Archive fetched by fetchFromGitHub is unpacked regardless of hash check

[Chiiruno]

Issue description

I was experimenting with fixing the ue4 package, and noticed that the archive, when fetched from fetchFromGitHub is unpacked regardless of the hash check.
Couldn't this be a possible security risk if say, something crazy like a code execution exploit was MITM'd in it's place or something else? (Although, the gzip and tar code is pretty solid)
We should be hash checking the sha256 of the archive before doing anything with it.

[FRidh]

fetchFromGitHub uses fetchzip when possible. Zip implementations typically don't produce archives deterministically, thus requiring us taking the hash over the contents of the archive.

[FRidh]

Actually, I think we could also use fetchurl because GitHub can produce other types of tarballs as well. Unfortunately, such a change would invalidate all existing hashes.

[Chiiruno]

Perhaps a staging PR for changing fetchFromGitHub, and a related issue for correcting the new hashes for all affected packages should be made?

[FRidh]

There are also uses of fetchFromGitHub outside Nixpkgs, which should be considered. In principle there is no reason for fetchFromGitHub, one can use fetchurl or fetchgit just fine.

Closing because there isn't really anything to do.

[Chiiruno]

Yes, but a lot of packages use fetchFromGitHub, so I still think this needs to be addressed, unless there is a plan to remove fetchFromGitHub entirely.
Other methods that use fetchzip should be considered for this too where applicable.
I think you should re-open this, it's still a glaring vulnerability.

[Chiiruno]

As far as "uses of fetchFromGitHub outside Nixpkgs" goes, perhaps a notice where applicable to let users know of such a change, and to replace the hash might suffice.

[Chiiruno]

Looks like you're probably right about there being nothing to do, at least in the scope of nixpkgs.
Closing, if anyone has any ideas, feel free to re-open.