New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
lib: add fake hashes #53754
lib: add fake hashes #53754
Conversation
lib/trivial.nix
Outdated
# Generated with `echo|XXXSum` | ||
fakeMd5 = "68b329da9893e34099c7d8ad5cb9c940"; | ||
fakeSha256 = "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"; | ||
fakeSha512 = "be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about just 0s?
Maybe make them more recognisable in output? Something like all 0's or all 1's, so that you know that it isn't the hash you're looking for. (Even better would be a specialised error message that doesn't mention the place-holder, but that would probably be non-trivial to implement) |
lib/trivial.nix
Outdated
@@ -294,4 +294,11 @@ rec { | |||
*/ | |||
isFunction = f: builtins.isFunction f || | |||
(f ? __functor && isFunction (f.__functor f)); | |||
|
|||
# Etalon fake hashes. Can be used as hash placeholders, when computing hash |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is "Etalon"?
lib/trivial.nix
Outdated
@@ -295,8 +295,7 @@ rec { | |||
isFunction = f: builtins.isFunction f || | |||
(f ? __functor && isFunction (f.__functor f)); | |||
|
|||
# Etalon fake hashes. Can be used as hash placeholders, when computing hash |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
French words were fine, but ok :)
thanks @grahamc @Synthetica9 , removed french word and replaced with 0s. Much better! |
This looks great. Can you add something to https://nixos.org/nixpkgs/manual/#chap-quick-start about this, maybe instead of nix-prefetch-* ? |
Does this change our stance about certificate verification in fetchers? (not sure if this is more discoverable than |
@7c6f434c for |
can you explain a bit? |
@7c6f434c That's not really affected by this PR, since it's already an issue whenever you do a |
@danbst Right now (By the way, @edolstra The idea of documenting fake hashes as the primary way of obtaining the correct hash is a bit of a last straw here. @Synthetica9 Yes, but SHA-256 is 256 bits i.e. 64 4-bit nibbles, SHA-512 is 512 bits i.e. 128 nibbles, and MD5 is either something shorter (i.e. 32 nibbles, which is correct) or a reason to reconsider the idea of adding a new MD5-hashed entry… |
lib/trivial.nix
Outdated
@@ -294,4 +294,9 @@ rec { | |||
*/ | |||
isFunction = f: builtins.isFunction f || | |||
(f ? __functor && isFunction (f.__functor f)); | |||
|
|||
# Fake hashes. Can be used as hash placeholders, when computing hash ahead isn't trivial | |||
fakeMd5 = "00000000000000000000000000000000"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's delete the md5 option. People shouldn't use it anymore.
I'm not sure whether |
04c8405
to
3642c3d
Compare
@edolstra done @7c6f434c @grahamc |
lib/trivial.nix
Outdated
@@ -294,4 +294,5 @@ rec { | |||
*/ | |||
isFunction = f: builtins.isFunction f || | |||
(f ? __functor && isFunction (f.__functor f)); | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably should not touch this file if it's going in misc
Fake hashes can be used as placeholders for all the places, where Nix expression requires a hash, but we don't yet have one. This should be more convenient than following: - echo|sha256sum, copy into clipboard, go to editor, paste into previously edited place - search nixpkgs for a random package, copy it's hash to cliboard, go to editor, paste into previously edited place Nix can add support for these fake hashes. In that case printed error should contain only 1 hash, so no more problem "which of two hashes from error should I use?" Idea by irc:Synthetica
3642c3d
to
68a6b47
Compare
So what is the correct way to do this, and where is it documented? And is it actually more ergonomic than this "hack"? |
Thanks. I feel like there should probably be a more streamlined utility for this purpose, though... one that can deal with all source variants automatically in a single command. Right now, using an all-zeroes hash is still the easiest "just works" method :/ |
I think I am generally for Any drawbacks? |
Don't see any. I imagine only a situation, when system hadn't been updated for ages, and all certificates invalidated. Trying to upgrade stuff in this scenario may not work (but should work with current solution). Even if it is done, not every url is |
Don't see any. I imagine only a situation, when system hadn't been updated for ages, and all certificates invalidated. Trying to upgrade stuff in this scenario may not work (but should work with current solution).
This is why a global switch to skip validation is useful; but I am not sure anything beyond a config option is needed for this case (it's not like we want to encourage this use case…)
Even if it is done, not every url is `https`, so fake-hash method usage still is insecure when applied blindly.
Well, even nix-prefetch-url on https URLs doesn't catch all the most likely attacks (starting with a server compromise).
And with http nothing convenient can do even as much verification.
I don't think we can solve anything cheaply (a Nixpkgs verification service checking upstream tarball consistency across time and source networks would be cool, but complicated, and still wouldn't be enough, in a sense), but maybe switching verification on is a cheap (small) net improvement.
|
Etalon fake hashes can be used as placeholders for all the places, where
Nix expression requires a hash, but we don't yet have one.
This should replace all current ways to do that:
echo|sha256sum
, copy into clipboard, go to editor, paste into previouslyedited place
editor, paste into previously edited place
Nix can add support for etalon fake hashes. In that case printed error should contain
only 1 hash, so no more problem "which of two hashes from error should I use?"
Idea by irc:Synthetica