andir/npins

Change `git` inputs to use SRI hashes

Opened this issue · 4 comments

lf- commented

Currently npins uses legacy Nix base32 hashes for `fetchGit`. I would like to be able to pass `narHash` to `fetchGit` to get it to hit cache for any user connecting to the same Nix store rather than just getting cached in the Nix git cache, but Nix only allows SRI hashes for that parameter.

I think the easiest fix here is to make npins store SRIs for such hashes, since I don't think the base32 hashes could actually be used for any purpose in the current state anyway.

I like the idea if that improves the caching / substitution situation. Out of interest: Do you know the minimum Nix version required for these?

We should probably also support migration of the hashes. At least only change "updated" hashes to not cause issues with "dormant" dependencies? (e.g. fetching huge repos again just for the sake of hashing)

Between 2.3 and 2.4, it's in 2.4. I cannot find it in 2.3; at least, `narHash` is not a supported argument of 2.3's `fetchGit`.

In addition, `nix hash to-sri` probably exists only in 2.4+, if you want to implement the migration or initialization using #87 code. An alternative is to rely on Tvix to generate those without any dependency upon Nix, but well, you already know all of that :P.

SRI hashes were added to Nix with NixOS/nix@6024dc1. That appears to have shipped in Nix 2.2. That commit changes the fetchurl builtin; fetchgit was changed in NixOS/nix@6024dc1 (I think) which shipped in 2.4, it looks like.
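
The migration discussed in this thread does not require refetching anything: a legacy Nix base32 hash and an SRI hash encode the same digest bytes. The following is an added example, not part of the thread and not npins code, that performs the conversion without calling Nix. The function names are hypothetical, and the sample value is the SHA-256 of empty input, used as constructed test data.

```python
import base64

# Nix's base32 alphabet omits the letters e, o, t and u.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"
DIGEST_SIZES = {"sha1": 20, "sha256": 32, "sha512": 64}


def nix_base32_decode(text: str, size: int) -> bytes:
    """Decode a legacy Nix base32 string into `size` raw digest bytes."""
    expected_len = (size * 8 - 1) // 5 + 1
    if len(text) != expected_len:
        raise ValueError(f"expected {expected_len} characters, got {len(text)}")
    out = bytearray(size)
    # Nix treats the digest as a little-endian bit stream and prints the
    # highest 5-bit group first, so the string is consumed back to front.
    for n, ch in enumerate(reversed(text)):
        digit = NIX_BASE32.find(ch)
        if digit < 0:
            raise ValueError(f"invalid Nix base32 character {ch!r}")
        i, j = divmod(n * 5, 8)
        out[i] |= (digit << j) & 0xFF
        carry = digit >> (8 - j)  # bits that spill into the next byte
        if i + 1 < size:
            out[i + 1] |= carry
        elif carry:
            raise ValueError("non-zero bits beyond the end of the digest")
    return bytes(out)


def to_sri(algo: str, value: str) -> str:
    """Convert a base32 or base16 digest string to SRI form (algo-base64)."""
    size = DIGEST_SIZES[algo]
    if value.startswith(algo + "-"):
        return value  # already SRI, nothing to migrate
    if len(value) == size * 2:
        raw = bytes.fromhex(value)
    else:
        raw = nix_base32_decode(value, size)
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


if __name__ == "__main__":
    # Constructed sample: SHA-256 of empty input in legacy Nix base32.
    legacy = "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73"
    print(to_sri("sha256", legacy))
```

Because the conversion is a pure re-encoding, a pin whose upstream content has not changed keeps the same digest and only its textual representation changes.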