by amarant 53 days ago
NixOS has a pretty solid solution to this issue: key your dependencies with checksums of the content. That way you get the best of both worlds: you always get the exact version you want, and you can share a copy of that exact version with other software that wants to use that exact version too!
3 comments

Yeah, Nix-like distributions (e.g. Guix, Lix) do for Linux systems what some language package managers (e.g. cargo) do for individual projects.
So it sounds like you don’t get the exact version you want because metadata is thrown away.
Curious, what is your software doing that it depends on specific metadata in your dependencies? What metadata do you require? Most file metadata is stuff like created timestamp, last edit timestamp, read/write/execute permissions.

I'm just trying to think of a case where metadata would be relevant in a dependency?

It's a checksum, not the content itself.
Are the xattr / chattr / umask checksums rolled into the main data fork content or are they hashed separately (or not at all)?
IIRC Nix is checksummed in the hash of the source of the content, not the results.
Hash of a normalization of the derivation, so this roughly means source, dependencies and the ‘build recipe’. The exceptions are fixed-output derivations, which are typically content-hashed.

That said, a lot of work is done in content-addressed hashing, but AFAIK it’s not the default yet.
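
An added illustration of the two hashing schemes discussed in this thread, not code from any commenter and not Nix's actual NAR serialization or derivation hashing: `tree_hash` is a simplified content hash that covers only file type, executable bit and contents (the metadata set the NAR format keeps), and `input_key` is a simplified input-addressed key over source hash, dependency keys and build recipe. The function names and the byte layout are assumptions made for the example.

```python
import hashlib, os, stat, tempfile

def tree_hash(path):
    """Content hash of a file tree over normalized metadata only (simplified layout)."""
    h = hashlib.sha256()
    def walk(p):
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):
            h.update(b"symlink\0" + os.readlink(p).encode() + b"\0")
        elif stat.S_ISDIR(st.st_mode):
            h.update(b"directory\0")
            for name in sorted(os.listdir(p)):  # sorted: listing order must not matter
                h.update(b"entry\0" + name.encode() + b"\0")
                walk(os.path.join(p, name))
            h.update(b"end\0")
        else:
            # Only the executable bit survives; mtime, owner and other mode bits are ignored.
            exe = b"x" if st.st_mode & stat.S_IXUSR else b"-"
            with open(p, "rb") as f:
                data = f.read()
            h.update(b"regular\0" + exe + str(len(data)).encode() + b"\0" + data)
    walk(path)
    return h.hexdigest()

def input_key(name, source_hash, dep_keys, build_recipe):
    """Input-addressed key: hash of the recipe, never of the build output."""
    h = hashlib.sha256()
    for field in [name, source_hash, *sorted(dep_keys), build_recipe]:
        h.update(field.encode() + b"\0")
    return h.hexdigest()

def demo():
    """Hash a constructed one-file tree before and after metadata changes."""
    with tempfile.TemporaryDirectory() as d:
        f = os.path.join(d, "tool.sh")
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
        os.chmod(f, 0o644)
        base = tree_hash(d)
        os.utime(f, (1, 1))      # timestamp change only
        after_mtime = tree_hash(d)
        os.chmod(f, 0o600)       # non-executable permission bits change
        after_perm = tree_hash(d)
        os.chmod(f, 0o755)       # executable bit flips
        after_exec = tree_hash(d)
    return base, after_mtime, after_perm, after_exec

if __name__ == "__main__":
    print(demo())
```

Two builds that produce different bytes from the same recipe still share one `input_key`, which is why an input-addressed key identifies the recipe rather than the resulting files.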