Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pythonPackages.mpv: 0.1 #11620

Merged
merged 1 commit into from
Dec 12, 2015
Merged

pythonPackages.mpv: 0.1 #11620

merged 1 commit into from
Dec 12, 2015

Conversation

Profpatsch
Copy link
Member

No description provided.

FRidh
FRidh reviewed Dec 11, 2015
View reviewed changes
pkgs/top-level/python-packages.nix
src = pkgs.fetchurl {
url = "https://pypi.python.org/packages/source/m/mpv/${name}.tar.gz";
md5 = "48114a00be2dc8898a88b3a253362fae";
};
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sha256?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pypi does md5. As do most packages in this file. Also, what’s wrong with them in this case?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both PyPI and nixpkgs repository still use md5 a lot. That is not good. Why?
The idea of the hash is to know for sure you have the file that you want to have. If a source file in the cache or upstream was changed, you want to know that.

Unfortunately, multiple files can be created with the same hash. Doing this on purpose is a collision attack. A collision attack with an md5 hash can be done in mere seconds if I am correct. With SHA-1 and SHA-2(56) it will take a lot longer.

Last month support for SHA-512 was added to Nix. I suppose we soon should start using SHA-512 then.

@jagajaga
Copy link
Member

And also please rename commit to pythonPackages.mpv: init at 0.1.

@Profpatsch
Copy link
Member Author

@jagajaga Done.

jagajaga added a commit that referenced this pull request Dec 12, 2015
@jagajaga
Merge pull request #11620 from Profpatsch/python-mpv
8908fa8 
pythonPackages.mpv: 0.1
@jagajaga jagajaga merged commit 8908fa8 into NixOS:master Dec 12, 2015
This was referenced Dec 28, 2020
Open
Open
Open
This was referenced Mar 14, 2021
Open
Open
Open
This was referenced Nov 4, 2022
Open
Open
Open
@Centaurioun Centaurioun mentioned this pull request Dec 25, 2022
Closed
@kaocher82 kaocher82 mentioned this pull request Dec 25, 2022
Open
@snyk-bot snyk-bot mentioned this pull request Dec 26, 2022
Open
@Centaurioun Centaurioun mentioned this pull request Jan 9, 2023
Closed
This was referenced Jan 9, 2023
Open
Open
Open
This was referenced Nov 28, 2023
Open
Open
Open
This was referenced May 14, 2024
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
6.topic: python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Profpatsch @jagajaga @FRidh @domenkozar