stdenv.mkDerivation: Reject MD5 hashes
While there is no fetcher or builder (in nixpkgs) that takes an `md5` parameter, for some inscrutable reason the nix interpreter accepts the following:

```nix
fetchurl {
  url = "https://www.perdu.com";
  hash = "md5-rrdBU2a35b2PM2ZO+n/zGw==";
}
```

Note that neither MD5 nor SHA1 are allowed by the syntax of SRI hashes.
parent c8c3423a38
commit 87c22100a6
@ -335,6 +335,8 @@
- `services.kea.{ctrl-agent,dhcp-ddns,dhcp,dhcp6}` now use separate runtime directories instead of `/run/kea` to work around the runtime directory being cleared on service start.
- `mkDerivation` now rejects MD5 hashes.
## Other Notable Changes {#sec-release-23.11-notable-changes}
- The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.
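Review bot: the new release-note entry "`mkDerivation` now rejects MD5 hashes." does not say which inputs trigger the rejection or what a user should do about it. Consider naming the affected attributes (`outputHashAlgo = "md5"` or an `outputHash` with an `md5-` prefix), stating that evaluation now fails with a thrown error, and pointing users to re-hash the source with a supported algorithm.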
@ -165,6 +165,17 @@ let
, ... } @ attrs:
# Policy on acceptable hash types in nixpkgs
assert attrs ? outputHash -> (
let algo =
attrs.outputHashAlgo or (lib.head (lib.splitString "-" attrs.outputHash));
in
if algo == "md5" then
throw "Rejected insecure ${algo} hash '${attrs.outputHash}'"
else
true
);
let
# TODO(@oxij, @Ericson2314): This is here to keep the old semantics, remove when
# no package has `doCheck = true`.
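Review bot: the `algo` binding in the new assert only falls back to the `outputHash` prefix when `outputHashAlgo` is absent, because `or` on an attribute selection does not apply to an attribute that is present but set to `null` or `""`. A caller that passes `outputHashAlgo = null` together with `outputHash = "md5-..."` would get `algo == null`, the comparison with `"md5"` would be false, and the assert would pass. Consider treating a null or empty `outputHashAlgo` as missing before comparing. The `lib.splitString "-"` fallback also only recognises the SRI-style prefix, so a value written as `md5:<hex>` would not match if that form can reach this assert. A short comment on the "Policy on acceptable hash types" line stating which spellings are meant to be covered would help future edits.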