[bug#37466] [PATCH 2/4] gnu: Add heads.

[Julien Lepiller]

Le 20 septembre 2019 15:49:54 GMT+02:00, Danny Milosavljevic <address@hidden> a 
écrit :
>Hi Björn,
>
>On Fri, 20 Sep 2019 14:05:29 +0200
>Björn Höfling <address@hidden> wrote:
>
>> That's the non-free kernel, right?
>
>Right.
>
>> Besides that neither DNS nor Google knows that host.
>
>Hmm, you're right, but it worked for me.  Doesn't work now.
>Using "www" is probably better anyhow (and works).
>
>> In general, this long list of source-files looks a bit strange: I
>think
>> all/most of these packages are already a Guix package, where
>> the source code is (more or less) verified to be FSDG-compatible,
>> possibly with a snipped. Now this package is just getting a huge list
>of
>> unreviewed source tarballs in. Hm.
>> 
>> Could we at least somehow reference the source package from Guix?
>
>Well, heads provides an initrd and they want reproducible builds for it
>for
>security purposes--that's the main reason they build a "cross" compiler
>too:
>To have the compiler produce verifiable executables.
>
>So basically if we change the version or anything, the hashes won't
>match
>any more and any person going along their installation guide should
>abort the installation--because heads has presumably been tampered
>with.
>
>Not sure what to do about it.
>
>Maybe at least linux-libre produces bitwise identical outputs to Linux
>for what they care about.  I'll try it.

Not sure about heads, but some build systems specify the exact version of their 
dependencies, but we don't package all of them in guix. In that case, the guix 
build-system overwrites the declared hash with the actual hash of the package 
that is used instead. Can't you do something similar?