author | Colin Arnott <colin@urandom.co.uk> | 2022-12-03 19:49:00 +0000 |
---|---|---|
committer | Colin Arnott <colin@urandom.co.uk> | 2022-12-04 06:12:18 +0000 |
commit | bac379f30a6fa1284e48b4224862e0b41ad42199 (patch) | |
tree | 0bad9b7cbe730a740ec027e19d34e1c237f058db /doc/contributing/coding-conventions.chapter.md | |
parent | 88ae5d08250e206aad599c1bb9692bd9b3dd54c2 (diff) | |

doc: use sri hash syntax

The nixpkgs manual contains references to both sri hash and explicit sha256 attributes. This is at best confusing to new users. Since the final destination is exclusive use of sri hashes, see nixos/rfcs#131, might as well push new users in that direction gently.

Notable exceptions to sri hash support are builtins.fetchTarball, cataclysm-dda, coq, dockerTools.pullimage, elixir.override, and fetchCrate. None, other than builtins.fetchTarball, are fundamentally incompatible, but all currently accept explicit sha256 attributes as input. Because adding backwards compatibility is out of scope for this change, they have been left intact, but migration to sri format has been made for any using old hash formats.

All hashes have been manually tested to be accurate, and updates were only made for missing upstream artefacts or bugs.

Diffstat (limited to 'doc/contributing/coding-conventions.chapter.md')
-rw-r--r-- | doc/contributing/coding-conventions.chapter.md | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/doc/contributing/coding-conventions.chapter.md b/doc/contributing/coding-conventions.chapter.md index a5f2ae2822f..d6f6cfe2358 100644 --- a/doc/contributing/coding-conventions.chapter.md +++ b/doc/contributing/coding-conventions.chapter.md @@ -426,9 +426,10 @@ In the file `pkgs/top-level/all-packages.nix` you can find fetch helpers, these ```nix src = fetchgit { + url = "git@github.com:NixOS/nix.git" url = "git://github.com/NixOS/nix.git"; rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae"; - sha256 = "1cw5fszffl5pkpa6s6wjnkiv6lm5k618s32sp60kvmvpy7a2v9kg"; + hash = "sha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ="; } ``` @@ -438,7 +439,7 @@ In the file `pkgs/top-level/all-packages.nix` you can find fetch helpers, these src = fetchgit { url = "https://github.com/NixOS/nix.git"; rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae"; - sha256 = "1cw5fszffl5pkpa6s6wjnkiv6lm5k618s32sp60kvmvpy7a2v9kg"; + hash = "sha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ="; } ``` 
@@ -449,14 +450,14 @@ In the file `pkgs/top-level/all-packages.nix` you can find fetch helpers, these owner = "NixOS"; repo = "nix"; rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae"; - sha256 = "1i2yxndxb6yc9l6c99pypbd92lfq5aac4klq7y2v93c9qvx2cgpc"; + hash = "ha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ=; } ``` When fetching from GitHub, commits must always be referenced by their full commit hash. This is because GitHub shares commit hashes among all forks and returns `404 Not Found` when a short commit hash is ambiguous. It already happens for some short, 6-character commit hashes in `nixpkgs`. It is a practical vector for a denial-of-service attack by pushing large amounts of auto generated commits into forks and was already [demonstrated against GitHub Actions Beta](https://blog.teddykatz.com/2019/11/12/github-actions-dos.html). -Find the value to put as `sha256` by running `nix-shell -p nix-prefetch-github --run "nix-prefetch-github --rev 1f795f9f44607cc5bec70d1300150bfefcef2aae NixOS nix"`. +Find the value to put as `hash` by running `nix-shell -p nix-prefetch-github --run "nix-prefetch-github --rev 1f795f9f44607cc5bec70d1300150bfefcef2aae NixOS nix"`. ## Obtaining source hash {#sec-source-hashes} @@ -519,7 +520,7 @@ patches = [ (fetchpatch { name = "fix-check-for-using-shared-freetype-lib.patch"; url = "http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=8f5d285"; - sha256 = "1f0k043rng7f0rfl9hhb89qzvvksqmkrikmm38p61yfx51l325xr"; + hash = "sha256-uRcxaCjd+WAuGrXOmGfFeu79cUILwkRdBu48mwcBE7g="; }) ]; ``` |
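
Review bot: In the first hunk (`@@ -426,9 +426,10 @@`) the added line `url = "git@github.com:NixOS/nix.git"` has no terminating semicolon and sits directly above the unchanged `url = "git://github.com/NixOS/nix.git";`. As written the `fetchgit` example does not parse, and with the semicolon added it would define `url` twice in the same attribute set. The commit message describes only a hash-syntax migration, so this addition looks unintended: drop it, or if the example is meant to show a different URL, replace the existing `url` line instead of adding a second one and say so in the commit message.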
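
Review bot: In the `fetchFromGitHub` hunk (`@@ -449,14 +450,14 @@`) the added `hash` line is malformed: the algorithm prefix reads `ha256-` instead of `sha256-`, and the closing double quote before the semicolon is missing, so the string never terminates and the documented example cannot be evaluated. Bring it in line with the form used in the two `fetchgit` hunks, `hash = "sha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ=";`. Separately, the `sha256` value removed here differs from the one removed in the `fetchgit` hunks, yet the replacement is the same string in all three; please state in the commit message whether this is one of the bug fixes it mentions, so a reader can tell the change in value was deliberate and verified against the `nix-prefetch-github` command quoted in the same hunk.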