Hello,

Simon Josefsson <[email protected]> wrote:
> One concern came up in gnulib discussions about load on git servers:
>
> https://mail.gnu.org/archive/html/bug-gnulib/2026-03/msg00037.html
>
> I think Guix generally prefers mirrors, but I wonder if this could be
> clarified or improved explicitly related to a tarball->git change?

I think it should be fine: checkouts, like all other derivation outputs, are cached and served by the build farms, ci.guix and bordeaux.guix. So upstream Git servers are hit when a contributor makes the initial package or package update and when the build farms attempt to build it for the first time, but after that it’s okay.

WDYT?

> It is an added feature if Guix had some policy to REQUIRE that source
> code is also available on some third-party long-term archival site,
> since this makes it harder to introduce deniable corruption through a
> git server compromise. SHA1 is broken, and Git-SHA256 rarely used, so
> this could matter.

Yup!

Ludo’.
