#nixos-security on 2019-04-03

09:00 lassulus has quit [Ping timeout: 246 seconds]

09:02 lassulus has joined #nixos-security

09:06 pie__ has joined #nixos-security

15:11 <pie__> sooo pinning like this doesnt actually check the hash? https://nixos.wiki/wiki/FAQ/Pinning_Nixpkgs

15:11 <pie__> is there anything that ensures integrity of the fetched nixpkgs

15:11 <gchristensen> fetchTarball?

15:12 <gchristensen> fetchTarball will check the hash, yes

15:12 <gchristensen> builtins.fetchGit can accept a sha256 hash, too

15:12 <gchristensen> what is the problem you're seeing?

15:12 <pie__> * if using getchgit

15:12 <pie__> ah ok

15:12 <pie__> im not seeing any problem

15:13 <pie__> it just bothered me that there's no sha256 in the example

15:13 <pie__> :p

15:13 <gchristensen> fix it :)

15:13 <pie__> yeah I should do that

15:14 <pie__> ...later 'xD

15:14 <gchristensen> do you not consider git revesion IDs to be unforgable?

15:14 <pie__> does git check them?

15:14 <gchristensen> mine does

15:14 <gchristensen> I think the default does

15:14 <pie__> if it checks them then im happier

15:15 <gchristensen> for a time, Linux's repo didn't fsck

16:25 <qyliss^work> I used to check every repo, but had to stop before Rails has a commit with a broken timestamp in it

16:26 <gchristensen> lol

16:29 <pie__> blacklist? :/

16:30 <gchristensen> the only repo I've cloned which didn't fsck was linux

17:24 MichaelRaskin has joined #nixos-security

17:40 pie__ has quit [Ping timeout: 255 seconds]

23:24 erictapen has quit [Ping timeout: 255 seconds]

23:26 erictapen has joined #nixos-security