diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index bd0d74a8885b..c3cb495498df 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -335,6 +335,8 @@
 - `services.kea.{ctrl-agent,dhcp-ddns,dhcp,dhcp6}` now use separate runtime directories instead of `/run/kea` to work around the runtime directory being cleared on service start.
+- `mkDerivation` now rejects MD5 hashes.
+
 ## Other Notable Changes {#sec-release-23.11-notable-changes}
 - The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index beba687e788a..d235ffefaab4 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -165,6 +165,17 @@ let
 , ... } @ attrs:
+# Policy on acceptable hash types in nixpkgs
+assert attrs ? outputHash -> (
+ let algo =
+ attrs.outputHashAlgo or (lib.head (lib.splitString "-" attrs.outputHash));
+ in
+ if algo == "md5" then
+ throw "Rejected insecure ${algo} hash '${attrs.outputHash}'"
+ else
+ true
+);
+
 let
 # TODO(@oxij, @Ericson2314): This is here to keep the old semantics, remove when
 # no package has `doCheck = true`.
diff --git a/pkgs/test/stdenv/default.nix b/pkgs/test/stdenv/default.nix
index 0fa87cccc219..3882eb2b625c 100644
--- a/pkgs/test/stdenv/default.nix
+++ b/pkgs/test/stdenv/default.nix
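Review bot: The algorithm detection on the `let algo =` line only recognises the SRI `md5-…` spelling, so an MD5 digest written in the `md5:<hex>` form that Nix's hash parser also accepts (if I recall correctly) slips past the policy whenever `outputHashAlgo` is not set; a bare digest with `outputHashAlgo = "md5"` is caught by the `attrs.outputHashAlgo or` branch, but the `-`-only split leaves the second spelling open. Splitting on either separator closes it: `attrs.outputHashAlgo or (lib.head (builtins.split "[-:]" attrs.outputHash));`. The comment above the assert would also be more useful if it said which spellings the check covers, e.g. `# Policy on acceptable hash types in nixpkgs: md5 is rejected whether given via outputHashAlgo, as SRI "md5-…" or as "md5:…"`. The enclosing mkDerivation function starts before this hunk and continues past it.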
@@ -142,6 +142,15 @@ in
 '';
 };
+ # Check that mkDerivation rejects MD5 hashes
+ rejectedHashes = lib.recurseIntoAttrs {
+ md5 =
+ let drv = runCommand "md5 outputHash rejected" {
+ outputHash = "md5-fPt7dxVVP7ffY3MxkQdwVw==";
+ } "true";
+ in assert !(builtins.tryEval drv).success; {};
+ };
+
 test-inputDerivation = let
 inherit (stdenv.mkDerivation {
 dep1 = derivation { name = "dep1"; builder = "/bin/sh"; args = [ "-c" ": > $out" ]; system = builtins.currentSystem; };
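Review bot: The `in assert !(builtins.tryEval drv).success; {}` line accepts any evaluation failure, not specifically the MD5 rejection, so a typo in the fixture or an unrelated error inside `runCommand` would make this test pass just the same. A positive control next to it — the same fixture with a non-MD5 hash that must evaluate successfully — would show the policy is selective rather than that the fixture is simply broken; a sketch is below. The derivation name `"md5 outputHash rejected"` contains spaces, which as far as I recall Nix does not allow in store path names; it is harmless here only because the rejection fires before the derivation is instantiated, so a hyphenated name would make the fixture valid on its own. The enclosing attribute set starts before this hunk and continues past it.
```nix
  rejectedHashes = lib.recurseIntoAttrs {
    # … unchanged: md5 case …
    # positive control: a non-MD5 hash must still be accepted
    sha256 =
      let ok = runCommand "sha256-outputHash-accepted" {
        outputHashAlgo = "sha256";
        outputHash = builtins.hashString "sha256" "";
      } "true";
      in assert (builtins.tryEval ok).success; {};
  };
```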