nix-universal-prefetch: init at 0.2.0 #53436
```nix
license = licenses.mit;
maintainers = with maintainers; [ samueldr ];
platforms = platforms.linux ++ platforms.darwin;
inherit version;
```
Out of curiosity, why put the version in the meta? It's already an attribute on the derivation.
Frankly, you'd have to ask me past July, when I added nix-top, as I copied its derivation and removed what wasn't required, while not really looking at meta. I must have had a brain fart when implementing that.
This looks neat! Another use-case you may not have considered, besides re-verifying TOFU hashes: when nix already has the
The update (0.2.0) adds support for nix 2.2's new error message. It also supports All this is now tested, though not tested in this build as the test is made using nix.
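The mechanism under discussion, as an added illustration that is not the project's own code: a universal prefetcher runs the fetcher with a deliberately bogus hash and recovers the real one from Nix's fixed-output mismatch error. Both message shapes below (the pre-2.2 one and the 2.2 one) and the sample stderr are constructed from memory and should be treated as assumptions; the parser also refuses a mismatch whose "wanted" side is not the bogus hash it supplied, so a failing dependency is never mistaken for the fetch being probed.

```python
import re

# Nix prints sha256 hashes in its own base32 alphabet (no e, o, t, u), 52 chars.
NIX_B32_SHA256 = r"[0-9a-df-np-sv-z]{52}"

# Message shape introduced around Nix 2.2 (wording assumed for this example).
NEW_STYLE = re.compile(
    r"wanted:\s*sha256:(?P<wanted>" + NIX_B32_SHA256 + r")\s*"
    r"got:\s*sha256:(?P<got>" + NIX_B32_SHA256 + r")"
)
# Older shape (wording assumed for this example).
OLD_STYLE = re.compile(
    r"with sha256 hash '(?P<got>" + NIX_B32_SHA256 + r")' "
    r"instead of the expected hash '(?P<wanted>" + NIX_B32_SHA256 + r")'"
)

# The deliberately wrong hash the prefetcher hands to the fetcher.
BOGUS = "0" * 52


def extract_actual_hash(stderr: str, bogus: str = BOGUS) -> str:
    """Return the hash Nix actually computed for the fetched output.

    Raises ValueError unless stderr is a fixed-output mismatch whose
    'wanted' side is exactly the bogus hash we supplied, so a mismatch
    from some other derivation in the build is never mistaken for ours.
    """
    for pattern in (NEW_STYLE, OLD_STYLE):
        match = pattern.search(stderr)
        if match is None:
            continue
        if match.group("wanted") != bogus:
            raise ValueError("mismatch reported against a hash we did not supply")
        return match.group("got")
    raise ValueError("no fixed-output hash mismatch found; refusing to guess")


# Constructed sample stderr for both shapes (the 'got' value is made up).
SAMPLE_GOT = "1gv2c0lgg8lxg1zvph0rzkz7k0nm5rxm2s6m3vx6kwibpmvqlyb6"
NEW_STYLE_STDERR = (
    "error: hash mismatch in fixed-output derivation '/nix/store/xxx-source':\n"
    f"  wanted: sha256:{BOGUS}\n"
    f"  got:    sha256:{SAMPLE_GOT}\n"
)
OLD_STYLE_STDERR = (
    "error: fixed-output derivation produced path '/nix/store/xxx-source' "
    f"with sha256 hash '{SAMPLE_GOT}' instead of the expected hash '{BOGUS}'\n"
)

if __name__ == "__main__":
    for sample in (NEW_STYLE_STDERR, OLD_STYLE_STDERR):
        print(extract_actual_hash(sample))  # the hash to paste into the fetcher call
```

Note that the recovered value is simply whatever the server returned on this first fetch, which is why the thread below still calls the approach TOFU.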
Another case when universal prefetcher would be better than url prefetcher e36b4d6
Though, to be honest, it is not true:
This prefetcher is TOFU, but hidden from eyes. What would be extra awesome, if in next iteration:
Then we can make this an "officially blessed" prefetcher and mention it in docs.
You're right, not not-TOFU since it's TOFU, but automated for you, but isn't And right again, this would need the implementation details of further checks to be made in nixpkgs, since there is no introspection possible here as to making further checks. samueldr/nix-universal-prefetch#1 is a tracking issue if you want to reference it in the future. As for autocomplete, there's an annoying hard problem here: there is no way to introspect deep enough to show all arguments. Let's use And thanks for the interest :).
I have been working on my own idea for @danbst Could you give me more information about that TLS support? I'd like to implement your suggestion. Also with regards to auto complete, I have not implemented it yet, but I do have all the information available to make it work, even considering the problem mentioned by @samueldr. The only limitation is that for fetchers (mine supports both pointing to fetchers and extending existing fetcher calls, like package sources), I would need to keep a list of valid bogus values, or else risk producing errors.
@msteen it is basically set here: https://github.com/NixOS/nix/blob/800cd55ab74fffe9a1d212c2b8caf4024ebd98b6/src/libstore/download.hh#L16 Pretty impressed that there are now 2 implementations of the same concept!
@msteen re: TLS: all (if I remember correctly; in any case, most) of the Nixpkgs fetchers intended for direct use in packages do not verify certificates; the assumption is that if a hash is given, why bother how the content was obtained — and size leaks do indeed kill all or almost all privacy when downloading tarballs (size leaks can even damage privacy of encrypted VoIP, and popular tarballs on a single server are known to attackers in advance). With TOFU that means zero MITM protection. The main benefit is probably that an old Nixpkgs checkout without fresh certificates can still build something. I think, given the popularity of manual TOFU which is not going to disappear overnight, we should convert all the fetchers to opt-out certificate checking: the default is to check, but there are both a fetcher parameter and a global option to skip verification (the first is useful for packages with known-non-trivial setups, like special-purpose CA certificates; the second is useful in case the Nixpkgs checkout is too old).
Upstream URL: https://github.com/samueldr/nix-universal-prefetch
Motivation for this change
Let's hopefully have users use this!
This software is intended to resolve once and for all the question "but I don't want to TOFU?" (which isn't even a question!) when end-users want to get the hash to use with a specific fetcher.
This, in addition, could be used with automated scripts to reduce hand-holding when the fetchers aren't simple underneath.
Things done
Additionally, I ate my own dogfood when making this PR, and did not TOFU the hash, but instead ran: