Hi Guixers,

Today Bonface mentioned to me that I should be cloning my packages and verifying the hashes with `git hash-object` or `git hash` iirc?

Do others do this when packaging?

My workflow currently is the lazy way:

1. I change the version in the package definition.
2. build the package
3. package blows up on stdout
4. I retrieve the hash and add it
5. profit!

But how can I trust that computed hash?

wdyt

Am I committing a newbie sin with the above workflow?

I know `guix refresh` exists but sometimes it is slowwww (e.g. outdated *.go)

I know `make go-clean` exists but sometimes it breaks things in my tree...

Should I stop worrying and just `git send-email --to="guix-patc...@gnu.org" -1`?

all best,

jgart