ofborg icon indicating copy to clipboard operation
ofborg copied to clipboard

Published 20 hours ago verified publisher icon NixOS

Detect url/sha256 mismatch

Open cyounkins opened this issue 1 year ago • 2 comments

If a maintainer updates a version (and thus the URL) but fails to update the sha256, all tests will pass. Is there any way we can detect this?

Example: https://github.com/NixOS/nixpkgs/pull/215890

See also #429

cyounkins avatar Jul 09 '23 00:07 cyounkins

Detecting this is not that trivial and should be caught in review.

SuperSandro2000 avatar Jul 09 '23 20:07 SuperSandro2000

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/bootstrap-files-updates-amplifiy-exploit-of-any-package-into-exploit-of-every-package/50534/5

nixos-discourse avatar Aug 13 '24 11:08 nixos-discourse