
manual: document ways of obtaining source hashes #53785

Merged
merged 2 commits into from Jan 17, 2019

5 participants
@danbst
Contributor

commented Jan 11, 2019

... and security nuances.

Related: #53754

cc @7c6f434c @grahamc

@samueldr

Member

commented Jan 11, 2019

Rendered with state as of 663b8cc

[screenshot of the rendered manual section]

</para>
<para>
This works well when you've upgraded an existing package version and want to
find out the new hash, but is useless if the package doesn't have a top-level

@7c6f434c

7c6f434c Jan 11, 2019

Member

It's not so much a question of top-level attribute, as of being accessible via an attribute path.

</itemizedlist>

<section xml:id="sec-source-hashes-security">
<title>Obtaining hashes securely</title>

@7c6f434c

7c6f434c Jan 11, 2019

Member

Maybe note that the threat model discussed here is MITM close to the developer's network?

Whatever you do, MITM close to the server side (or a successful server intruder) can even get a «valid» certificate via DV…

@7c6f434c

Member

commented Jan 11, 2019

Technically speaking, there is a one more crazy-ish way of obtaining hashes that I sometimes use: fake hashes + Ctrl-c + copy the URL from the progress output + nix-prefetch-…

This way I do get the exact URL for free, but TLS is checked and the file is only downloaded once.

@7c6f434c

Member

commented Jan 11, 2019

By the way, does git verify correctness of revision hashes by default? Does fetchgit enable/disable this? Fetching a known-good commit hash with no certificate validation might be or not be safe, and in both cases it could be useful to mention.

A little nuance is that <literal>nix-prefetch-*</literal> tools produce a
hash encoded with <literal>base32</literal>, but upstream usually provides
hexadecimal (<literal>base16</literal>) encoding. Fetchers understand both
formats. Nixpkgs doesn't stadartize on any one format.

@Mic92

Mic92 Jan 11, 2019

Contributor
Suggested change:
- formats. Nixpkgs doesn't stadartize on any one format.
+ formats. Nixpkgs does not standardize on any one format.
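The base32-versus-base16 nuance above is worth seeing in code, because Nix's base32 is not RFC 4648 base32: it uses a 32-character alphabet that omits e, o, t and u, and packs the hash bits least-significant group first. The helper below is an added example (not code from this PR or from Nixpkgs): it encodes and decodes that format so a hash printed by nix-prefetch-* can be checked against the hexadecimal checksum upstream publishes. The alphabet and bit layout follow the Nix source as I know it; the sample hash is the SHA-256 of an empty file.

```python
import hashlib

# Nix's base32 alphabet (assumed from the Nix source): 0-9 then a-z without e, o, t, u.
NIX_BASE32_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"


def to_nix_base32(digest: bytes) -> str:
    """Encode raw hash bytes the way nix-prefetch-* and nix-hash --base32 print them."""
    size = len(digest)
    length = (size * 8 - 1) // 5 + 1  # 52 characters for a 32-byte SHA-256
    chars = []
    # Nix emits the highest 5-bit group first, but groups are numbered from bit 0 upward.
    for n in range(length - 1, -1, -1):
        i, j = divmod(n * 5, 8)  # byte index and bit offset of group n
        c = digest[i] >> j
        if i < size - 1:
            c |= digest[i + 1] << (8 - j)  # borrow the remaining bits from the next byte
        chars.append(NIX_BASE32_ALPHABET[c & 0x1F])
    return "".join(chars)


def from_nix_base32(text: str, size: int = 32) -> bytes:
    """Decode a Nix base32 string back to raw bytes; rejects malformed input."""
    if len(text) != (size * 8 - 1) // 5 + 1:
        raise ValueError("wrong length for a %d-byte hash" % size)
    out = bytearray(size)
    for n, ch in enumerate(reversed(text)):
        digit = NIX_BASE32_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError("invalid nix base32 character %r" % ch)
        i, j = divmod(n * 5, 8)
        out[i] |= (digit << j) & 0xFF
        carry = digit >> (8 - j)  # bits that spill over into the next byte
        if i < size - 1:
            out[i + 1] |= carry
        elif carry:
            raise ValueError("invalid nix base32 hash (non-zero padding bits)")
    return bytes(out)


def hashes_match(nix_hash: str, upstream_hex: str) -> bool:
    """True if a base32 hash from nix-prefetch equals upstream's hex SHA-256 checksum."""
    return from_nix_base32(nix_hash, 32) == bytes.fromhex(upstream_hex.strip())


if __name__ == "__main__":
    # Constructed sample: the SHA-256 of an empty file in both encodings.
    digest = hashlib.sha256(b"").digest()
    print(to_nix_base32(digest), digest.hex())
```

Comparing decoded bytes rather than strings is what makes the check robust to whichever of the two encodings a SHA256SUMS file or a nix-prefetch run happens to give you.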

@danbst referenced this pull request Jan 14, 2019: lib: add fake hashes #53754 (Merged)

@danbst

Contributor Author

commented Jan 17, 2019

@Mic92 applied!

@7c6f434c rephrased the security section. Rendered

[screenshot of the rendered security section, 2019-01-17]

@Mic92 Mic92 merged commit c3364fb into NixOS:master Jan 17, 2019

9 checks passed

@Mic92

Contributor

commented Jan 17, 2019

Thanks!

@danbst danbst deleted the danbst:get-hash-doc branch Jan 17, 2019
