lassulus has quit [Ping timeout: 246 seconds]
lassulus has joined #nixos-security
pie__ has joined #nixos-security
<pie__> sooo pinning like this doesnt actually check the hash?
<pie__> is there anything that ensures integrity of the fetched nixpkgs
<gchristensen> fetchTarball?
<gchristensen> fetchTarball will check the hash, yes
<gchristensen> builtins.fetchGit can accept a sha256 hash, too
<gchristensen> what is the problem you're seeing?
<pie__> * if using getchgit
<pie__> ah ok
<pie__> im not seeing any problem
<pie__> it just bothered me that there's no sha256 in the example
<pie__> :p
<gchristensen> fix it :)
<pie__> yeah I should do that
<pie__> ...later 'xD
<gchristensen> do you not consider git revesion IDs to be unforgable?
<pie__> does git check them?
<gchristensen> mine does
<gchristensen> I think the default does
<pie__> if it checks them then im happier
<gchristensen> for a time, Linux's repo didn't fsck
<qyliss^work> I used to check every repo, but had to stop before Rails has a commit with a broken timestamp in it
<gchristensen> lol
<pie__> blacklist? :/
<gchristensen> the only repo I've cloned which didn't fsck was linux
MichaelRaskin has joined #nixos-security
pie__ has quit [Ping timeout: 255 seconds]
erictapen has quit [Ping timeout: 255 seconds]
erictapen has joined #nixos-security