NixOS / ofborg

@ofborg tooling automation https://monitoring.ofborg.org/dashboard/db/ofborg
https://ofborg.org
MIT License

Detect url/sha256 mismatch #647

Open cyounkins opened 1 year ago

cyounkins commented 1 year ago

If a maintainer updates a version (and thus the URL) but fails to update the sha256, all tests will pass. Is there any way we can detect this?

Example: https://github.com/NixOS/nixpkgs/pull/215890

See also #429
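
An added example, not part of the original thread and not ofborg's own code: a heuristic check over a PR's git-format diff that flags `.nix` files where a source-selecting attribute (`version`, `url`, `rev`, `tag`) changed but no hash attribute did. The attribute lists, function names and sample diff are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Attributes that choose what is fetched vs. attributes that pin its content (assumed lists).
SOURCE_ATTR = re.compile(r"\s*(version|url|urls|rev|tag)\s*=")
HASH_ATTR = re.compile(r"\s*(sha256|sha512|hash|outputHash)\s*=")

def changed_attrs(diff_text):
    """Map each .nix file in a git-format diff to the attributes whose lines changed."""
    changes = defaultdict(lambda: {"source": set(), "hash": set()})
    path, in_hunk = None, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            path, in_hunk = None, False          # new file section starts
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].strip().removeprefix("b/")
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and path and path.endswith(".nix") and line[:1] in ("+", "-"):
            if m := SOURCE_ATTR.match(line[1:]):
                changes[path]["source"].add(m.group(1))
            elif m := HASH_ATTR.match(line[1:]):
                changes[path]["hash"].add(m.group(1))
    return changes

def stale_hash_candidates(diff_text):
    """Files where a source attribute changed but no hash attribute did."""
    return {p: sorted(c["source"]) for p, c in changed_attrs(diff_text).items()
            if c["source"] and not c["hash"]}

# Constructed sample diff; package names and hashes are placeholders.
SAMPLE_DIFF = """\
diff --git a/pkgs/foo/default.nix b/pkgs/foo/default.nix
--- a/pkgs/foo/default.nix
+++ b/pkgs/foo/default.nix
@@ -3,6 +3,6 @@
-  version = "1.2.0";
+  version = "1.3.0";
   src = fetchFromGitHub {
     rev = "v${version}";
     sha256 = "sha256-PLACEHOLDER-OLD";
diff --git a/pkgs/bar/default.nix b/pkgs/bar/default.nix
--- a/pkgs/bar/default.nix
+++ b/pkgs/bar/default.nix
@@ -3,6 +3,6 @@
-  version = "2.0";
+  version = "2.1";
-    hash = "sha256-PLACEHOLDER-OLD";
+    hash = "sha256-PLACEHOLDER-NEW";
"""

print(stale_hash_candidates(SAMPLE_DIFF))  # only foo is flagged: version moved, hash did not
```

This is a textual heuristic: it misses hashes kept in separate files and flags version bumps of packages that have no fetcher, so its output is a prompt for the reviewer rather than a verdict.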

SuperSandro2000 commented 1 year ago

Detecting this is not that trivial and should be caught in review.

nixos-discourse commented 3 weeks ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/bootstrap-files-updates-amplifiy-exploit-of-any-package-into-exploit-of-every-package/50534/5