Archive fetched by fetchFromGitHub is unpacked regardless of hash check #63564
Comments
Actually, I think we could also use
Perhaps a staging PR for changing fetchFromGitHub, and a related issue for correcting the new hashes for all affected packages should be made?
There are also uses of
Closing because there isn't really anything to do.
Yes, but a lot of packages use
As far as "uses of
Looks like you're probably right about there being nothing to do, at least in the scope of nixpkgs.
Issue description
I was experimenting with fixing the ue4 package, and noticed that the archive, when fetched from fetchFromGitHub, is unpacked regardless of the hash check.
Couldn't this be a possible security risk if, say, something crazy like a code execution exploit was MITM'd in its place, or something else? (Although the gzip and tar code is pretty solid.)
We should be hash checking the sha256 of the archive before doing anything with it.
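A verify-before-unpack guard of the kind the issue asks for, added here as an example (this is not nixpkgs or fetchFromGitHub code); it assumes coreutils `sha256sum` and `tar` are available and constructs its own sample archive plus a tampered copy to exercise both paths:

```shell
#!/bin/sh
# verify_then_unpack ARCHIVE EXPECTED_SHA256 DESTDIR
# Unpacks only after the digest matches; on mismatch nothing is extracted.
verify_then_unpack() {
    archive=$1; expected=$2; dest=$3
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $archive: expected $expected, got $actual" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Constructed sample input: a tiny tar.gz with its recorded digest, plus a
# copy with one byte appended, standing in for an archive altered in transit.
demo_setup() {
    work=$(mktemp -d)
    mkdir "$work/src" && printf 'hello\n' > "$work/src/README"
    tar -czf "$work/good.tar.gz" -C "$work" src
    cp "$work/good.tar.gz" "$work/bad.tar.gz" && printf 'x' >> "$work/bad.tar.gz"
    sha256sum "$work/good.tar.gz" | cut -d' ' -f1 > "$work/expected.sha256"
    echo "$work"
}

# Returns 0 when the intact archive is accepted and unpacked and the
# tampered one is refused without creating its destination directory.
demo_run() {
    work=$(demo_setup)
    expected=$(cat "$work/expected.sha256")
    verify_then_unpack "$work/good.tar.gz" "$expected" "$work/out-good" || return 1
    [ -f "$work/out-good/src/README" ] || return 1
    if verify_then_unpack "$work/bad.tar.gz" "$expected" "$work/out-bad" 2>/dev/null; then
        return 1   # a tampered archive must never reach tar
    fi
    [ ! -d "$work/out-bad" ] || return 1
    rm -rf "$work"
    return 0
}
```

The point is ordering: `tar` is only ever invoked on bytes whose digest already matched the pinned value, so a substituted archive is never handed to the extractor at all.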