Ludovic Courtès <[email protected]> writes: > Hello Guix! > > During the Guix Days session about bootstrapping¹, I suggested that we > finally bite the bullet and avoid building from tarballs that contain > pre-built binaries—typically autotools-generated files, Info files, > sometimes HTML or PDF files.
One concern came up in gnulib discussions about load on git servers: https://mail.gnu.org/archive/html/bug-gnulib/2026-03/msg00037.html I think Guix generally prefers mirrors, but I wonder if this could be clarified or improved explicitly related to a tarball->git change? I think there should be some Guix policy on this, to avoid hammering upstream git servers. Would it make sense to have a policy to prefer git checkouts from SWH? Thoughts? It is an added feature if Guix had some policy to REQUIRE that source code is also available on some third-party long-term archival site, since this makes it harder to introduce deniable corruption through a git server compromise. SHA1 is broken, and Git-SHA256 rarely used, so this could matter. /Simon
signature.asc
Description: PGP signature
