guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Downloader for "wrapped" tarbar?

From: zimoun
Subject: Re: Downloader for "wrapped" tarbar?
Date: Sat, 6 Jun 2020 19:26:38 +0200 
Dear Hartmut,

On Sat, 6 Jun 2020 at 17:29, Hartmut Goebel
<h.goebel@crazy-compilers.com> wrote:

> 2. When implementing some "wrapped-fetch" (name tdb), modeled like
> "git-fetch", there is no easy way for the user to verify the hash, as
> this is taken from the "inner" tarball. How does this work with
> substitutes, download-nar and SWH?

Today, Guix feeds SWH with only one stream "guix lint" and only for
'git-fetch' packages; if I understand well.  The origin methods for
Guix packages look like:

      1 bzr-fetch
      3 cvs-fetch
      9 url-fetch/tarbomb
     24 url-fetch/zipbomb
     28 hg-fetch
     30 computed-origin-method
     67 no-origin
    115 svn-fetch
    135 svn-multi-fetch
   3574 git-fetch
   9690 url-fetch

where 'svn-multi-fetch' are mainly CTAN/TeX packages.  Well, as you
see, most of the packages are not yet archived in SWH. Since SWH
supports 'svn-fetch' and 'hg-fetch', it is doable to add them to "guix
lint" but it is low-priority -- at least on my TODO. :-)

The SWH-side WIP is about 'url-fetch'.  I have not followed all the
recent developments by lewo but roughly speaking they are implementing
another "lister" [2,3,4] for tarballs.  Well, the final aim is that
SWH automatically ingests https://guix.gnu.org/sources.json which is
automatically generated every X minutes.  Currently, the compliance of
this 'sources.json' is still a WIP; the format is changing and the
specification not yet fixed.

What SWH archives is the upstream source, i.e., *not* "guix build -S"
but what comes from 'origin'.  What happens after and what Guix does
not matter for SWH.

Therefore, if I understand correctly, SWH will archive the initial
tarball.  (Sorry, I am lost with the "inner/outer" terminology.)  Note
that only the package tarball you pointed [5] needs to be checksummed,
well if this initial package tarball matches then 'contents.tar.gz'
will match too, isn't it?

I hope to not have misread and missed something.


All the best,
simon

[1] https://archive.softwareheritage.org/save/
[2] https://docs.softwareheritage.org/devel/swh-lister/index.html
[3] https://forge.softwareheritage.org/D2025
[4] https://forge.softwareheritage.org/T1991
[5] https://github.com/hexpm/specifications/blob/master/package_tarball.md
reply via email to
[Prev in Thread] Current Thread [Next in Thread]