nix-community / npmlock2nix

nixify npm based packages [maintainer=@andir]
Apache License 2.0

unknown hash algorithm - fetchGit - branch name is used as commit hash #137

Closed milahu closed 2 years ago

milahu commented 2 years ago

actual

builtins.fetchGit {
  allRefs = true;
  rev = "v0.1.19-auth0_1";
  url = "https://github.com/auth0/xmldom";
}
# error: unknown hash algorithm 'v0.1.19'

expected

builtins.fetchGit {
  allRefs = true;
  ref = "v0.1.19-auth0_1"; # branch name
  rev = "3376bc7beb5551bf68e12b0cc6b0e3669f77d392"; # git commit hash
  url = "https://github.com/auth0/xmldom";
}

the actual call is produced by npmlock2nix from this package-lock.json

{
  "name": "web-overleaf",
  "version": "0.1.4",
  "lockfileVersion": 1,
...
        "xmldom": {
          "version": "github:auth0/xmldom#3376bc7beb5551bf68e12b0cc6b0e3669f77d392",
          "from": "github:auth0/xmldom#v0.1.19-auth0_1",
          "dev": true
        },

milahu commented 2 years ago

trace

githubSourceHashMap is empty, so sourceHashFunc returns null, so hash is null in buildTgzFromGitHub

  buildTgzFromGitHub = { name, org, repo, rev, ref, hash ? null }:
    let
      src =
        if hash != null then
          fetchFromGitHub
            {
              owner = org;
              inherit repo;
              inherit rev;
              sha256 = hash; # FIXME: what if sha3?
            } else
          fetchGitWrapped {
            url = "https://github.com/${org}/${repo}";
            inherit rev ref;
            allRefs = true;
          };

... which is a variant of https://discourse.nixos.org/t/nix-sha256-is-bug-not-feature-solution-a-global-cas-filesystem/15791 → fetchGit should be able to verify the files by the git commit hash, and not require a (redundant) sha256 hash

→ closing as wontfix / out of scope
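
An added example, not part of the issue thread and not npmlock2nix's own code: one way to derive the `fetchGit` arguments from a lockfileVersion 1 entry so that `rev` is always the 40-character commit hash from `version`, while the mutable tag or branch name from `from` is passed only as `ref`. The names `parseGitHubSpec`, `isCommitHash` and `fetchGitArgsFor` are hypothetical, and the `github:org/repo#fragment` shape is assumed from the lockfile entry quoted above.

```nix
let
  # Split "github:org/repo#fragment" into its parts; null if the shape differs.
  # builtins.match must match the whole string (POSIX extended regex).
  parseGitHubSpec = spec:
    let m = builtins.match "github:([^/#]+)/([^/#]+)#(.+)" spec;
    in if m == null then null else {
      org = builtins.elemAt m 0;
      repo = builtins.elemAt m 1;
      fragment = builtins.elemAt m 2;
    };

  # Only a full 40-character lowercase hex SHA-1 is accepted as `rev`.
  isCommitHash = s: builtins.match "[0-9a-f]{40}" s != null;

  # Hypothetical helper: dep is one entry of "dependencies" in package-lock.json.
  fetchGitArgsFor = dep:
    let
      resolved = parseGitHubSpec dep.version;
      requested = if dep ? from then parseGitHubSpec dep.from else null;
    in
    if resolved == null then
      throw "not a github: dependency: ${dep.version}"
    else if !(isCommitHash resolved.fragment) then
      # Fail instead of handing a tag or branch name to fetchGit as rev.
      throw "lockfile entry does not pin a commit: ${dep.version}"
    else {
      url = "https://github.com/${resolved.org}/${resolved.repo}";
      rev = resolved.fragment;
      allRefs = true;
    } // (if requested != null && !(isCommitHash requested.fragment)
          then { ref = requested.fragment; }  # tag or branch name, informational
          else { });
in
# Constructed input: the xmldom entry from the lockfile in this issue.
fetchGitArgsFor {
  version = "github:auth0/xmldom#3376bc7beb5551bf68e12b0cc6b0e3669f77d392";
  from = "github:auth0/xmldom#v0.1.19-auth0_1";
  dev = true;
}
```

Rejecting entries whose `version` fragment is not a full commit hash keeps a mutable ref from ever standing in for the pinned revision.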