[Nix-dev] fetchgit - why sha256 protection?

Michael Raskin 7c6f434c at mail.ru
Mon Nov 19 17:49:08 CET 2012


>Of course running nix-prefetch-git is an option, however checking
>whether a store path representing { url = ..; hash = .. } already exists
>is harder. If you run nix-prefetch-git twice it will fetch twice
>(waste). I haven't looked for options.

nix-store --check-validity $(nix-store -q --outputs $(nix-instantiate expression.nix -A src))
?

Also, I do use fresh checkouts as src for various Nix expressions. I 
just added a repository set to chroot-accessible locations and do what
you say (telling only git hashes to Nix).

>If nix could handle this, I could just create a .nix file and I'd always
>get what I want: the source - if it exists I would not have to bother at
>all.

>So comment on whether you see huge security risks using git url and
>git's hash only.

It is not so much about security risks as it is about a special case being a
separate source of bugs.
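The one-liner above, expanded into a small script so the "check before prefetching" step can be run as a whole. This is an added example, not code from the list post or from Nixpkgs; it assumes an `expression.nix` that exposes a `fetchgit` result under the attribute `src`, and the `NIX_INSTANTIATE`, `NIX_STORE` and `NIX_PREFETCH_GIT` override variables are my own addition so the control flow can be exercised with stub commands where Nix is not installed.

```shell
#!/bin/sh
# Added example (not from the list post). Check whether the fixed-output
# "src" derivation of an expression already has a valid store path before
# running nix-prefetch-git, so an existing checkout is never fetched twice.
# Assumption: expression.nix exposes a fetchgit result under attribute "src".
# The NIX_* variables are an assumption of this script, not a Nix convention;
# they default to the real tools and let the logic be exercised with stubs.

: "${NIX_INSTANTIATE:=nix-instantiate}"
: "${NIX_STORE:=nix-store}"
: "${NIX_PREFETCH_GIT:=nix-prefetch-git}"

# Print the output store path of <expr> -A <attr>.
# nix-instantiate only writes the .drv; nothing is built or fetched here.
src_out_path() {
    expr=$1; attr=$2
    drv=$("$NIX_INSTANTIATE" "$expr" -A "$attr") || return 1
    "$NIX_STORE" -q --outputs "$drv"
}

# Exit 0 if that output path is already valid in the store, 1 otherwise.
# --check-validity exits non-zero (and complains on stderr) for an
# invalid path, which is exactly the signal we want.
src_is_cached() {
    out=$(src_out_path "$1" "$2") || return 1
    "$NIX_STORE" --check-validity "$out" >/dev/null 2>&1
}

# Fetch only when needed. Prints "cached" when the store already holds the
# checkout, otherwise runs nix-prefetch-git once and prints "fetched <url>".
ensure_src() {
    expr=$1; attr=$2; url=$3
    if src_is_cached "$expr" "$attr"; then
        echo cached
    else
        "$NIX_PREFETCH_GIT" "$url" >/dev/null && echo "fetched $url"
    fi
}
```

Usage: `ensure_src expression.nix src https://example.invalid/repo.git` (the URL is a placeholder). The sha256 in the expression is what makes the first step meaningful: the store path is derived from the fixed output hash, so a valid path means the content Nix will hand to the build is already known, without a second network round trip.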
