[RFC 0131] Enforce the usage of SRI hashes in Nixpkgs #131
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| --- | ||
| feature: sri-hashes | ||
| start-date: 2022-07-25 | ||
| author: Winter | ||
| co-authors: (find a buddy later to help out with the RFC) | ||
| shepherd-team: (names, to be nominated and accepted by RFC steering committee) | ||
| shepherd-leader: (name to be appointed by RFC steering committee) | ||
| related-issues: (will contain links to implementation PRs) | ||
| --- | ||
|
|
||
| # Summary | ||
| [summary]: #summary | ||
|
|
||
| Use SRI hashes and the `hash` parameter for fetchers. | ||
|
|
||
| # Motivation | ||
| [motivation]: #motivation | ||
|
|
||
| Currently in Nixpkgs, the hash formats that are used in parameters to fetchers range from SRI and base-32 (the most common ones) to hex. In addition to this, packages use the algorithm-specific arguments (`sha256`, `sha512`, etc.) or the generic `hash` argument at random. This creates inconsistencies that we'd rather not have. | ||
|
There was a problem hiding this comment. Subresource Integrity, whose hashes look like There was a problem hiding this comment.
Why? This is not a motivation, just a claim. Using the different hash encodings genuinely has value, for example I frequently just copy over the base16 hash from a There was a problem hiding this comment. I think a link to what SRI is in the RFC would be good to have. I also didn't know what SRI was. There was a problem hiding this comment.
I agree with this point, but at the same time most people use either the SRI hashes given by Nix's hash mismatch errors (which I now realize is only in 2.4), or convert those to base-32 (the default in 2.3 and below). There was a problem hiding this comment. @vojta001 That's why these interfaces tend to have an
Well that's actually a very good point: There is no stable interface for converting hashes into the SRI format, because There was a problem hiding this comment.
no need to convert the hash to base64 SRI hashes only require a prefix: {
sha256 = "1cc9110705165dc09dd09974dd7c0b6709c9351d6b6b1cef5a711055f891dd0f";
sha256 = "sha256-1cc9110705165dc09dd09974dd7c0b6709c9351d6b6b1cef5a711055f891dd0f";
hash = "sha256-1cc9110705165dc09dd09974dd7c0b6709c9351d6b6b1cef5a711055f891dd0f";
}base16 hashes are found with
sha256 is de-facto standard in nixpkgs, There was a problem hiding this comment.
MD5 was de facto standard no more than a decade ago. Also, this was not about "good enough algorithms", but about a better format for the expression - namely, There was a problem hiding this comment.
@winterqt could you add something more specific here, considering this is the whole motivation for the RFC? The discussion above has brought up some more points:
There was a problem hiding this comment. @milahu: conversion would be needed because SRI is currently only accepting base64. However, it would be relatively easy to change: NixOS/nixpkgs#199660 |
||
|
|
||
| # Detailed design | ||
| [design]: #detailed-design | ||
|
|
||
| 1. Require all new packages to use SRI hashes + `hash` when possible | ||
| 2. Do a treewide migration for the majority of cases (single fetcher in `src`, using a fetcher that supports `hash` and SRI hashes (`fetchFromGitHub`, `fetchurl`, etc.)) to `hash` + SRI hashes | ||
|
|
||
| # Drawbacks | ||
| [drawbacks]: #drawbacks | ||
|
|
||
| - Some fetchers still don't support SRI hashes (i.e. [`fetchgit`](https://github.com/NixOS/nixpkgs/pull/79987), which is blocked due to [this discussion](https://github.com/NixOS/nixpkgs/pull/79987#discussion_r378735698) not being resolved) | ||
winterqt marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| # Alternatives | ||
| [alternatives]: #alternatives | ||
|
|
||
| - Do nothing: further inconsistencies will continue to be introduced | ||
|
There was a problem hiding this comment. I think there are a number of alternatives. Different rules can be considered. For each of the following formats it could be decided to allow/disallow/preferred:
I've gathered there are a number of ways these rules can be 'enforced':
There was a problem hiding this comment.
I'm mentioning this option, as at the moment PRs are being reviewed where the reviewers suggest their own 'opinion' on the matter; even though there is no real rule. One outcome of this RFC could be to just let it be. |
||
|
|
||
| # Unresolved questions | ||
| [unresolved]: #unresolved-questions | ||
|
|
||
| - How can we do the treewide migration efficently? | ||
| - Text replacement for the majority of cases, with an AST-based solution for others? | ||
| - Do we want to eventually deprecate the use of `sha256`, `sha512`, etc. in fetchers that support SRI hashes, leading to their eventual removal? | ||
|
There was a problem hiding this comment. We can deprecate them without removing them. |
||
| - This would require updating every script that uses these arguments, and would cause breakage for any usage of them out-of-tree; we'd need to weigh the benefits of this | ||
|
|
||
| # Future work | ||
| [future]: #future-work | ||
|
|
||
| Currently none. | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"SRI hash" needs a reference link with a definition and globally this RFC needs some more context to be explained.
FWIW, since I became aware that this kind of hash was preferred, I have tried to use them more systematically, but I'm annoyed by
nix-prefetch-urlnot generating this type of hash (at least all the way to Nix 2.12) and not knowing how to convert a hash generated bynix-prefetch-urlinto an SRI hash.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI, for conversion I'm using
EDIT: or you could use
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! But another thing that is becoming annoying to me lately is to be forced to activate the
nix-commandexperimental feature for more and more basic things that I cannot avoid.Another solution that I've found meanwhile was
openssl dgst -sha256 -binary /path/to/file | openssl base64 -A, but it's not as convenient.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would rather view it as a missing feature of
nix-hashthat needs to be implemented to get this RFC merged. In other words, we should haveand
Update: I just created NixOS/nix#7690. Please take a look.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! And thanks to you, I also learned that, in the meantime, I can use
nix --extra-experimental-features nix-command file to-sri --type sha256 .... I didn't realize that I don't need to activate the experimental feature globally, and this is already better than nothing.