Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

git.sr.hut archive hashes have changed #115397

Closed
logan12358 opened this issue Mar 8, 2021 · 8 comments · Fixed by #116178
Closed

git.sr.hut archive hashes have changed #115397

logan12358 opened this issue Mar 8, 2021 · 8 comments · Fixed by #116178
Labels
0.kind: bug

Comments

@logan12358
Copy link
Contributor

Describe the bug
Sources from archives from https://git.sr.ht fail to download with hash mismatches.

To Reproduce

$ git checkout nixpkgs-unstable # I'm at a2b0ea6865b
$ nix build --option substitute false .#wev.src
error: --- Error --- nix-daemon
hash mismatch in fixed-output derivation '/nix/store/z2i6fs4n9gz37b20l3b146rrjwjcrxqm-1.0.0.tar.gz.drv':
  specified: sha256-bwBN7fP1zhDS/jzSM9WZEnVtigrwISFBWNbsVNZsnW4=
     got:    sha256-YTod8aSHnVDOcgI94UqvBb4ub1E0boSmn1D8bYUCu/Q=

Expected behavior
The hash should match and the source should download.

Additional context
It sounds like the production Sourcehut instance upgraded last month, causing changes to all generated archives (to come in-line with GNU gzip).

I've determined some packages which this affects (listed in "Maintainer information") by grep -r 'git.sr.ht'.

I'm happy to have a go making a PR for all of these packages with the following process:

  1. Retrieve archive from cache (by nix build with subsituters)
  2. Retrieve archive from git.sr.ht
  3. Decompress both and confirm tar files are identical
  4. Update hash according to newly retrieved archive

But if there's a better process, please let me know :)

Notify maintainers
@tadeokondrak
@fgaz
@sikmir
@primeos
@berbiche

Metadata

  • system: "x86_64-linux"
  • host os: Linux 5.10.10, NixOS, 21.03.20210125.891f607 (Okapi)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.4pre20201205_a5d85d0
  • channels(root): "nixos-20.03.2015.e7752db2fb6, nixos-unstable-20.09pre227577.135073a87b7"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
- aerc
- castor
- asuka
- scdoc
- wlsunset
- wev
- wshowkeys
# a list of nixos modules affected by the problem
module:
@fgaz
Copy link
Member

fgaz commented Mar 8, 2021

Sounds good

@symphorien
Copy link
Member

I think it is preferable to switch all affected derivations to fetchzip. This should prevent this from happening again, if the actual content of the tarball is the same.
Even better, you could add a fetchFromSourceHut function which uses fetchzip under the hood, like fetchFromGitHub and fetchFromGitLab. This would encourage people not to use fetchurl to fetch procedurally generated tarballs from sourcehut.

@fgaz
Copy link
Member

fgaz commented Mar 8, 2021
edited

From a quick look at the ticket, this is supposed to be a one-time change to make the hash the same as in other forges though

Even better, you could add a fetchFromSourceHut function

#102225

@primeos
Copy link
Member

primeos commented Mar 8, 2021
edited

But if there's a better process, please let me know :)

I think getting the new hashes with e.g. nix-prefetch-url -A scdoc.src should be enough (fetches securely via HTTPS and we should be able to trust sr.ht that the contents remain unchanged).

Even better, you could add a fetchFromSourceHut function

+1, that seems like the best (long-term) solution.

Edit: And IMO we should keep using .tar.gz archives (e.g. because it's consistent with the GitHub and GitLab fetchers) and should indeed be fine now: https://todo.sr.ht/~sircmpwn/git.sr.ht/232#event-71523.

@symphorien
Copy link
Member

this is supposed to be a one-time change

the point is: with fetchzip, we don't have to trust this pinky promise (I mean, I'm sure that they intend to keep it, but it could break unwillingly). That's exactly why fetchzip exists in the first place.

So 👎 on fixes keeping fetchurl.

@primeos
Copy link
Member

primeos commented Mar 10, 2021

@symphorien oh, my bad, I didn't read your comment carefully enough :o I thought you've meant zip vs. .tar.gz (which didn't make much sense) but realized now that it was fetchzip vs. fetchurl. 👍 for that then :)

@symphorien not sure if we should have this discussion here as this seems like a general issue. AFAIK most fetchers (e.g. for GitHub and GitLab) download the .tar.gz archives instead of .zip (though at least fetchFromGitHub extracts the archive so it doesn't really matter). Anyway, #102225 will extract the archives too so that should be fine as well :)

@primeos primeos mentioned this issue Mar 10, 2021
Merged
10 tasks
@fgaz
Copy link
Member

fgaz commented Mar 11, 2021

oh, my bad, I didn't read your comment carefully enough :o I thought you've meant zip vs. .tar.gz

Hah, same. 👍 too then

@primeos
Copy link
Member

primeos commented Mar 11, 2021

@logan12358 #102225 is merged now so you could submit a PR to switch the affected attributes/packages to the new fetchFromSourcehut (s. 2b9f10d). I can also take care of it if you want.

@logan12358 logan12358 mentioned this issue Mar 13, 2021
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0.kind: bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

aerc, asuka, scdoc, wev, wlsunset, wshowkeys: use fetchFromSourceHut logan12358/nixpkgs
4 participants
@logan12358 @primeos @fgaz @symphorien