stdenv.mkDerivation: Reject MD5 hashes

While there is no fetcher or builder (in nixpkgs) that takes an `md5` parameter, for some inscrutable reason the nix interpreter accepts the following: ```nix fetchurl { url = "https://www.perdu.com"; hash = "md5-rrdBU2a35b2PM2ZO+n/zGw=="; } ``` Note that neither MD5 nor SHA1 are allowed by the syntax of SRI hashes.
2023-09-14 16:45:25 +00:00 · 2023-09-14 16:45:25 +00:00 · 87c22100a6
commit 87c22100a6
parent c8c3423a38
2 changed files with 13 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@ -335,6 +335,8 @@

 - `services.kea.{ctrl-agent,dhcp-ddns,dhcp,dhcp6}` now use separate runtime directories instead of `/run/kea` to work around the runtime directory being cleared on service start.

+- `mkDerivation` now rejects MD5 hashes.
+
 ## Other Notable Changes {#sec-release-23.11-notable-changes}

 - The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@ -165,6 +165,17 @@ let

 , ... } @ attrs:

+# Policy on acceptable hash types in nixpkgs
+assert attrs ? outputHash -> (
+  let algo =
+    attrs.outputHashAlgo or (lib.head (lib.splitString "-" attrs.outputHash));
+  in
+  if algo == "md5" then
+    throw "Rejected insecure ${algo} hash '${attrs.outputHash}'"
+  else
+    true
+);
+
 let
  # TODO(@oxij, @Ericson2314): This is here to keep the old semantics, remove when
  # no package has `doCheck = true`.