object is the expected one.
— Ian
Juliana Sims <j...@incana.org> writes:
Hey folks,
I tried to update magic-wormhole today and things went super
smoothly.
All I had to do was change the version number.
I didn't even have to change the source hash.
If that strikes you as odd, good! It should!
To cover all my bases, I pk'd the hash produced by `pypi-uri`
and used
`guix download` to try to fetch the same file and check its
hash, only
to find that `guix download` couldn't find anything at that URL
or its
fallbacks.
To test if things were being exceptionally weird, I switched to
pulling and building from git, and the build failed, expectedly,
probably because one of the dependencies
(magic-wormhole-transit-relay) was not the right version, which
was
what I had initially expected to happen.
Does anyone know what might be going on here? Given the
intended
secure nature of this program, I'm concerned there may be
something
malicious happening somewhere along the way. I would love an
explanation that quiets that concern.
You can look at the current magic-wormhole package source and
play
around with it yourself to see what I'm talking about.
Best,
Juli
PS I was trying to update all three packages in
magic-wormhole.scm,
but the transit relay in particular requires later versions of
twisted
and autobahn than the other two, which is minorly annoying. I
know
twisted can't be updated without rebuilding a bunch of stuff, so
I
don't plan to pursue this further for the time being.
