fetchurl: allow empty hash #89885

Merged
merged 4 commits into from Jul 6, 2020

matthewbauer
Member

Meant as a companion to NixOS/nix#3674

This just resets outputHash if nothing is passed in.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ofborg ofborg bot added the 6.topic: fetch label Jun 9, 2020

We can use cacert to validate that the data passes SSL certificates.
Normally, this doesn’t happen because we already have the hash, but in
the hash = "" case we don’t.

@Ericson2314
Member

With these PRs, we can amend our tutorials to tell people to always comment out the hash when changing the URL to avoid MITM attacks.

@matthewbauer
Member Author

*This should probably only be merged after a Nix release contains NixOS/nix@762273f.

@matthewbauer matthewbauer merged commit a2c2a86 into NixOS:master Jul 6, 2020
@baloo
Member

baloo commented Aug 2, 2020

@matthewbauer I think I'm hitting an error on this:

Output (expand for `--show-trace` output):
$ nix eval nixpkgs.tmux
error: anonymous function at /home/baloo/dev/nixpkgs/pkgs/build-support/fetchurl/boot.nix:5:1 called with unexpected argument 'hash', at /home/baloo/dev/nixpkgs/pkgs/development/interpreters/python/fetchpypi.nix:26:6
(use '--show-trace' to show detailed location information)
$ nix eval --show-trace nixpkgs.tmux
trace: lib.zip is deprecated, use lib.zipAttrsWith instead
trace: `lib.nixpkgsVersion` is deprecated, use `lib.version` instead!
trace: `types.list` is deprecated; use `types.listOf` instead
trace: warning: types.string is deprecated because it quietly concatenates strings
trace: types.optionSet is deprecated; use types.submodule instead
trace: Warning: `showVal` is deprecated and will be removed in the next release, please use `traceSeqN`
trace: `mkStrict' is obsolete; use `mkOverride 0' instead.
error: while evaluating the attribute 'out' at /home/baloo/dev/nixpkgs/lib/customisation.nix:153:11:
while evaluating the attribute 'drvAttrs' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:12:14:
while evaluating the attribute 'stdenv' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:202:18:
while evaluating the attribute 'out' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:17:7:
while evaluating the attribute 'drvAttrs' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:12:14:
while evaluating the attribute 'initialPath' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/default.nix:114:14:
while evaluating the attribute 'out' at /home/baloo/dev/nixpkgs/lib/customisation.nix:153:11:
while evaluating the attribute 'drvAttrs' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:12:14:
while evaluating the attribute 'stdenv' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:202:18:
while evaluating the attribute 'out' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:17:7:
while evaluating the attribute 'drvAttrs' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:12:14:
while evaluating the attribute 'defaultNativeBuildInputs' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/default.nix:114:14:
while evaluating the attribute 'out' at /home/baloo/dev/nixpkgs/lib/customisation.nix:153:11:
while evaluating the attribute 'drvAttrs' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:12:14:
while evaluating the attribute 'stdenv' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:202:18:
while evaluating the attribute 'out' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:17:7:
while evaluating the attribute 'drvAttrs' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:12:14:
while evaluating the attribute 'defaultNativeBuildInputs' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/default.nix:114:14:
while evaluating the attribute 'out' at /home/baloo/dev/nixpkgs/lib/customisation.nix:153:11:
while evaluating the attribute 'drvAttrs' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:12:14:
while evaluating the attribute 'bintools' at /home/baloo/dev/nixpkgs/pkgs/build-support/cc-wrapper/default.nix:99:10:
while evaluating the attribute 'out' at /home/baloo/dev/nixpkgs/lib/customisation.nix:153:11:
while evaluating the attribute 'drvAttrs' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:12:14:
while evaluating the attribute 'bintools_bin' at /home/baloo/dev/nixpkgs/pkgs/build-support/bintools-wrapper/default.nix:82:10:
while evaluating the attribute 'out' at /home/baloo/dev/nixpkgs/lib/customisation.nix:153:11:
while evaluating the attribute 'drvAttrs' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:12:14:
while evaluating the attribute 'nativeBuildInputs' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:218:11:
while evaluating the attribute 'out' at /home/baloo/dev/nixpkgs/lib/customisation.nix:153:11:
while evaluating the attribute 'drvAttrs' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:12:14:
while evaluating the attribute 'nativeBuildInputs' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:218:11:
while evaluating the attribute 'out' at /home/baloo/dev/nixpkgs/lib/customisation.nix:153:11:
while evaluating the attribute 'all' at /home/baloo/dev/nixpkgs/lib/customisation.nix:149:12:
while evaluating the attribute 'pkgs' at /home/baloo/dev/nixpkgs/pkgs/development/interpreters/perl/default.nix:110:7:
while evaluating the attribute 'version' at /home/baloo/dev/nixpkgs/pkgs/top-level/perl-packages.nix:22348:3:
while evaluating the attribute 'out' at /home/baloo/dev/nixpkgs/lib/customisation.nix:153:11:
while evaluating the attribute 'drvAttrs' at /nix/store/6annsr58zdx7w6zwda1zc7rpl6m1md2p-nix-2.3.7/share/nix/corepkgs/derivation.nix:12:14:
while evaluating the attribute 'buildInputs' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:221:11:
while evaluating the attribute 'out' at /home/baloo/dev/nixpkgs/lib/customisation.nix:153:11:
while evaluating the attribute 'all' at /home/baloo/dev/nixpkgs/lib/customisation.nix:149:12:
while evaluating the attribute 'pkgs' at /home/baloo/dev/nixpkgs/pkgs/development/interpreters/perl/default.nix:110:7:
while evaluating the attribute 'perlPackages' at /home/baloo/dev/nixpkgs/pkgs/top-level/perl-packages.nix:22:3:
while evaluating the attribute 'OpenGL' at /home/baloo/dev/nixpkgs/pkgs/top-level/perl-packages.nix:14917:3:
while evaluating the attribute 'outPath' at /home/baloo/dev/nixpkgs/lib/customisation.nix:164:7:
while evaluating the attribute 'buildInputs' of the derivation 'perl5.30.3-OpenGL-0.70' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:192:11:
while evaluating the attribute 'propagatedBuildInputs' of the derivation 'glu-9.0.1' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:192:11:
while evaluating the attribute 'buildCommand' of the derivation 'libGL-1.3.1' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:192:11:
while evaluating the attribute 'buildInputs' of the derivation 'libglvnd-1.3.1' at /home/baloo/dev/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:192:11:
while evaluating the attribute 'buildInputs' of the derivation 'libX11-1.6.8' at /home/baloo/dev/nixpkgs/pkgs/servers/x11/xorg/default.nix:706:5:
while evaluating the attribute 'nativeBuildInputs' of the derivation 'xorgproto-2019.1' at /home/baloo/dev/nixpkgs/pkgs/servers/x11/xorg/default.nix:2682:5:
while evaluating the attribute 'out.outPath' at /home/baloo/dev/nixpkgs/lib/customisation.nix:156:13:
while evaluating the attribute 'nativeBuildInputs' of the derivation 'meson-0.54.2' at /home/baloo/dev/nixpkgs/pkgs/development/interpreters/python/mk-python-derivation.nix:108:3:
while evaluating 'chooseDevOutputs' at /home/baloo/dev/nixpkgs/lib/attrsets.nix:475:22, called from undefined position:
while evaluating 'optionals' at /home/baloo/dev/nixpkgs/lib/lists.nix:270:5, called from /home/baloo/dev/nixpkgs/pkgs/development/interpreters/python/mk-python-derivation.nix:120:8:
while evaluating 'hasSuffix' at /home/baloo/dev/nixpkgs/lib/strings.nix:212:5, called from /home/baloo/dev/nixpkgs/pkgs/development/interpreters/python/mk-python-derivation.nix:120:23:
while evaluating the attribute 'src.name' at /home/baloo/dev/nixpkgs/pkgs/development/tools/build-managers/meson/default.nix:13:3:
while evaluating 'makeOverridable' at /home/baloo/dev/nixpkgs/lib/customisation.nix:67:24, called from /home/baloo/dev/nixpkgs/pkgs/development/tools/build-managers/meson/default.nix:13:9:
while evaluating anonymous function at /home/baloo/dev/nixpkgs/pkgs/development/interpreters/python/fetchpypi.nix:23:21, called from /home/baloo/dev/nixpkgs/lib/customisation.nix:69:16:
anonymous function at /home/baloo/dev/nixpkgs/pkgs/build-support/fetchurl/boot.nix:5:1 called with unexpected argument 'hash', at /home/baloo/dev/nixpkgs/pkgs/development/interpreters/python/fetchpypi.nix:26:6

I'm running nix-2.3.7 (which I believe to be up to date) and I think no release of nix currently includes NixOS/nix#3674.

@baloo
Member

baloo commented Aug 2, 2020

Never mind, I can actually use a nix unstable release:

nix-env -i -A nixpkgs.nixUnstable

@matthewbauer
Member Author

Yeah - no release contains this, but it's okay since you can get the error directly from Nix instead of Nix.

I think you could be hitting a bug though - fetchpypi will probably fail like this with fetchurl/boot.nix. It's been like that since 8074133 though.

@FRidh
Member

FRidh commented Aug 4, 2020

@baloo note there is also

error: --- TypeError ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- nix
in file: /nix/store/5zl5wpzvsg2f0vczimzxhspk6bn4brgx-source/pkgs/build-support/fetchzip/default.nix (17:2)

anonymous function at /nix/store/5zl5wpzvsg2f0vczimzxhspk6bn4brgx-source/pkgs/build-support/fetchurl/boot.nix:5:1 called with unexpected argument 'recursiveHash'

I wish Nixpkgs would evaluate cleanly.

@baloo
Member

baloo commented Aug 5, 2020

@FRidh good catch!

fricklerhandwerk added a commit that referenced this pull request Oct 12, 2022
#89885 ensures that fetches are
done securely (i.e. without `--insecure`) when the `hash` parameter is one of
the four special "fake" hashes.  However the manual was not updated in that PR.
This commit updates the manual to account for the already-merged changes from
that PR.

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
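
The TLS policy this commit message describes can be modelled as below. This is an added sketch, not the nixpkgs builder's code: the function names are hypothetical, and the set of placeholder values (empty string, all-zero sha256 and sha512 hex, all-zero SRI sha256) is an assumption about what "the four special fake hashes" are, since the thread does not list them.

```shell
#!/bin/sh
# Added illustration (not nixpkgs code). Names are hypothetical.

# All-zero sha256 in SRI form: an assumed member of the "fake" hash set.
FAKE_SRI_SHA256="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

# Succeeds when $1 is a placeholder rather than a pinned hash: empty,
# the SRI value above, or all-zero hex of sha256 (64) or sha512 (128) length.
is_placeholder_hash() {
    h=$1
    if [ -z "$h" ]; then return 0; fi
    if [ "$h" = "$FAKE_SRI_SHA256" ]; then return 0; fi
    case $h in
        *[!0]*) return 1 ;;   # any character other than 0: treat as pinned
    esac
    if [ "${#h}" -eq 64 ] || [ "${#h}" -eq 128 ]; then return 0; fi
    return 1
}

# Prints the curl TLS arguments for one fetch.
#   $1 = hash given to the fetcher, $2 = path to a CA bundle
curl_tls_flags() {
    hash=$1
    ca_bundle=$2
    if is_placeholder_hash "$hash"; then
        # Nothing to compare the download against, so the certificate
        # check is the only integrity control: fail closed without a bundle.
        if [ ! -r "$ca_bundle" ]; then
            echo "refusing fetch: no readable CA bundle at $ca_bundle" >&2
            return 1
        fi
        printf '%s\n' "--cacert $ca_bundle"
    else
        # Pinned hash: the output is verified against it after download,
        # so certificate validation is skipped, as the thread describes.
        printf '%s\n' "--insecure"
    fi
}
```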