[Nix-dev] fetchgit - why sha256 protection?
Marc Weber
marco-oweber at gmx.de
Mon Nov 19 07:11:46 CET 2012
Isn't it enough to depend on the git hash value, e.g.
fetchgit { git_hash = "xxx"; url = "yyy"; }
Is compromising a git repository (even using shallow clones) that much
easier than compromising a .tar.* file protected by sha256?
In any case you have to find a hash collision.
A lot of foreign tools (e.g. bundler for ruby) just store the url and the
hash. Packaging github like projects would be a lot easier if passing a
hash would be enough.
Marc Weber
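As an added illustration of the question above (example code, not part of the post or of Nix), this computes a git commit id the way git does, as a SHA-1 chain over commit, tree and blob objects, so a pinned commit id does fix the checked-out content, and beside it a sha256 over the content alone as the analogue of fetchgit's sha256 attribute. The file names, contents and author line are constructed.

```python
import hashlib
from typing import Dict

def git_object_id(kind: str, body: bytes) -> str:
    """Git object id: SHA-1 over '<kind> <size>\\0' + body (loose-object format)."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def blob_id(data: bytes) -> str:
    return git_object_id("blob", data)

def tree_id(files: Dict[str, bytes]) -> str:
    """Tree object for a flat directory of regular files (mode 100644), sorted by name.
    Each entry embeds the raw 20-byte blob id, so the tree id depends on every file's bytes."""
    body = b""
    for name in sorted(files):
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)

def commit_id(files: Dict[str, bytes], message: str, author: str) -> str:
    """Root commit (no parent). Its id covers the tree id plus author/committer/message."""
    body = (f"tree {tree_id(files)}\n"
            f"author {author}\n"
            f"committer {author}\n\n{message}").encode()
    return git_object_id("commit", body)

def content_sha256(files: Dict[str, bytes]) -> str:
    """SHA-256 over the checked-out content only, independent of git metadata and of
    git's hash algorithm; this is the role a separate sha256 output hash plays."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + files[name] + b"\0")
    return h.hexdigest()

# Constructed sample repository contents and a tampered variant of one file.
REPO = {"README": b"hello\n", "default.nix": b"{ }\n"}
TAMPERED = dict(REPO, **{"default.nix": b"{ changed = true; }\n"})
AUTHOR = "A U Thor <author@example.com> 1353305506 +0100"

if __name__ == "__main__":
    print("commit  ", commit_id(REPO, "initial", AUTHOR))
    print("tampered", commit_id(TAMPERED, "initial", AUTHOR))  # differs: tree id changed
    print("sha256  ", content_sha256(REPO))
    # Same content with a different commit message: commit id changes, content hash does not.
    print("reworded", commit_id(REPO, "initial (reworded)", AUTHOR), content_sha256(REPO))
```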