Comment by amarant

15 hours ago

NixOS has a pretty solid solution to this issue: key your dependencies with checksums of the content. That way you get the best of both worlds: you always get the exact version you want, and you can share a copy of that exact version with other software that wants to use that exact version too!

Yeah, Nix-like distributions (e.g. Guix, Lix) do for Linux systems what some language package managers (e.g. cargo) do for individual projects.

Are the xattr / chattr / umask checksums rolled into the main data fork content or are they hashed separately (or not at all)?

  • IIRC Nix is checksummed in the hash of the source of the content, not the results.

    • Hash of a normalization of the derivation, so this roughly means source, dependencies and the ‘build recipe’. The exceptions are fixed-output derivations, which are typically content-hashed.

      That said, a lot of work is done in content-addressed hashing, but AFAIK it’s not the default yet.
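
A toy model of the distinction drawn in this thread, added here as an example and not written by any commenter or taken from Nix: it keys one build by a hash of its normalized inputs and by a hash of its output, then checks a download against a pinned hash the way a fixed-output derivation is described above. The JSON normalization, the use of SHA-256, the sample derivations and every function name are assumptions; Nix's real store-path computation is different.

```python
import hashlib
import hmac
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def input_addressed_key(drv: dict) -> str:
    """Key derived from the normalized derivation: source, deps, build recipe."""
    normalized = json.dumps(drv, sort_keys=True, separators=(",", ":"))
    return sha256_hex(normalized.encode())

def content_addressed_key(output: bytes) -> str:
    """Key derived from the bytes that were actually produced."""
    return sha256_hex(output)

def build(drv: dict) -> bytes:
    """Constructed stand-in builder: the output depends on the source only."""
    return drv["source"].upper().encode()

def verify_fixed_output(fetched: bytes, declared_sha256: str) -> bool:
    """Fixed-output style check: accept the bytes only if they match the pin."""
    return hmac.compare_digest(content_addressed_key(fetched), declared_sha256)

# Constructed sample derivations: identical except for a comment in the recipe.
DRV_A = {"source": "hello world", "deps": ["libc-key-placeholder"],
         "recipe": "tr a-z A-Z"}
DRV_B = {**DRV_A, "recipe": "tr a-z A-Z  # cosmetic comment"}

# Constructed "download" and the hash a packager would have pinned for it.
TARBALL = b"constructed release tarball bytes"
PINNED = sha256_hex(TARBALL)

if __name__ == "__main__":
    for name, drv in (("A", DRV_A), ("B", DRV_B)):
        print(name, "input:", input_addressed_key(drv)[:16],
              "content:", content_addressed_key(build(drv))[:16])
    print("pinned ok:", verify_fixed_output(TARBALL, PINNED))
    print("tampered ok:", verify_fixed_output(TARBALL + b"!", PINNED))
```

The two derivations get different input-addressed keys even though their outputs are byte-identical, which is why input addressing rebuilds on any recipe change while content addressing can deduplicate the result.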