fetchgit: add SRI hash support #79987
, rev ? "HEAD" | ||
|
||
, # SRI hash. | ||
hash ? "" |
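Review bot: the `# SRI hash.` comment on the new `hash ? ""` argument does not say what the hash is computed over or what leaving it at the `""` default does. State in the comment whether the value is checked against a flat file or against the NAR serialisation of the output, and describe the behaviour when it is empty, so callers do not have to read the implementation to find out.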
This should be called `narHash` for consistency with `builtins.fetchX` (NixOS/nix@d4df99a).
Should I rename it in 267c8d6 as well?
Yes, probably. We could also rename everything to `hash`, but that's ambiguous in functions that take both a file and a NAR hash...
Does it make sense to call it `narHash` if it can also be used for `outputHashMode = "flat"`? If I understand the docs correctly, hash of the NAR is only used for FOD when using `recursive` output hash mode.
> functions that take both a file and a NAR hash

I am not sure what you mean.
Alternately, we could use `outputHash` directly, as that is what gets passed to Nix in the end.
Since we are using SRI hashes, using `integrity` attribute name like in HTML might actually fit even better.
a63aed3 to d1d0961
Until the attribute name issue is clarified, I cherry-picked the
cc @edolstra I think it's really important we decide what the attribute for #79987 (comment) is going to be. There's already some stigma on base64 encoding and sri in nixpkgs #89423 #89423 and this is awfully difficult, for example, to explain to people that they can't use
@edolstra What attribute will we use for flat files then? And why do we need to distinguish between NAR hash and flat file hash by the checksum attribute? It could just be hidden inside the fetch functions and switched through
Flat file hashes are used in many places, e.g.
@edolstra I meant what attribute would we use for flat file hashes if we want to distinguish them from NAR hashes.
Including SRI hash support
to sync it with fetchgit
I agree with @jtojnar. Choosing between a file hash or a NAR hash seems like more of an implementation detail of the fetcher, rather than something that always needs to be specified by the package maintainer. I think if we required maintainers to declare it explicitly, it would cause a lot of confusion, especially for beginners. For example, this would use a file hash:

```nix
fetchurl {
  url = "https://releases.nixos.org/nix/nix-2.3.10/install";
  hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
}
```

But this would require a NAR hash:

```nix
fetchurl {
  url = "https://releases.nixos.org/nix/nix-2.3.10/install";
  executable = true;
  narHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
}
```
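The flat-file versus NAR distinction debated in this thread, as an added example that is not part of the original conversation or of nixpkgs: the same bytes produce different SRI strings depending on whether the file itself or its NAR serialisation is hashed, and the executable bit changes the NAR hash again. Function names and the sample script content are constructed for illustration.

```python
import base64
import hashlib
import struct


def nar_str(data: bytes) -> bytes:
    """NAR string framing: 64-bit little-endian length, bytes, zero-pad to 8."""
    pad = (8 - len(data) % 8) % 8
    return struct.pack("<Q", len(data)) + data + b"\0" * pad


def nar_of_file(contents: bytes, executable: bool = False) -> bytes:
    """NAR serialisation of a single regular file (no directories or symlinks)."""
    parts = [b"nix-archive-1", b"(", b"type", b"regular"]
    if executable:
        parts += [b"executable", b""]  # marker token followed by an empty string
    parts += [b"contents", contents, b")"]
    return b"".join(nar_str(p) for p in parts)


def sri(digest: bytes, algo: str = "sha256") -> str:
    """SRI form: '<algo>-<base64 of the raw digest>'."""
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def flat_hash(contents: bytes) -> str:
    """Hash of the file bytes themselves (outputHashMode = "flat")."""
    return sri(hashlib.sha256(contents).digest())


def nar_hash(contents: bytes, executable: bool = False) -> str:
    """Hash of the NAR serialisation (outputHashMode = "recursive")."""
    return sri(hashlib.sha256(nar_of_file(contents, executable)).digest())


if __name__ == "__main__":
    script = b"#!/bin/sh\necho hello\n"  # constructed sample input
    print("flat          ", flat_hash(script))
    print("NAR           ", nar_hash(script))
    print("NAR, exec bit ", nar_hash(script, executable=True))
    # The all-A placeholder used in the thread is the SRI of 32 zero bytes.
    print("placeholder   ", sri(bytes(32)))
```

A pinned hash therefore only verifies a download when the maintainer and the fetcher agree on which of these three values it is.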
I marked this as stale due to inactivity.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
support for hashes added in 5c2b1b6
Motivation for this change
Sync fetchgit's hash support with fetchurl's to add support for SRI hashes (introduced in 267c8d6).