Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fetchgit: add SRI hash support #79987

Closed
wants to merge 3 commits into from
Closed

fetchgit: add SRI hash support #79987

wants to merge 3 commits into from

Conversation

jtojnar
Copy link
Member

@jtojnar jtojnar commented Feb 13, 2020
edited
Loading

Motivation for this change

Sync fetchgit's hash support with fetchurl's to add support for SRI hashes (introduced in 267c8d6).

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

edolstra
edolstra reviewed Feb 13, 2020
View reviewed changes
pkgs/build-support/fetchgit/default.nix
, rev ? "HEAD"

, # SRI hash.
hash ? ""
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be called narHash for consistency with builtins.fetchX (NixOS/nix@d4df99a).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should I rename it in 267c8d6 as well?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, probably. We could also rename everything to hash, but that's ambiguous in functions that take both a file and a NAR hash...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense to call it narHash if it can also be used for outputHashMode = "flat"? If I understand the docs correctly, hash of the NAR is only used for FOD when using recursive output hash mode.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

functions that take both a file and a NAR hash

I am not sure what you mean.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alternately, we could use outputHash directly, as that is what gets passed to Nix in the end.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we are using SRI hashes, using integrity attribute name like in HTML might actually fit even better.

This was referenced Feb 14, 2020
Merged
Closed
This was referenced Feb 28, 2020
Merged
Merged
@jtojnar
Copy link
Member Author

jtojnar commented Mar 2, 2020

Until the attribute name issue is clarified, I cherry-picked the fetchpatch issue into #81564 since it is very annoying.

@jtojnar jtojnar marked this pull request as draft June 1, 2020 05:20
@worldofpeace worldofpeace mentioned this pull request Aug 17, 2020
Merged
10 tasks
@worldofpeace
Copy link
Contributor

cc @edolstra

I think it's really important we decide what the attribute for #79987 (comment) is going to be. There's already some stigma on base64 encoding and sri in nixpkgs #89423 #89423 and this is awfully difficult, for example, to explain to people that they can't use hash in fetchFromGitHub correctly because if they set fetchSubmodules = true the fetcher will be fetchgit which doesn't support hash yet...

@edolstra
Copy link
Member

narHash is probably best. hash can be misunderstood as a commit hash, and integrity doesn't say whether it's a NAR hash or a flat file hash.

@jtojnar
Copy link
Member Author

jtojnar commented Aug 17, 2020
edited
Loading

@edolstra What attribute will we use for flat files then?

And why do we need to distinguish between NAR hash and flat file hash by the checksum attribute? It could just be hidden inside the fetch functions and switched through outputHashMode as before.

@edolstra
Copy link
Member

Flat file hashes are used in many places, e.g. fetchurl.

@jtojnar
Copy link
Member Author

jtojnar commented Aug 17, 2020
edited
Loading

@edolstra I meant what attribute would we use for flat file hashes if we want to distinguish them from NAR hashes. fechurl currently uses sha256 for both and used a separate recursiveHash attribute as a switch between the two outputHashModes. So it does not say whether it's a NAR hash or a flat file hash any more that integrity would.

@jtojnar jtojnar mentioned this pull request Feb 8, 2021
Closed
10 tasks
@kira-bruneau kira-bruneau mentioned this pull request Feb 26, 2021
Merged
10 tasks
@kira-bruneau
Copy link
Contributor

kira-bruneau commented Feb 28, 2021
edited
Loading

I agree with @jtojnar. Choosing between a file hash or a NAR hash seems like more of an implementation detail of the fetcher, rather than something that always needs to be specified by the package maintainer. I think if we required maintainers to declare it explicitly, it would cause a lot of confusion, especially for beginners.

For example, this would use a file hash:

fetchurl {
  url = "https://releases.nixos.org/nix/nix-2.3.10/install";
  hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
}

But this would require a NAR hash:

fetchurl {
  url = "https://releases.nixos.org/nix/nix-2.3.10/install";
  executable = true;
  narHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
}

@jtojnar jtojnar mentioned this pull request Mar 15, 2021
Closed
@jtojnar jtojnar mentioned this pull request May 15, 2021
Merged
10 tasks
@samuelgrf samuelgrf mentioned this pull request Jul 4, 2021
Merged
11 tasks
@stale
Copy link

stale bot commented Aug 28, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Aug 28, 2021
@jtojnar jtojnar mentioned this pull request Jun 10, 2022
Merged
13 tasks
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/is-it-ok-to-ask-for-hash-attribute-and-sri-hash-when-reviewing-prs-that-update-packages/20493/3

@winterqt winterqt mentioned this pull request Oct 7, 2022
Closed
@Artturin
Copy link
Member

support for hashes added in 5c2b1b6

@Artturin Artturin closed this Dec 13, 2022
@Artturin Artturin deleted the fetchgit-sri branch April 7, 2023 16:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edolstra edolstra edolstra left review comments

@FRidh FRidh FRidh left review comments

@philiptaron philiptaron Awaiting requested review from philiptaron philiptaron will be requested when the pull request is marked ready for review philiptaron is a code owner

Assignees
No one assigned
Labels
2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: fetch 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@jtojnar @worldofpeace @edolstra @kira-bruneau @nixos-discourse @Artturin @FRidh @ryantm