<EternalZenith>Looking at arch PKGBUILDs for reference, very few seem to actually check the hashes of the downloaded files
<EternalZenith>That's bitten me several times, where a page fails to load, and instead of a package being installed, you get odd things
<EternalZenith>E.g., the source for a package on the AUR came from a website that was blocked on the network I was using, and somehow the install continued and made my system unable to start graphically untill I manually deleted all the corrupted files and reinstalled later at home
<EternalZenith>The users aren't usually building it though; it's being built locally, tested, and then pushed to users through one of the mirrors
<EternalZenith>Even still, that issue pops back up if you want to build it locally or for any of the frighteningly many of the 50k AUR packages that have this same issue
<lfam>Yeah, and also the Arch maintainers will not be immune either
<lfam>Although Guix is designed to require a source hash, we should be watchful that we don't have similar problems due to mistakes and other oversights
<lfam>Most of the big distros have discovered critical package authentication bugs in the past years
<lfam>Typically to the point where they might as well have not bothered signing the packages
<lfam>So, I think it demonstrates that these kinds of implementation or design mistakes are really easy to make
<EternalZenith>I used to think that my laptop was a bulwark of security with its fancy aes-xts-512 block device encryption, a hardened kernel, limited nonfree firmware, a nice firewall, and sandboxing, among other things
<EternalZenith>I'm now coming to see that such a sense of security is a big illusion
<lfam>I agree, computing is still in its infancy as a human endeavour, and we understand it very poorly
<EternalZenith>Guix and its philosophies seem like a step in the right direction
<EternalZenith>So, hydra.gnu.org is the current source of official substitutes based on Nix's Hydra, and berlin.guix.info is the future one based on Guix's Curaiss?
<lfam>EternalZenith: That's right, although you could consider them both "official" in the sense that they are both maintained by Guix developers and we distribute their signing keys in the Guix source code
<lfam>Also, I *think* the canonical URL for berlin is <berlin.guixsd.org>, but not sure. rekado is the main person behind that system
<lfam>That's how the signing key is named, anyways, so it must be the preferred URL :)
<g_bor>I'm trying to get a 0.11.0 guixsd up to date.
<g_bor>I'm a bit stuck, istm that there is some problem with a guile-git depedency, it is redirected to a github sign-in page.
<civodul>g_bor: i'm afraid this is going to be difficult :-/
<civodul>main reason is that 0.11 provided a rudimentary 'guix pull' that did not produce a standalone Guix
<civodul>what you could do is 'guix copy' a full Guix from another machine
<amz3>I just installed guix in fresh VM and I am trying to build guix from git. I did 'guix pull && guix package -u' and 'guix environement guix' and then running ./configure tells me: configure: error: Guile-Gcrypt could not be found; please install it.
<amz3>(I solved my problem with apparmor and sent a mail the mailling list about a solution)
<civodul>amz3: i think you need to install Guile-Gcrypt ;-)
<civodul>well ok, 'guix environment guix' should provide it if you did 'guix pull' before
<deadman007>hi, does any configuration for lxqt desktop on guixsd ?
<nico202>can someone help me in sending a patch? I sent it using git format patch + git send-email, I tried sending it to myself and it worked, but sending it to firstname.lastname@example.org does not seems to work..
<roptat>nico202: if that's the first time you send an email to that list, it might take some time before it is accepted
<lfam>libssh: By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.
<EternalZenith>'guix weather' isn't working for me; it just returns "guix weather: error: build failed: derivation `/gnu/store/ad97mln4w2rg474dyy694mnq38rhdir4-git-checkout.drv' has incorrect output `/gnu/store/7ygy97wz9d1zcbz3k2kg1ga9g389bd7b-git-checkout', should be `/gnu/store/2669wx1lhr57nh0f2f5cdfvmhl7nxx8v-git-checkout'"