nix-store --verify --check-contents #26744

Closed
evrim opened this issue Jun 21, 2017 · 4 comments

Comments

@evrim
Contributor

evrim commented Jun 21, 2017

Issue description

Hello, I have the following.

$ nix-store --verify --check-contents
reading the Nix store...
checking path existence...
checking hashes...
path ‘/nix/store/np983hlqns3f86vyh710jcfg9hl1baqn-python3-3.5.2’ was modified! expected hash ‘eeb18478c3f2d82316237e0ffbed7d4099a23c8798efab1580e5cd391a123b8c’, got ‘af9bfe9e053f2d335c94f4bb402694da8c28c4e203029dc9786c1defa144053e’
warning: not all errors were fixed

In his thesis, E.Dolstra mentions that the valid paths are fixed and contents should not change. To verify this, he suggests the above command.

In my particular case, nix-store reports an abnormality. Therefore, here are a few questions:

  • Does this mean that somehow python got modified and it is no longer a valid path?
  • How can someone find out the alteration? (i.e. build it again/diff?)
  • How to evaluate security implications of this?

Thanks for the explanation, much appreciated.
Best,
evrim.

Technical details

  • System: 17.03.1316.412b0a17aa (Gorilla)
  • Nix version:
    $ nix-store --version
    nix-store (Nix) 1.11.10
@manveru
Contributor

manveru commented Jun 21, 2017

You can run sudo nix-store --repair --verify --check-contents to fix the contents. Modifications of the nix store can happen through various issues, like cosmic rays, disk corruption, crashes, careless superusers, or an act of god, just to name a few.
It's true that in an ideal world the store hashes always exactly match the contents, and the store is usually read-only, but due to the fact that sometimes someone has to actually write the contents to the store in the first place, there's no way to avoid it being mutable in some way (on your normal nixos).

@evrim
Contributor Author

evrim commented Jun 23, 2017

Um, what does this --repair function precisely do?

@vcunat
Member

vcunat commented Jun 23, 2017

--repair
Fix corrupted or missing store paths by redownloading or rebuilding them. Note that this is slow
because it requires computing a cryptographic hash of the contents of every path in the closure of
the build. Also note the warning under nix-store --repair-path.
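The "cryptographic hash of the contents" in the quoted manual text is the sha256 of the path's NAR (Nix ARchive) serialization, which is also what the "expected hash" / "got" values in the original report are. The following is an added example, not code from Nix itself, that reproduces that serialization so a path flagged as modified can be hashed independently of nix-store (for example on a copy taken before running --repair) and the result compared against the printed values; the tree-node tuple format is this example's own convention.

```python
import hashlib
import os
import stat

# Tree node shapes (constructed inline or read from disk with fs_tree):
#   ("regular", executable, bytes) | ("symlink", target) | ("directory", {name: node})

def fs_tree(path):
    """Load a directory tree, e.g. a /nix/store path, into the node form above."""
    st = os.lstat(path)
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            return ("regular", bool(st.st_mode & stat.S_IXUSR), f.read())
    if stat.S_ISLNK(st.st_mode):
        return ("symlink", os.readlink(path))
    if stat.S_ISDIR(st.st_mode):
        return ("directory", {n: fs_tree(os.path.join(path, n)) for n in os.listdir(path)})
    raise ValueError(f"unsupported file type: {path}")

def _s(out, *items):
    """NAR strings: 8-byte little-endian length, payload, zero-padded to 8 bytes."""
    for data in items:
        data = data.encode() if isinstance(data, str) else data
        out += [len(data).to_bytes(8, "little"), data, b"\0" * (-len(data) % 8)]

def _node(out, node):
    _s(out, "(", "type", node[0])
    if node[0] == "regular":
        if node[1]:                      # only the user exec bit is recorded
            _s(out, "executable", "")
        _s(out, "contents", node[2])
    elif node[0] == "symlink":
        _s(out, "target", node[1])
    else:                                # directory: entries in byte order of their names
        for name in sorted(node[1]):
            _s(out, "entry", "(", "name", name, "node")
            _node(out, node[1][name])
            _s(out, ")")
    _s(out, ")")

def nar_serialize(node):
    out = []
    _s(out, "nix-archive-1")
    _node(out, node)
    return b"".join(out)

def nar_sha256(node):
    """Hex sha256 of the NAR, the form shown as 'expected hash' / 'got' in the --verify output."""
    return hashlib.sha256(nar_serialize(node)).hexdigest()
```

`nar_sha256(fs_tree("/nix/store/<path>"))` should equal the "got" value for a path that --verify reports as modified; hashing a freshly rebuilt or redownloaded copy of the same path, then diffing the two trees, is how the changed file can be located.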

@evrim evrim closed this as completed Jul 7, 2017
@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nix-on-macos-catalina-risks-with-unencrypted-nix-store-possibilities-for-encrypted-nix-store/8134/12
