cc @vcunat
Is there an explanation somewhere about these URLs? https://github.com/NixOS/nixpkgs/blob/eefa8d4191c113e8c325ff799bd2ac04e93a7e09/pkgs/tools/typesetting/tex/texlive/default.nix#L115
Yeah we need to mirror it ourselves, upstream only hosts latest (rolling) IIRC. Search for related issues turns up a number of discussions:
https://github.com/NixOS/nixpkgs/issues/24683
https://github.com/NixOS/nixpkgs/issues/27100
https://github.com/NixOS/nixpkgs/issues/10026#issuecomment-142836035
Aaaand I just figured out how to use GitHub's blame feature and got to the merge request, jumping through a few hoops. https://github.com/NixOS/nixpkgs/pull/30332 You learn something new every day.
Would be nice if there was a comment or something.
That's a good idea, can you submit a PR adding a note about this?
Not shady really (esp since they're fixed-output so shouldn't matter where the bits are fetched from, mostly) but certainly not self-explanatory :).
Well, it's shady if you don't have a legitimate source corroborating the hash, no? :P
I don't actually see offhand where any hashes one could check are defined here...
Well, I can try submitting a PR but you know your way around this a lot better than I do.
> Well, it's shady if you don't have a legitimate source corroborating the hash, no? :P
> I don't actually see offhand where any hashes one could check are defined here...
Ah. Fair enough.
> Well, I can try submitting a PR but you know your way around this a lot better than I do.
Haha, okay, I understand -- we've all been where you are before :). If you think you might stick around, something like this can be a good way to gain familiarity and close the gap that prevents contributions next time something bugs ya. For everyone's benefit.
But I wouldn't mind, just LMK (here or on IRC since we're chatting there...)
@22459 As far as I understand, we use the same tarballs that are intended to be used by tlmgr, and those are rolling-release only. There are also source files that don't seem to be updated [1], or you could probably fetch them from SVN [2]. This will probably require some major change to how our texlive is built.
As far as URLs go, they indeed don't point to any of the official sources. On the other hand, nix checks all the hashes for downloads, so one can possibly audit those downloads for a specific version of nixpkgs. I'm not sure if anybody does that, so de facto, it seems, we are just trusting our maintainer (who, in this instance, is me) that they mirrored texlive packages as they were at the time. If you don't want to rely on trusting a maintainer you could: locally bump the texlive version to use the upstream rolling release (there is a script [3] to bump the hashes), or you could work on changing the texlive infrastructure in nixpkgs to use the official mirrors.
[1] http://ftp.math.utah.edu/pub/tex/historic/systems/texlive/2017/
[2] https://tug.org/texlive/svn/
[3] https://github.com/NixOS/nixpkgs/blob/eefa8d4191c113e8c325ff799bd2ac04e93a7e09/pkgs/tools/typesetting/tex/texlive/default.nix#L39-L40
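The audit idea raised in the comment above, as an added example that is not part of the original thread or of nixpkgs: a pinned hash proves the mirror serves the bytes that were pinned, but only a second source can corroborate the pin itself. Package names, payloads and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit(pins, mirror, independent):
    """Classify each pinned package.

    pins:        name -> hash recorded in the package set (hypothetical layout)
    mirror:      name -> bytes served by the project-run mirror
    independent: name -> bytes from a second source; entries may be absent
    """
    report = {}
    for name, pinned in sorted(pins.items()):
        got = mirror.get(name)
        if got is None:
            report[name] = "missing-on-mirror"
        elif sha256_hex(got) != pinned:
            # A fixed-output fetch fails here, whoever runs the mirror.
            report[name] = "mismatch"
        elif name not in independent:
            # Integrity holds relative to the pin, but nothing vouches for the pin.
            report[name] = "uncorroborated"
        elif sha256_hex(independent[name]) == pinned:
            report[name] = "corroborated"
        else:
            # e.g. a rolling upstream has already moved to a newer tarball.
            report[name] = "differs-from-independent"
    return report


def demo():
    # Constructed sample data, not real TeX Live tarballs or hashes.
    a, b, c, d = b"pkg-a r1", b"pkg-b r1", b"pkg-c r1", b"pkg-d r1"
    pins = {n: sha256_hex(x) for n, x in
            [("pkg-a", a), ("pkg-b", b), ("pkg-c", c), ("pkg-d", d)]}
    mirror = {"pkg-a": a, "pkg-b": b, "pkg-c": b"pkg-c altered", "pkg-d": d}
    independent = {"pkg-a": a, "pkg-b": b"pkg-b r2", "pkg-c": c}
    return audit(pins, mirror, independent)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Only `mismatch` and `missing-on-mirror` are caught by the hash check at fetch time; the other statuses need the independent source.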