-
-
Notifications
You must be signed in to change notification settings - Fork 14k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stdenv.mkDerivation: Reject MD5 in outputHash #255150
Conversation
Nice! But considering that md5 is practically not used anywhere, we should make sure this doesn't noticeable affect performance. Currently these are the stats, with a 0.22% increase in memory usage. I think this can be improved, I'll make some suggestions. |
37642e1
to
b3f762b
Compare
ea8effa
to
3f2aa17
Compare
@infinisil If the proposed version gets your approval, I can go and squash the last 2 commits. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other than one concern this looks good to me :)
047f793
to
fc98896
Compare
@infinisil Done, and thanks for the feedback. |
P.S. : since this is technically a breaking change to |
That date is mostly meant for breaking changes to builds, but I can merge it before then :) Though indeed since this is technically a breaking change, I guess it wouldn't hurt to write a short note on it in the backwards incompatibilies section of the release notes. Can you do that? |
While there is no fetcher or builder (in nixpkgs) that takes an `md5` parameter, for some inscrutable reason the nix interpreter accepts the following: ```nix fetchurl { url = "https://www.perdu.com"; hash = "md5-rrdBU2a35b2PM2ZO+n/zGw=="; } ``` Note that neither MD5 nor SHA1 are allowed by the syntax of SRI hashes.
fc98896
to
1cabb1c
Compare
Done! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! I'll merge when CI passed :)
Description of changes
make-derivation.nix
.This is necessary, even though
mkDerivation
has nomd5
parameter, as the nix interpreter accepts it inoutputHashAlgo
or in SRI-like hashes such as:Note:
md5
is not valid in SRI hashes, and I reported the underlying bug: NixOS/nix#8982.Things done
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage