investigate hashes appearing in fods being broken #409

New issue

Open

opened 2024-06-21 22:12:29 +00:00 by jade · 1 comment

jade commented

2024-06-21 22:12:29 +00:00

Owner

ostensibly embr found a regression here, and we should reproduce and look at it: 9cd2094bcf

ostensibly embr found a regression here, and we should reproduce and look at it: https://codeberg.org/gorgon/gorgon/commit/9cd2094bcfba486754c3ab6101d4b8d8fa785073

puck commented

2024-06-21 22:34:21 +00:00

Owner

It's a regression, but not one I'm very sure of how to fix sensibly. Some time after 2.3, Nix closed the soundness hole of allowing references for FOD store paths. This makes sense, as they aren't actually encoded in the store path, and as such are impurities. However, the zip being fetched contains the store path for builder.sh, which is not changed very often; and thus the hash of that store path collides with the hash of builder.sh used in nixpkgs' fetchurl and fetchzip.

A quick repro of the bug is as follows:

(import <nixpkgs> {}).fetchurl { url = "file:///${builtins.toFile "meow" "g0gn91m56b267ncx05w93kihyqia39cm"}"; }

It's a regression, but not one I'm very sure of how to fix sensibly. Some time after 2.3, Nix closed the soundness hole of allowing references for FOD store paths. This makes sense, as they aren't actually encoded in the store path, and as such are impurities. However, the zip being fetched contains the store path for `builder.sh`, which is not changed very often; and thus the hash of that store path collides with the hash of `builder.sh` used in nixpkgs' `fetchurl` and `fetchzip`. A quick repro of the bug is as follows: ```nix (import <nixpkgs> {}).fetchurl { url = "file:///${builtins.toFile "meow" "g0gn91m56b267ncx05w93kihyqia39cm"}"; } ```