
Get rid of md5 support for fixed-output derivations #4491

@domenkozar

Description


We're in 2014 and even universities have a course where students forge md5 hashes of files.

The biggest usage of md5 hashes in nixpkgs is python, followed by libreoffice (scripted install).

$ git grep "md5 ="|grep -v libreoffice | grep -v python-|grep -v redhat|grep -v suse|wc -l
141

$ git grep "md5 =" pkgs/top-level/python-packages.nix | wc -l
273

Observations:

nix-prefetch- should print out multiple hashes, together with fetch functions supporting and verifying all of the specified hashes

Q/A:

it is considered best practice to use it when that's what upstream provides

That's a very bad security practice. It trades user security for a few seconds of maintainer time.

TODO

  • libreoffice uses md5 during generation
  • pkgs/games/steam/runtime-generated.nix uses md5 during generation
  • 91 other derivations
  • deprecate md5 support
  • revert 2ca8833
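The observation above proposes two things: a prefetch tool that prints several hashes at once, and fetch functions that verify every hash a derivation declares while no longer accepting md5 on its own. The following Python sketch is an added example written for this page; it is not nixpkgs code and does not reproduce how `fetchurl` or `nix-prefetch-url` actually behave. The policy constants, the function names `prefetch_hashes` and `verify_fixed_output`, and the sample byte string are all assumptions made for the illustration.

```python
import hashlib

# Policy for this example (an assumption modelled on the issue's proposal,
# not on nixpkgs' real fetch functions): every declared hash must match,
# and at least one declared hash must come from a non-deprecated algorithm.
STRONG_ALGORITHMS = frozenset({"sha256", "sha512"})
DEPRECATED_ALGORITHMS = frozenset({"md5"})


def prefetch_hashes(data: bytes) -> dict:
    """Mimic a prefetch tool that prints several strong hashes at once,
    so a maintainer can paste a sha256/sha512 instead of an upstream md5."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in sorted(STRONG_ALGORITHMS)}


def verify_fixed_output(data: bytes, expected: dict) -> list:
    """Check downloaded bytes against every declared hash.

    expected maps algorithm name -> hex digest, e.g. {"sha256": "...", "md5": "..."}.
    Returns the sorted list of strong algorithms that were declared (and matched).
    Raises ValueError when any hash mismatches, an algorithm is unsupported, or
    only deprecated hashes (md5) were declared.
    """
    algorithms = set(expected)
    unsupported = algorithms - STRONG_ALGORITHMS - DEPRECATED_ALGORITHMS
    if unsupported:
        raise ValueError(f"unsupported hash algorithm(s): {sorted(unsupported)}")
    strong = algorithms & STRONG_ALGORITHMS
    if not strong:
        raise ValueError("only deprecated hashes declared; add a sha256 or sha512")
    # Verify all of them: a correct md5 next to a wrong sha256 is still a failure,
    # so an attacker cannot satisfy the check by matching the weak hash alone.
    mismatched = []
    for alg, digest in expected.items():
        actual = hashlib.new(alg, data).hexdigest()
        if actual != digest.strip().lower():
            mismatched.append(alg)
    if mismatched:
        raise ValueError(f"hash mismatch for {sorted(mismatched)}")
    return sorted(strong)


if __name__ == "__main__":
    # Constructed sample "download": a short byte string standing in for a tarball.
    sample = b"constructed sample tarball contents\n"
    declared = prefetch_hashes(sample)
    print("prefetch output:", declared)
    print("verified with:", verify_fixed_output(sample, declared))
    try:
        verify_fixed_output(sample, {"md5": hashlib.md5(sample).hexdigest()})
    except ValueError as err:
        print("rejected:", err)
```

Run stand-alone, the script prints the sha256 and sha512 of the constructed sample, verifies the sample against both, and then shows that an md5-only declaration is refused even though its digest is correct. Keeping md5 as an optional extra hash while requiring a strong one gives a migration path for the 91 derivations listed in the TODO: maintainers can add a sha256 beside the existing md5 first and drop the md5 later.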

Metadata

Labels

  • 0.kind: enhancement (Add something new or improve an existing system.)
  • 1.severity: blocker (This is preventing another PR or issue from being completed)
  • 1.severity: security (Issues which raise a security issue, or PRs that fix one)
  • 3.skill: sprintable (A larger issue which is split into distinct actionable tasks)
  • 6.topic: python (Python is a high-level, general-purpose programming language.)
