Add an optional hash parameter to builtins.fetchGit
#3216
Closed
Commits on Dec 21, 2019
-
Add an optional
hashparameter tobuiltins.fetchGitThis is particularly useful to ensure the purity e.g. of a repo which is pinned to a git tag (tags can be force-pushed which makes builds silently irreproducible) or when trying to evaluate a nix expression without internet connectivity (if the cache-entry is expired, the eval will break as the git repo can't be re-fetched). This change adds an optional `hash` parameter (with an SRI-hash[1]) to the builtin `fetchGit` and checks if there's a content-addressable path which matches the hash (the hash can be determined using `nix to-sri --type sha256 $(nix-prefetch-git ...)`). If no such path exists, it will be attempted to fetch the Git repository in order to compare the hashes. Please note that caching is still used here, so if the repo is already fetched and the only hash in the expression changes, the evaluation will fail pretty fast. [1] https://www.w3.org/TR/SRI/
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.