authorAlyssa Ross <hi@alyssa.is>2023-10-31 22:19:45 +0100
committerAlyssa Ross <hi@alyssa.is>2023-10-31 22:19:45 +0100
commit78ba0c65b7bf9a64c12ca8c08f2e0220afdc8dbc (patch)
treefd9cfb92edfaa37c919be8d24063b8a6c6d94c83 /nixpkgs/pkgs/stdenv/generic
parent7e0c8fe656bbc2fcbdfc3e03a367d2c6ff389769 (diff)
parent0cbe9f69c234a7700596e943bfae7ef27a31b735 (diff)
Merge commit '0cbe9f69c234a7700596e943bfae7ef27a31b735' into HEAD
Diffstat (limited to 'nixpkgs/pkgs/stdenv/generic')
-rw-r--r--nixpkgs/pkgs/stdenv/generic/make-derivation.nix11
1 files changed, 11 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/stdenv/generic/make-derivation.nix b/nixpkgs/pkgs/stdenv/generic/make-derivation.nix
index beba687e788a..d235ffefaab4 100644
--- a/nixpkgs/pkgs/stdenv/generic/make-derivation.nix
+++ b/nixpkgs/pkgs/stdenv/generic/make-derivation.nix
@@ -165,6 +165,17 @@ let
 
 , ... } @ attrs:
 
+# Policy on acceptable hash types in nixpkgs
+assert attrs ? outputHash -> (
+  let algo =
+    attrs.outputHashAlgo or (lib.head (lib.splitString "-" attrs.outputHash));
+  in
+  if algo == "md5" then
+    throw "Rejected insecure ${algo} hash '${attrs.outputHash}'"
+  else
+    true
+);
+
 let
   # TODO(@oxij, @Ericson2314): This is here to keep the old semantics, remove when
   # no package has `doCheck = true`.
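Review bot: The `algo` binding in the added assert falls back to parsing `outputHash` only when `outputHashAlgo` is absent, because Nix's `or` does not trigger on an attribute that is present but `null` or `""`; in that case `algo` is not `"md5"` and an `md5-…` SRI hash passes the policy check. Selecting the explicit value only when it is non-empty closes this, e.g. `explicit = attrs.outputHashAlgo or null;` followed by `algo = if explicit != null && explicit != "" then explicit else lib.head (lib.splitString "-" attrs.outputHash);`. Splitting on `-` would also not recognise a prefixed `md5:…` form, if Nix still accepts that spelling here, and the comment promises a policy on acceptable hash types while the code denies exactly one, so an allowlist of the accepted algorithms would match the comment better. The enclosing function and `let` begin and end outside this hunk.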