Merge pull request #255150 from nbraud/throw-md5-into-the-Sun
stdenv.mkDerivation: Reject MD5 in outputHash
commit
d8bb0bda47
@ -335,6 +335,8 @@
|
||||
|
||||
- `services.kea.{ctrl-agent,dhcp-ddns,dhcp,dhcp6}` now use separate runtime directories instead of `/run/kea` to work around the runtime directory being cleared on service start.
|
||||
|
||||
- `mkDerivation` now rejects MD5 hashes.
|
||||
|
||||
## Other Notable Changes {#sec-release-23.11-notable-changes}
|
||||
|
||||
- The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.
|
||||
|
@ -165,6 +165,17 @@ let
|
||||
|
||||
, ... } @ attrs:
|
||||
|
||||
# Policy on acceptable hash types in nixpkgs
|
||||
assert attrs ? outputHash -> (
|
||||
let algo =
|
||||
attrs.outputHashAlgo or (lib.head (lib.splitString "-" attrs.outputHash));
|
||||
in
|
||||
if algo == "md5" then
|
||||
throw "Rejected insecure ${algo} hash '${attrs.outputHash}'"
|
||||
else
|
||||
true
|
||||
);
|
||||
|
||||
let
|
||||
# TODO(@oxij, @Ericson2314): This is here to keep the old semantics, remove when
|
||||
# no package has `doCheck = true`.
|
||||
|
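Review bot: The fallback in `algo` only runs when `outputHashAlgo` is absent, because Nix's `or` covers a missing attribute but not one that is present and set to `null`. A caller that passes `outputHashAlgo = null` alongside an SRI `outputHash` (some fetchers may do this; worth checking) leaves `algo` as `null`, so the `md5` comparison never matches. Testing the value rather than the presence closes that gap: `let algo = if (attrs.outputHashAlgo or null) != null then attrs.outputHashAlgo else lib.head (lib.splitString "-" attrs.outputHash);`. Splitting on `-` also assumes the SRI spelling, so if Nix still accepts a colon-prefixed `md5:…` string in `outputHash`, that form would pass too; confirm and, if so, handle both separators. The assert sits in a function body that starts and ends outside the hunk.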
@ -142,6 +142,15 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
# Check that mkDerivation rejects MD5 hashes
|
||||
rejectedHashes = lib.recurseIntoAttrs {
|
||||
md5 =
|
||||
let drv = runCommand "md5 outputHash rejected" {
|
||||
outputHash = "md5-fPt7dxVVP7ffY3MxkQdwVw==";
|
||||
} "true";
|
||||
in assert !(builtins.tryEval drv).success; {};
|
||||
};
|
||||
|
||||
test-inputDerivation = let
|
||||
inherit (stdenv.mkDerivation {
|
||||
dep1 = derivation { name = "dep1"; builder = "/bin/sh"; args = [ "-c" ": > $out" ]; system = builtins.currentSystem; };
|
||||
|
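Review bot: The `md5` case under `rejectedHashes` passes on any evaluation failure, because `!(builtins.tryEval drv).success` cannot tell the new `throw` apart from an unrelated error while evaluating the `runCommand` call. It also exercises only the SRI-prefix branch of the check. A sibling case that sets `outputHashAlgo = "md5";` with a bare digest would cover the other branch. A control such as `assert (builtins.tryEval okDrv).success;`, where `okDrv` is an illustrative name for the same derivation with a non-MD5 hash, would show that the failure really comes from the hash policy. The enclosing attribute set starts and ends outside the hunk.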