Sat 2026-03-07 at 11:46 +0100, Tomas Volf wrote:
> Simon Josefsson via "Development of GNU Guix and the GNU System
> distribution." <[email protected]> writes:
>
> > It is an added feature if Guix had some policy to REQUIRE that source
> > code is also available on some third-party long-term archival site,
> > since this makes it harder to introduce deniable corruption through a
> > git server compromise. SHA1 is broken, and Git-SHA256 rarely used, so
> > this could matter.
>
> I think this is a bit problematic unless we reach a deal with *some*
> archive that would guarantee archival for our needs.

Couldn't that be done on a per-package level? As part of a version
upgrade, the maintainer tries to get the new version mirrored by one of
a set of "blessed" stable sites, and then uses that site as the primary
mirror URL in the Guix package definition. Just an idea.

> A single data point: I tried to archive a few of my packages to SWH,
> it has been about a week, and they still are not archived. So this
> requirement seems problematic unless we provide an actually working
> way to do the archival.

Yeah, that seems annoying. However, Savannah, Codeberg, etc. are also
unavailable at a problematic level, so there is probably no way to
really avoid this annoyance. We can make it less annoying, though.

/Simon
