[Nix-dev] fetchgit - why sha256 protection?
Nicolas Pierron
nicolas.b.pierron at gmail.com
Mon Nov 19 07:25:27 CET 2012
On Sun, Nov 18, 2012 at 10:24 PM, Nicolas Pierron
<nicolas.b.pierron at gmail.com> wrote:
> On Sun, Nov 18, 2012 at 10:11 PM, Marc Weber <marco-oweber at gmx.de> wrote:
>> Isn't it enough to depend on the git's hash value, eg
>>
>> fetchgit { git_hash = "xxx"; url = "yyy"; }
>>
>> Is compromising a git repository (even using shallow clones) that much
>> easier than compromising a .tar.* file protected by sha256?
>
> That would be better because there is no trivial way to check the
> sha256 when making the Nix expression.
> How does git distinguish a branch named after a revision?
We should also enforce that provided hashes have all digits, to
prevent an easier attack.
--
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/