[Nix#8982] Nix accepts invalid SRI hashes (MD5 and SHA-1) #114
Reference: lix-project/lix#114
Upstream-Issue: NixOS/nix#8982
Describe the bug

Nix accepts outputHash values that resemble the SRI hash format but use invalid hash-algo values, such as md5 or sha1. (hash-algo referring to the term in the SRI grammar)

Steps To Reproduce

Evaluate the following expressions:

Expected behavior

Nix should error out, probably with something like « 'md5' is not an SRI hash algorithm. »

nix-env --version output

nix-env (Nix) 2.17.0

Additional context

hash-algo and base64-value, as used in its grammar. In turn, the CSP spec defines hash-algo to be one of sha256, sha384 or sha512.

Priorities
Add 👍 to issues you find important.
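A strict parser of the kind the expected behaviour describes, as an added example that is not code from Nix, Lix or the issue author: it accepts only the three hash-algo values named above and checks that the decoded digest has the matching length. The names parseSri and decodeBase64 are hypothetical, and SRI options after the digest are not handled.

```cpp
#include <cstddef>
#include <map>
#include <string>

// Added example: parseSri and decodeBase64 are hypothetical names, not Nix APIs.
// Strict base64 decoder: standard alphabet, mandatory padding, no whitespace.
static bool decodeBase64(const std::string& in, std::string& out) {
    static const std::string alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (in.empty() || in.size() % 4 != 0) return false;
    std::size_t pad = (in[in.size() - 1] == '=') + (in[in.size() - 2] == '=');
    unsigned buf = 0;
    int bits = 0;
    out.clear();
    for (std::size_t i = 0; i < in.size() - pad; i++) {
        std::size_t pos = alphabet.find(in[i]);
        if (pos == std::string::npos) return false;  // also rejects a stray '='
        buf = (buf << 6) | static_cast<unsigned>(pos);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<char>((buf >> bits) & 0xff));
        }
    }
    return true;
}

// Parse "<hash-algo>-<base64-value>". Only sha256, sha384 and sha512 pass;
// md5 and sha1 are rejected by name before the digest is even decoded.
bool parseSri(const std::string& s, std::string& algo, std::string& digest,
              std::string& err) {
    static const std::map<std::string, std::size_t> digestSize = {
        {"sha256", 32}, {"sha384", 48}, {"sha512", 64}};
    std::size_t dash = s.find('-');
    if (dash == std::string::npos) {
        err = "not in '<hash-algo>-<base64-value>' form";
        return false;
    }
    algo = s.substr(0, dash);
    auto it = digestSize.find(algo);
    if (it == digestSize.end()) {
        err = "'" + algo + "' is not an SRI hash algorithm";
        return false;
    }
    if (!decodeBase64(s.substr(dash + 1), digest) || digest.size() != it->second) {
        err = "invalid base64 digest for " + algo;
        return false;
    }
    return true;
}
```

The length check matters as much as the name check: a 16-byte MD5 digest relabelled as sha256 is rejected too.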
We don't think these have any usage, even though they are in principle accepted. Nixpkgs rejects them, for instance:
1cabb1c445/pkgs/test/stdenv/default.nix (L145-L152)
This issue was mentioned on Gerrit on the following CLs:
Revert in https://gerrit.lix.systems/c/lix/+/2148