On Tue, Feb 21, 2017 at 09:56:29PM +0000, ng0 wrote:
> On 17-02-21 22:25:35, Catonano wrote:
> Please avoid doing the way described below though. Calculating it in
> advance is more secure and helps to prevent introducing errors. If
> there's a mismatch it shows an error.
>
> > Another option is to try to build the package with the wrong hash, wait for
> > the error message and copy the right hash from within the error message
> > itself. Lame, but hey

I agree with ng0. We should not do this when creating Guix packages. The guix download code has a relatively rare "network signature" when compared to things like a web browser or wget. Someone could serve a different file when they detect use of the Guix download tool, and if this makes it into a package definition, all of our users would end up with the wrong software.
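
Added example, not part of the original message or of Guix's own code: one way to calculate the hash in advance and cross-check it across copies of the same source fetched through independent clients, so that a server answering one client differently shows up as a mismatch. The function names and the sample bytes are assumptions made for illustration; the encoding is the nix-base32 form in which Guix package definitions write sha256 hashes.

```python
import hashlib

# Alphabet of the nix-base32 encoding (the letters e, o, t and u are not used).
NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32(digest: bytes) -> str:
    """Encode a raw digest in nix-base32, 5 bits per character."""
    length = (len(digest) * 8 - 1) // 5 + 1
    out = []
    for n in range(length - 1, -1, -1):
        i, j = divmod(n * 5, 8)          # byte index and bit offset
        c = digest[i] >> j
        if i < len(digest) - 1:          # pull the remaining bits from the next byte
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_B32[c & 0x1F])
    return "".join(out)


def source_hash(data: bytes) -> str:
    """sha256 of the source bytes, in the form used in a package definition."""
    return nix_base32(hashlib.sha256(data).digest())


def cross_check(copies: dict) -> str:
    """Return the hash all copies agree on; raise if any fetch path differs.

    `copies` maps a label for each independent fetch (hypothetical labels
    such as "wget" or "browser") to the bytes that fetch returned.
    """
    if len(copies) < 2:
        raise ValueError("need at least two independently fetched copies")
    hashes = {label: source_hash(data) for label, data in copies.items()}
    if len(set(hashes.values())) != 1:
        raise ValueError(f"fetch paths disagree: {hashes}")
    return next(iter(hashes.values()))


if __name__ == "__main__":
    tarball = b"constructed sample bytes standing in for a release tarball"
    print(cross_check({"wget": tarball, "browser": tarball}))
    try:
        cross_check({"wget": tarball, "guix-download": tarball + b"!"})
    except ValueError as err:
        print("rejected:", err)
```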
