[Nix-dev] fetchgit - why sha256 protection?
Michael Raskin
7c6f434c at mail.ru
Mon Nov 19 17:49:08 CET 2012
>Of course running nix-prefetch-git is an option, however checking
>whether a store path representing { url = ..; hash = .. } already exists
>is harder. If you run nix-prefetch-git twice it will fetch twice
>(waste). I haven't looked for options.
nix-store --check-validity $(nix-store -q --outputs $(nix-instantiate expression.nix -A src))
?
Also, I do use fresh checkouts as src for various Nix expressions. I
just added a repository set to chroot-accessible locations and do what
you say (telling only git hashes to Nix).
>If nix could handle this, I could just create a .nix file and I'd always
>get what I want: the source - if it exists I would not have to bother at
>all.
>So comment on whether you see huge security risks using git url and
>git's hash only.
It is not so much security risks as it is about special case being a
separate source of bugs.
More information about the nix-dev
mailing list