diff --git a/doc/coding-conventions.xml b/doc/coding-conventions.xml
index 88ce6281a253..d2c7a1baae9c 100644
--- a/doc/coding-conventions.xml
+++ b/doc/coding-conventions.xml
@@ -814,7 +814,7 @@ args.stdenv.mkDerivation (args // {
There are multiple ways to fetch a package source in nixpkgs. The general
- guideline is that you should package sources with a high degree of
+ guideline is that you should package reproducible sources with a high degree of
availability. Right now there is only one fetcher which has mirroring
support and that is fetchurl. Note that you should also
prefer protocols which have a corresponding proxy environment variable.
@@ -883,7 +883,7 @@ src = fetchFromGitHub {
Preferred source hash type is sha256. There are several ways to get it.
-
+
Prefetch URL (with nix-prefetch-XXX
@@ -903,7 +903,7 @@ src = fetchFromGitHub {
This works well when you've upgraded existing package version and want to
- find out new hash, but is useless if package doesn't have top-level
+ find out new hash, but is useless if package can't be accessed by
attribute or package has multiple sources (.srcs,
architecture-dependent sources, etc).
@@ -919,7 +919,7 @@ src = fetchFromGitHub {
A little nuance is that nix-prefetch-* tools produce
hash encoded with base32, but upstream usually provides
hexadecimal (base16) encoding. Fetchers understand both
- formats. Nixpkgs doesn't stadartize on any one format.
+ formats. Nixpkgs does not standardize on any one format.
You can convert between formats with nix-hash, for example:
@@ -941,40 +941,56 @@ $ nix-hash --type sha256 --to-base32 HASH
correct hash from error Nix prints.
- You can use lib.fakeSha256,
- lib.fakeSha512 or any other fake hash for this purpose.
+ For package updates it is enough to change one symbol to make hash fake.
+ For new packages, you can use lib.fakeSha256,
+ lib.fakeSha512 or any other fake hash.
+
+
This is last resort method when reconstructing source URL is non-trivial
and nix-prefetch-url -A isn't applicable (for example,
one of kodi dependencies). The easiest way then
would be replace hash with a fake one and rebuild. Nix build will fail and
- error message will contain wanted hash.
+ error message will contain desired hash.
+ This method has security problems. Check below for details.
-
+
Obtaining hashes securely
-
- From security point of view first four methods are most secure.
- nix-prefetch-url does verify TLS certificates for
- https:// URLs. TLS certificates aren't
- verified in fake hash method even when there is https://
- URL. Obviously, getting hashes for http://
- URLs isn't secure, so recheck using some other network that hash is same.
-
-
-
- Upstream provided hashes are not secure if obtained over
- http://.
-
-
-
- Nixpkgs build farm can act as an additional verification step. When
- compromised hash was obtained, package may be rejected on Hydra due to hash
- mismatch.
+ Let's say Man-in-the-Middle (MITM) sits close to your network. Then instead of fetching
+ source you can fetch malware, and instead of source hash you get hash of malware. Here are
+ security considerations for this scenario:
+
+
+
+ http:// URLs are not secure to prefetch hash from;
+
+
+
+
+ hashes from upstream (in method 3) should be obtained via secure protocol;
+
+
+
+
+ https:// URLs are secure in methods 1, 2, 3;
+
+
+
+
+ https:// URLs are not secure in method 5. When obtaining hashes
+ with fake hash method, TLS checks are disabled. So
+ refetch source hash from several different networks to exclude MITM scenario.
+ Alternatively, use fake hash method to make Nix error, but instead of extracting
+ hash from error, extract https:// URL and prefetch it
+ with method 1.
+
+
+