New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bye bye MD5 #22101
Bye bye MD5 #22101
Conversation
This was pointing to a broken upstream URL and is a beta release. No dependent in the nixpkgs tree.
libjpeg62 is broken as well
This package has broken upstream url and was only used by warsow
The package is a java library that no other project is using and which upstream source doesn't work. See http://www.program-transformation.org/Tools/JJTraveler
The package is broken since September, doesn't have a maintainer and uses md5 for hashing
The package has: * broken source URL * uses md5 hash * no maintainer * is a library with nobody depending on it
Unfortunately the upstream has gone and I didn't find any replacement sources.
Can we actively prevent people from using md5 going forward? |
Yes we can put an assert in fetch*. Probably a good idea now… Do we want
to allow overriding the assert with a special parameter? Is there
a reason not to block MD5?
|
This PR does a bit more than remove md5... Looks good to me though. |
Yes I can add a commit for that. Recently we had a MD5 usage warning on
fetchurl but it was reverted because it generated too much noise. I suppose
that now it can be adapted and re-introduced.
…On Tue, 24 Jan 2017, 18:03 Michael Raskin, ***@***.***> wrote:
Yes we can put an assert in fetch*. Probably a good idea now… Do we want
to allow overriding the assert with a special parameter? Is there
a reason not to block MD5?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#22101 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAAMsKmD-Jk8g4AUqCWRD0_py-Ei1JlQks5rVjzpgaJpZM4LshY8>
.
|
I'd say we assert on MD5 without an escape hatch and add it to the 17.03 release notes; if someone really wants to use MD5 they can patch nixpkgs themselves. I also think it's be nice to remove MD5 from Nix itself. |
@edolstra was saying that it might be nice to leave md5 in Nix itself to be
able to evaluate old nixpkgs. I'd prefer to hide it behind an opt-in flag
but don't feel too strongly about it.
…On Tue, Jan 24, 2017 at 13:57 Aneesh Agrawal ***@***.***> wrote:
I'd say we assert on MD5 without an escape hatch and add it to the 17.03
release notes; if someone really wants to use MD5 they can patch nixpkgs
themselves.
I also think it's be nice to remove MD5 from Nix itself.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#22101 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAAKPyik1R9Ku3M11ibEWB8j_I53FN65ks5rVkmmgaJpZM4LshY8>
.
|
@@ -40,22 +40,6 @@ let | |||
''; | |||
}; | |||
|
|||
mkDictFromRedIRIS = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for future references: https://github.com/LibreOffice/dictionaries
@@ -59,5 +59,6 @@ stdenv.mkDerivation rec { | |||
license = licenses.unfreeRedistributable; | |||
maintainers = with maintainers; [ astsmtl ]; | |||
platforms = platforms.linux; | |||
broken = true; # Depends on a specific old libjpeg version |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @astsmtl
Motivation for this change
This PR removes all remaining usage of MD5 as a source hash.
I'm being a bit drastic in some cases
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)