W. Knight <[email protected]> writes:

> On Sun, 28 Dec 2025 09:21:10 +0100, Rutherther <[email protected]> wrote:
> > …
> Simon Josefsson <[email protected]> writes:
>> Rutherther <[email protected]> writes:
>>
>>> Installation script: https://guix.gnu.org/guix-install.sh
>> ...
>>> All of these files are signed at <link>.sig. They are all signed by
>>> Rutherther, you can get his public key from [1], then import it using
>>> “gpg --import”.
>> ...
>>> • SHA256 hashes
>>
>> The guix-install.sh script does not seem to have a *.sig file, nor is it
>> included in the SHA256 hash list.
>
> That is true. That is because the script tracks master of the Guix
> repository and we cannot be sure no one will change it in the following
> days. So we cannot include it in the SHA256 hash list as it is not
> 'part' of the release by itself. It having a different hash afterwards is
> not a bug and it would be confusing to users if it was included in the
> list and changed. Generally the install script is improved even after
> the release, while parts of it are tied to the tarball, a large part of it
> isn't.

This is interesting, but I admit I am unsure whether it is a good idea. If you want to install say Guix 1.4.0, do you not want to get the install script for that version? Or rather, to ask the obvious question, is there an expectation (and testing) to keep the script working with all Guix versions? Or just the latest?

Would it not make more sense to have the install script be part of the release?

Tomas

-- 
There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.
