On Sun, Nov 18, 2012 at 10:24 PM, Nicolas Pierron <nicolas.b.pier...@gmail.com> wrote:
> On Sun, Nov 18, 2012 at 10:11 PM, Marc Weber <marco-owe...@gmx.de> wrote:
>> Isn't it enough to depend on the git's hash value, e.g.
>>
>> fetchgit { git_hash = "xxx"; url = "yyy"; }
>>
>> Is compromising a git repository (even using shallow clones) that much
>> easier than compromising a .tar.* file protected by sha256?
>
> That would be better because there is no trivial way to check the
> sha256 when making the Nix expression.
> How does git distinguish a branch named after a revision?

We should also enforce that provided hashes have all digits, to prevent easier attacks.

-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
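The check suggested above (refuse any "revision" that is not a full hex commit id, so a branch or tag name cannot be passed off as a pinned hash) and the follow-up verification that the checked-out commit really is that id, as an added POSIX shell example; this is not code from the thread or from Nix's fetchgit, and the function names and the use of `git fetch --depth 1 <url> <sha>` (which requires the server to allow fetching by raw commit id) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Nixpkgs): enforce that a rev
# handed to a fetchgit-style expression is a full SHA-1 commit id.

# is_full_commit_hash REV -> 0 if REV is exactly 40 lowercase hex digits.
is_full_commit_hash() {
    rev=$1
    # Abbreviated ids are rejected too: only a full id pins one commit.
    [ "${#rev}" -eq 40 ] || return 1
    # Any byte outside 0-9a-f ('/', '.', '-', uppercase, ...) means this is
    # a ref name such as "master" or "v1.0", not a commit id.
    case $rev in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# fetch_pinned URL REV DIR: shallow-fetch REV by id, check it out, and verify
# that HEAD is really REV (the name-vs-hash ambiguity never reaches git).
fetch_pinned() {
    url=$1; rev=$2; dir=$3
    is_full_commit_hash "$rev" || {
        echo "refusing non-hash rev: $rev" >&2; return 1; }
    git init -q "$dir" || return 1
    # Assumes the remote permits fetching an arbitrary reachable commit id.
    git -C "$dir" fetch -q --depth 1 "$url" "$rev" || return 1
    git -C "$dir" checkout -q FETCH_HEAD || return 1
    actual=$(git -C "$dir" rev-parse HEAD) || return 1
    [ "$actual" = "$rev" ] || {
        echo "commit mismatch: wanted $rev, got $actual" >&2; return 1; }
}
```

The hash check runs offline; `fetch_pinned` needs git and network access and is what a build step would call.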