author | nicoo <nicoo@mur.at> | 2023-09-14 16:45:25 +0000 |
---|---|---|
committer | nicoo <nicoo@mur.at> | 2023-10-25 23:14:15 +0000 |
commit | 87c22100a6892b864ff94476f2965a793d8e4282 (patch) | |
tree | 9aca9f12b053dad5a1ab29139db1bb640ee467f3 | |
parent | c8c3423a38e672dd2fd63e9ccfb372639a63ca27 (diff) | |
stdenv.mkDerivation: Reject MD5 hashes
While there is no fetcher or builder (in nixpkgs) that takes an `md5` parameter, for some inscrutable reason the nix interpreter accepts the following:

```nix
fetchurl {
  url = "https://www.perdu.com";
  hash = "md5-rrdBU2a35b2PM2ZO+n/zGw==";
}
```

Note that neither MD5 nor SHA1 is allowed by the syntax of SRI hashes.
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2311.section.md | 2 | ||||
-rw-r--r-- | pkgs/stdenv/generic/make-derivation.nix | 11 |
2 files changed, 13 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index bd0d74a8885..c3cb495498d 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -335,6 +335,8 @@
 
 - `services.kea.{ctrl-agent,dhcp-ddns,dhcp,dhcp6}` now use separate runtime directories instead of `/run/kea` to work around the runtime directory being cleared on service start.
 
+- `mkDerivation` now rejects MD5 hashes.
+
 ## Other Notable Changes {#sec-release-23.11-notable-changes}
 
 - The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index beba687e788..d235ffefaab 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -165,6 +165,17 @@ let
 , ...
 } @ attrs:
 
+# Policy on acceptable hash types in nixpkgs
+assert attrs ? outputHash -> (
+ let algo =
+ attrs.outputHashAlgo or (lib.head (lib.splitString "-" attrs.outputHash));
+ in
+ if algo == "md5" then
+ throw "Rejected insecure ${algo} hash '${attrs.outputHash}'"
+ else
+ true
+);
+
 let
 # TODO(@oxij, @Ericson2314): This is here to keep the old semantics, remove when
 # no package has `doCheck = true`.
|
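Review bot: The `or` fallback in the `algo` binding only fires when `outputHashAlgo` is missing from `attrs`, so a caller that passes `outputHashAlgo = null` together with an SRI-style `outputHash = "md5-…"` gets `algo == null` and the assertion passes. Whether any fetcher passes an explicit null is not visible in this hunk, so the `fetchurl { hash = "md5-…"; }` case from the commit message is worth covering with a test. A null-aware form would be `let algo = if (attrs.outputHashAlgo or null) != null then attrs.outputHashAlgo else lib.head (lib.splitString "-" attrs.outputHash);`. Splitting on `-` also would not recognise a colon-prefixed `md5:…` hash string, if the interpreter still accepts that form. The enclosing function starts before the hunk, so how `outputHashAlgo` is defaulted further down cannot be checked from here.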