Ludovic Courtès (2015-10-07 15:23 +0300) wrote:

> Alex Kost <[email protected]> skribis:
>
> [...]
>> I don't see a problem here, since a fake sha256 may be any string,
>
> Not really, since ‘base32’ is a macro that checks its argument at
> expansion time.  So in practice one cannot C-M-x a package with a random
> base32 string.

Ah, indeed, it can't be any string, but it can be an empty string
(perhaps it's a bug in ‘base32’?)

>> for example "" (an empty string).  Also I believe people begin to
>> write a new package from some template, so you have a working skeleton
>> of future package with all required fields from the very beginning.
>> Then after filling an origin 'uri', you could "C-c . s" to download
>> the source and get its hash.
>
> Hmm.  I’m skeptical.  :-)

Sorry, I didn't get it.  Skeptical that people start from a template?
Or that one can download a source after filling an origin 'uri'?  If the
latter, I definitely did it.

> What about, instead, providing an interactive function that would prompt
> for a URL, run ‘guix download’ on that, and emit an ‘origin’ template at
> point with all the info?

I see several problems here, but the main one is: this sounds like it
should be synchronous: you give a URL, wait until the source is
downloaded and finally get the template at point.  But downloading can
take a VERY long time, so I don't think it will be a usable command.

>> Oh, now I see what you mean.  Well, I don't know, I think if a user has
>> a habit to check a signature, he will check it anyway; and if not, then
>> not.  Besides, at first a packager needs to find a URL of the source
>> tarball, so he will meet a signature anyway, if it exists.  So it's up
>> to him if he checks it or not.
>
> (Him or her.)

Yes, I just always say/write "he", "him", etc.

> I think we really want to give packagers a strong incentive to check
> signatures.  Tools should make it easy to do that.

OK, I understand.

-- 
Alex
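
The point raised above, that a string can pass a decode-time check and still not be a usable sha256 (the empty string being the case mentioned), shown as an added example that is not part of this message or of Guix's code. It assumes the nix-base32 alphabet and a 32-byte digest; the function names are hypothetical.

```python
import hashlib

# nix-base32 alphabet (no e, o, t, u); assumed to be what 'base32' accepts.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"
SHA256_BYTES = 32

def nix_base32_encode(data):
    """Encode bytes as nix-base32 (used here only to build a sample)."""
    value = int.from_bytes(data, "little")
    length = (len(data) * 8 + 4) // 5
    return "".join(NIX_BASE32[(value >> (5 * n)) & 31]
                   for n in reversed(range(length)))

def nix_base32_decode(text):
    """Decode nix-base32 text; ValueError on bad characters or padding."""
    value = 0
    for n, ch in enumerate(reversed(text)):
        digit = NIX_BASE32.find(ch)
        if digit < 0:
            raise ValueError(f"invalid character {ch!r}")
        value |= digit << (5 * n)
    nbytes = len(text) * 5 // 8
    if value >> (8 * nbytes):
        raise ValueError("non-zero padding bits")
    return value.to_bytes(nbytes, "little")

def check_sha256_field(text):
    """Return 'ok' or the reason the string is not a usable sha256."""
    try:
        digest = nix_base32_decode(text)   # the decode-only check stops here
    except ValueError as err:
        return f"malformed: {err}"
    if len(digest) != SHA256_BYTES:        # "" decodes fine, to zero bytes
        return f"wrong length: {len(digest)} bytes"
    if not any(digest):
        return "placeholder: all-zero digest"
    return "ok"

if __name__ == "__main__":
    # Constructed samples: one real digest, then three strings to refuse.
    real = nix_base32_encode(hashlib.sha256(b"constructed sample").digest())
    for candidate in (real, "", "0" * 52, "not-a-hash"):
        print(repr(candidate), "->", check_sha256_field(candidate))
```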
