Merge #128: Add content hashes for pinned channels

46edb39 Add content hashes for pinned channels (Erik Arvstedt)
961e821 Rename contrib/ to helper/ (Erik Arvstedt)

Pull request description:

  Unhashed external content is bad for security and performance (due to
  re-fetches when the cache times out).
  Use this simple fix until #78 is fleshed out.

  For testing, run this in the repo root dir:
  ```bash
  nix eval '(import ./pkgs/nixpkgs-pinned.nix)'
  ```

ACKs for top commit:
  jonasnick:
    ACK 46edb39

Tree-SHA512: cb098a4714aecf00e8d0f9fe6d388b6322416c1d2f8d55b54dc16328145331a87a71fbf68e2faa85105727cbd6370542799f1c2d84ac2bee90a6710b96eba9bd

docs/install.md

@@ -128,7 +128,7 @@ See [usage.md](usage.md) for usage instructions, such as how to update.
 
 To resize the VM disk image, you can use this helper script from within nix-shell:
 ```
-./contrib/vbox-resize-disk1.sh --help
+./helper/vbox-resize-disk1.sh --help
 ```
 ----
 

helper/fetch-channel

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+rev=$1
+sha256=$(nix-prefetch-url --unpack https://github.com/nixos/nixpkgs-channels/archive/$rev.tar.gz)
+echo "rev = \"$rev\";"
+echo "sha256 = \"$sha256\";"

pkgs/nixpkgs-pinned.nix

@@ -1,7 +1,18 @@
 let
-  fetch = rev: builtins.fetchTarball "https://github.com/nixos/nixpkgs-channels/archive/${rev}.tar.gz";
+  fetch = { rev, sha256 }:
+    builtins.fetchTarball {
+      url = "https://github.com/nixos/nixpkgs-channels/archive/${rev}.tar.gz";
+      inherit sha256;
+    };
 in
 {
-  nixpkgs = fetch "27a5ddcf747fb2bb81ea9c63f63f2eb3eec7a2ec";
-  nixpkgs-unstable = fetch "4cd2cb43fb3a87f48c1e10bb65aee99d8f24cb9d";
+  # To update, run ../helper/fetch-channel REV
+  nixpkgs = fetch {
+    rev = "27a5ddcf747fb2bb81ea9c63f63f2eb3eec7a2ec";
+    sha256 = "1bp11q2marsqj3g2prdrghkhmv483ab5pi078d83xkhkk2jh3h81";
+  };
+  nixpkgs-unstable = fetch {
+    rev = "4cd2cb43fb3a87f48c1e10bb65aee99d8f24cb9d";
+    sha256 = "1d6rmq67kdg5gmk94wx2774qw89nvbhy6g1f2lms3c9ph37hways";
+  };
 }