Commit 87c22100 authored by nicoo's avatar nicoo
Browse files

stdenv.mkDerivation: Reject MD5 hashes 

While there is no fetcher or builder (in nixpkgs) that takes an `md5` parameter,
for some inscrutable reason the nix interpreter accepts the following:
```nix
fetchurl {
  url = "https://www.perdu.com";
  hash = "md5-rrdBU2a35b2PM2ZO+n/zGw==";
}
```

Note that neither MD5 nor SHA1 are allowed by the syntax of SRI hashes.
parent c8c3423a

nixos/doc/manual/release-notes/rl-2311.section.md

+2 −0
Original line number Diff line number Diff line
@@ -335,6 +335,8 @@ 


- `services.kea.{ctrl-agent,dhcp-ddns,dhcp,dhcp6}` now use separate runtime directories instead of `/run/kea` to work around the runtime directory being cleared on service start.



- `mkDerivation` now rejects MD5 hashes.



## Other Notable Changes {#sec-release-23.11-notable-changes}



- The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.

pkgs/stdenv/generic/make-derivation.nix

+11 −0
Original line number Diff line number Diff line
@@ -165,6 +165,17 @@ let 


, ... } @ attrs:



# Policy on acceptable hash types in nixpkgs

assert attrs ? outputHash -> (

  let algo =

    attrs.outputHashAlgo or (lib.head (lib.splitString "-" attrs.outputHash));

  in

  if algo == "md5" then

    throw "Rejected insecure ${algo} hash '${attrs.outputHash}'"

  else

    true

);



let

  # TODO(@oxij, @Ericson2314): This is here to keep the old semantics, remove when

  # no package has `doCheck = true`.