<zimoun>I would say yes for both :-) Implicit dependencies is the second line in the reference link. And I think it is comprehensible. Well, about tarball, I am too close, so yes, you are probably right, it is better to skip
<zimoun>civodul: the hash used by vault-fetch comes from (revision-directory revision) and the revision comes from lookup-revision, so somehow Guix does not compute the hash and Guix trusts SWH, then verifying the integrity. Right?
<civodul>zimoun: yes, Guix always verifies the integrity of the thing it downloads
<civodul>so we don't need to trust the server or the method used to produce the result
<zimoun>yes but we are not sure that SWH always returns the expected Git content. I mean it is the same issue as the tarball
<civodul>that's OK: if SWH (or git, or tar, etc.) returns garbage, this is detected and an error is raised
<zimoun>yes so it is the exact same problem for Git-reference and for Tarball. Guix sends to SWH a hash (commit-hash or checksum) and SWH returns content, then Guix checks the integrity. I do not see why tarball is more problematic than git.