<mark_weaver>still, I think there is a tremendous benefit to us providing secure hashes, even in those cases.
<mark_weaver>it ensures that everyone is getting the same source tarball
<mark_weaver>and thus if some of them look at the source code, or observe the behavior of the package, their observations will be valid for all the other people using guix.
<mark_weaver>it also means that mitm attacks are much more likely to be detected by someone, unless *everyone* is affected by the same mitm.
<mark_weaver>already, we've detected a few cases where upstream changed a tarball without incrementing the version number.
<mark_weaver>however, having said all this, I do agree that we need to convince upstreams to keep better security habits, and to sign everything with a key that is at least somewhat connected to a well-established web-of-trust.
<civodul>jmd: probably because you modified pixman, yes
<jmd>Achhh! This pangox vs. gtkglext business is an abomination.
<jmd>Is it possible to specify a git revision as a download source?
<civodul>in general we avoid packaging unreleased software
<civodul>and there's currently no way to specify a git repo + rev
<jmd>guix build: error: build failed: derivation `/nix/store/0hm3an385mmaxplkn3x7h59ayd4vx0w8-2.90.8.tar.bz2.drv' has incorrect output `/nix/store/1v671k6rpy96a6zq42b4mi6s3nhr7ar8-2.90.8.tar.bz2', should be `/nix/store/5xq51x6sym0952s63pi98h7ni01bm3f4-2.90.8.tar.bz2'