Comment by amarant
14 hours ago
NixOS has a pretty solid solution to this issue: key your dependencies with checksums of the content. That way you get the best of both worlds: you always get the exact version you want, and you can share a copy of that exact version with other software that wants to use that exact version too!
So it sounds like you don’t get the exact version you want because metadata is thrown away.
It's a checksum, not the content itself.
Yeah, Nix-like distributions (e.g. guix, lix) do for Linux systems what some language package managers (e.g. cargo) do for individual projects.
Are the xattr / chattr / umask checksums rolled into the main data fork content or are they hashed separately (or not at all)?
IIRC Nix is checksummed in the hash of the source of the content, not the results.
Hash of a normalization of the derivation, so this roughly means source, dependencies and the ‘build recipe’. The exceptions are fixed-output derivations, which are typically content-hashed.
That said, a lot of work is done in content-addressed hashing, but AFAIK it’s not the default yet.
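The distinction drawn in the last comments, as an added example that is not part of any comment and is not Nix's actual hashing scheme: a key computed from the normalized build recipe next to a key computed from the normalized output. The function names, the JSON normalization, the choice of which metadata is dropped, and the sample data are all assumptions made for this illustration.

```python
import hashlib
import json

def _digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, fixed separators)."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def input_addressed_key(name, source_sha256, dep_keys, build_script):
    """Key derived from the normalized recipe: source, dependencies, build steps."""
    recipe = {
        "name": name,
        "source": source_sha256,
        "deps": sorted(dep_keys),  # declaration order must not change the key
        "builder": build_script,
    }
    return _digest(recipe)

def content_addressed_key(tree):
    """Key derived from the build output itself, after normalization.

    `tree` maps relative path -> dict with 'data' (bytes), 'mode' (int) and
    any extra metadata. Only path, contents and the executable bit are
    hashed; mtime, owner and similar fields are dropped (model assumption).
    """
    normalized = [
        [path, bool(entry["mode"] & 0o111), hashlib.sha256(entry["data"]).hexdigest()]
        for path, entry in sorted(tree.items())
    ]
    return _digest(normalized)

# Constructed sample data: two recipes that differ only in a builder flag...
SRC = hashlib.sha256(b"constructed tarball bytes").hexdigest()
KEY_A = input_addressed_key("hello", SRC, ["libc-key"], "make install")
KEY_B = input_addressed_key("hello", SRC, ["libc-key"], "make -j8 install")

# ...but produce the same files, built at different times by different users.
OUT_A = {"bin/hello": {"data": b"\x7fELF-demo", "mode": 0o755, "mtime": 1700000000, "owner": "alice"}}
OUT_B = {"bin/hello": {"data": b"\x7fELF-demo", "mode": 0o555, "mtime": 1800000000, "owner": "bob"}}
# Same recipe as A, but the output bytes were altered after the build.
OUT_TAMPERED = {"bin/hello": {"data": b"\x7fELF-evil", "mode": 0o755, "mtime": 1700000000, "owner": "alice"}}

if __name__ == "__main__":
    print("recipe keys equal:  ", KEY_A == KEY_B)
    print("content keys equal: ", content_addressed_key(OUT_A) == content_addressed_key(OUT_B))
    print("tamper detected:    ", content_addressed_key(OUT_A) != content_addressed_key(OUT_TAMPERED))
```

In this model the recipe-derived key identifies what was asked for, so it stays the same for `OUT_TAMPERED`; only the output-derived key changes when the bytes do.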