fetchurl: allow empty hash #89885
Meant as a companion to NixOS/nix#3674. This just resets outputHash if nothing is passed in.
We can use cacert to validate that the data passes SSL certificates. Normally, this doesn’t happen because we already have the hash, but in the hash = "" case we don’t.
With these PRs, we can amend our tutorials to tell people to always comment out the hash when changing the URL to avoid MITM attacks.
*This should probably only be merged after a Nix release contains NixOS/nix@762273f.
@matthewbauer I think I'm hitting an error on this: Output (expand for `--show-trace` output):
I'm running nix-2.3.7 (which I believe to be up to date) and I think no releases of nix currently include NixOS/nix#3674
Never mind, I can actually use a nix unstable release:
Yeah - no release contains this, but it's okay since you can get the error directly from Nix instead of Nix. I think you could be hitting a bug though - fetchpypi will probably fail like this with fetchurl/boot.nix. It's been like that since 8074133 though.
@baloo note there is also
I wish Nixpkgs would evaluate cleanly.
@FRidh good catch!
#89885 ensures that fetches are done securely (i.e. without `--insecure`) when the `hash` parameter is one of the four special "fake" hashes. However the manual was not updated in that PR. This commit updates the manual to account for the already-merged changes from that PR.

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
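
The reasoning in this thread (a real hash already authenticates the download, while `hash = ""` or a placeholder hash does not, so certificates must be checked) is modeled below as an added Python example; it is not code from this PR or from nixpkgs. The three non-empty placeholder values are assumed to match `lib.fakeSha256`, `lib.fakeSha512` and `lib.fakeHash`, and the payloads are constructed sample data.

```python
import base64
import hashlib

# Hash values that mean "no real hash known yet". The empty string is from the
# PR; the other three are ASSUMED to mirror lib.fakeSha256, lib.fakeSha512 and
# lib.fakeHash (they are not listed on this page).
FAKE_HASHES = {
    "",
    "0" * 52,
    "0" * 128,
    "sha256-" + base64.b64encode(bytes(32)).decode(),
}


def sri_sha256(data: bytes) -> str:
    """Return an SRI-style sha256 string for the given bytes."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()


def needs_tls_verification(expected_hash: str) -> bool:
    """Certificates only matter when no real hash pins the content."""
    return expected_hash in FAKE_HASHES


def fetch(expected_hash: str, payload: bytes, cert_valid: bool):
    """Model one fixed-output fetch (hypothetical helper, not a Nix API).

    payload    -- bytes the network delivered
    cert_valid -- whether the server's certificate chain validated
    Returns (accepted, reported_hash); reported_hash is what a user would
    copy into the expression after a mismatch.
    """
    if needs_tls_verification(expected_hash) and not cert_valid:
        # Fetch runs without --insecure, so it aborts before any hash is shown.
        return False, None
    got = sri_sha256(payload)
    return got == expected_hash, got


GENUINE = b"release-1.0 tarball bytes"      # constructed sample
TAMPERED = b"release-1.0 tarball + extra"   # constructed sample
PINNED = sri_sha256(GENUINE)

if __name__ == "__main__":
    print("pinned hash, bad cert, tampered:", fetch(PINNED, TAMPERED, False))
    print("empty hash,  bad cert, tampered:", fetch("", TAMPERED, False))
    print("empty hash,  good cert, genuine:", fetch("", GENUINE, True))
```

With a pinned hash the tampered payload is rejected even though the certificate was never checked; with an empty hash the only protection against pinning a tampered payload's hash is the certificate check.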