Get rid of sha1 for fixed-output derivations in nixpkgs #77238
Comments
related to: NixOS#77238
We can script most of this by using
@grahamc Thanks for looking into this. I think these types of security related fixes are important! I was wondering how you determined the list of files using sha1? I wanted to fix the haskell-related files (
I did a simple search of
Once we clean up all the generators, we can rerun with
All the packages in

For example, acorn 4.0.13 doesn't have a sha512 hash:

```json
{
"shasum": "105495ae5361d697bd195c825192e1ad7f253787",
"tarball": "https://registry.npmjs.org/acorn/-/acorn-4.0.13.tgz"
}
```

but version 7.1.0 does:

```json
{
"integrity": "sha512-kL5CuoXA/dgxlBbVrflsflzQ3PAas7RYZB52NOm/6839iVYJgKMJ3cQJD+t2i5+qFa8h3MDpEOJiS64E8JLnSQ==",
"shasum": "949d36f2c292535da602283586c2477c57eb2d6c",
"tarball": "https://registry.npmjs.org/acorn/-/acorn-7.1.0.tgz",
"fileCount": 11,
"unpackedSize": 1104477,
"npm-signature": "-----BEGIN PGP SIGNATURE-----\r\nVersion: OpenPGP.js v3.0.4\r\nComment: https://openpgpjs.org\r\n\r\nwsFcBAEBCAAQBQJdibjuCRA9TVsSAnZWagAAmQgQAIkJPo9i+wdBLLZY8yjT\nHI82RsWU5OvIQxhE6H9qLiEfF57ZSn3LfKVugsEocc84loCiJkkd7vsGsidJ\nRMbkEIK2ENjH1VcUHdHq8PnA/HgnMgHNq6nGg+h6aXLsN/H5SFdyvWedoLXw\n5bwhLbfURV/00bx2himrt/RBNL8SxfowdpQ/ps5+mAWUzLTf7D2+PchYktve\nRJ1lSwpshrgu4AxUdbRmqDEH7+Wm5SutB/EMkQPxQV/sJviFzB8qqFlQopJS\n83RuvIhQb7ZNUQeh5A1+pQocFU+yd227m9tAr69UeES8vinI+0FYVh5GNh0y\nk5MoiQiG3LROtO1RNea0uYGv8W7cU9CK/6MnHbDMUgr+fpEeU/VGItZfOLhB\nTg10PpYCKtQCsF+Z36YLTXgxeWEoRvvKWmJET/MDQzBM/pRzMRpPHiWn6E9T\nl9wt1WLix2qM1jymwaq+0H6hcCtu0ioY7qn4GGeCAfVlBxWYcydNR11Rb++n\nO3oXEqhc8oxKy+hIDHIMDDz/YfCrJ9q7ZzMO9Ie5dzOqeLxty4fbuDeLcD9U\nkbuA+I8dfEFmO2UtRwyx3k9yjX2Tsf2oAC8VOTINN8TXiauyTjWyU//lSKDX\nmUHBDXXZhKWgygi3TMNW7gvmzYuzmDcbkienQeoADvONpCuJNmraVaC33n1h\ncQmj\r\n=blZm\r\n-----END PGP SIGNATURE-----\r\n"
}
```
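As an added example (not code from this issue or from nixpkgs), a small Python audit that applies the observation in the comment above: prefer the registry's sha512 `integrity` field, fall back to the sha1 `shasum` only when the registry never published anything stronger, and verify a downloaded tarball against whichever hash was chosen. The two `dist` objects are the ones quoted above (signature omitted); `make_dist` and the sample bytes in the usage are constructed.

```python
import base64
import hashlib

# The two registry `dist` objects quoted above for acorn (npm-signature omitted).
REGISTRY_DIST = {
    "acorn-4.0.13.tgz": {
        "shasum": "105495ae5361d697bd195c825192e1ad7f253787",
    },
    "acorn-7.1.0.tgz": {
        "integrity": "sha512-kL5CuoXA/dgxlBbVrflsflzQ3PAas7RYZB52NOm/6839iVYJgKMJ3cQJD+t2i5+qFa8h3MDpEOJiS64E8JLnSQ==",
        "shasum": "949d36f2c292535da602283586c2477c57eb2d6c",
    },
}


def select_hash(dist):
    """Return (algorithm, hex digest) for a registry `dist` object.

    Prefers the sha512 `integrity` (SRI) field; falls back to the sha1 `shasum`
    only when the registry never published a stronger hash.
    """
    integrity = dist.get("integrity", "")
    if integrity.startswith("sha512-"):
        raw = base64.b64decode(integrity[len("sha512-"):], validate=True)
        if len(raw) != 64:
            raise ValueError("malformed sha512 integrity value")
        return "sha512", raw.hex()
    if "shasum" in dist:
        return "sha1", dist["shasum"].lower()
    raise ValueError("dist carries no usable hash")


def audit_sha1_only(dists):
    """Names of tarballs whose fixed-output hash would still have to be sha1."""
    return sorted(name for name, d in dists.items() if select_hash(d)[0] == "sha1")


def verify_tarball(dist, data):
    """Check downloaded tarball bytes against the strongest hash in `dist`."""
    algo, expected = select_hash(dist)
    return hashlib.new(algo, data).hexdigest() == expected


def make_dist(data):
    """Build a registry-style dist with both fields for constructed sample bytes."""
    return {
        "integrity": "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode(),
        "shasum": hashlib.sha1(data).hexdigest(),
    }
```

Running `audit_sha1_only(REGISTRY_DIST)` reports only `acorn-4.0.13.tgz`, the package that would still pin a sha1 hash.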
related NixOS#77238 (cherry picked from commit 741db8c)
texlive: it has one "sha1 =" string but the code is generic –
Issue description
We're in 2020 and:
Biggest usage of sha1 is files generated for Node packages:
Steps to resolve, higher level
Files to address
- pkgs/applications/graphics/gcolor2/default.nix
- pkgs/applications/networking/browsers/mozilla-plugins/google-talk-plugin/default.nix
- pkgs/applications/networking/cluster/spacegun/node-packages.nix
- pkgs/applications/networking/instant-messengers/matrix-recorder/node-packages.nix
- pkgs/applications/networking/instant-messengers/riot/riot-desktop-yarndeps.nix
- pkgs/applications/office/grisbi/default.nix
- pkgs/applications/version-management/gitlab/yarnPkgs.nix
- pkgs/build-support/vm/rpm/rpm-closure.pl
- pkgs/development/compilers/elm/packages/node-packages.nix
- pkgs/development/compilers/graalvm/default.nix
- pkgs/development/haskell-modules/configuration-common.nix (false positive)
- pkgs/development/haskell-modules/configuration-hackage2nix.yaml (false positive)
- pkgs/development/libraries/wxsqlite3/default.nix
- pkgs/development/libraries/wxsqliteplus/default.nix
- pkgs/development/misc/google-clasp/node-packages.nix
- pkgs/development/mobile/androidenv/convertaddons.xsl
- pkgs/development/mobile/androidenv/convertpackages.xsl
- pkgs/development/mobile/androidenv/convertsystemimages.xsl
- pkgs/development/mobile/androidenv/generated/addons.nix
- pkgs/development/mobile/androidenv/generated/packages.nix
- pkgs/development/mobile/androidenv/generated/system-images-android.nix
- pkgs/development/mobile/androidenv/generated/system-images-android-tv.nix
- pkgs/development/mobile/androidenv/generated/system-images-android-wear-cn.nix
- pkgs/development/mobile/androidenv/generated/system-images-android-wear.nix
- pkgs/development/mobile/androidenv/generated/system-images-google_apis.nix
- pkgs/development/mobile/androidenv/generated/system-images-google_apis_playstore.nix
- pkgs/development/node-packages/node-packages-v10.nix
- pkgs/development/node-packages/node-packages-v12.nix
- pkgs/development/node-packages/node-packages-v13.nix
- pkgs/development/tools/unity3d/default.nix
- pkgs/development/tools/yarn2nix-moretea/yarn2nix/lib/generateNix.js
- pkgs/development/tools/yarn2nix-moretea/yarn2nix/yarn.nix
- pkgs/development/web/remarkjs/node-packages.nix
- pkgs/misc/base16-builder/node-packages-generated.nix
- pkgs/servers/gotify/yarndeps.nix
- pkgs/servers/matrix-synapse/matrix-appservice-slack/node-packages.nix
- pkgs/servers/monitoring/prometheus/webui-yarndeps.nix
- pkgs/servers/rippled/package.nix
- pkgs/servers/web-apps/codimd/yarn.nix
- pkgs/servers/web-apps/cryptpad/node-packages-generated.nix
- pkgs/tools/networking/airfield/node-packages.nix
- pkgs/tools/package-management/nixui/node-packages.nix
- pkgs/tools/typesetting/tex/texlive/default.nix