Nix: Is it time to deprecate md5?

Created on 15 Feb 2016 · 15 Comments · Source: NixOS/nix

It's a terrible hash function under any assumption of malicious actors. It would be nice in an upcoming Nix release to print out a warning that a fixed-output derivation is using md5 and instruct people to move to something more sensible. Then perhaps in a couple of releases we could break it altogether except after someone opts in.

SHA1 isn't great, but isn't as bad. It would be nice to set some precedent on what to do about that, too.

All 15 comments

:+1:

:+1: for deprecation (and noting in what version the support will be removed).

I'm not one for release schedules, but perhaps add it as a warning to 1.12, make it an error that can be overridden with e.g., --allow-insecure-md5 in 1.13, and make it unoverridable in 1.14. The error message in 1.14 onwards would tell you what to do instead and will stay for the foreseeable future, so it won't just say something unfriendly like "unknown hash: md5".

We should start by phasing md5 out _in nixpkgs_. After that is done, we can remove support in nix but I don't think that part is really important as it's a kind of opt-in.

It seemed easier to start from Nix since there are a dozen fixed-output derivation functions that could each warn. Perhaps we can jump in at the stdenv/generic.nix level, now that I think about it?

On Mon, Feb 15, 2016 at 12:54 Vladimír Čunát [email protected] wrote:

We should start by phasing md5 out _in nixpkgs_. After that is done, we can remove support in nix but I don't think that part is really important as it's a kind of opt-in.


I see, changing nix is probably the easiest way to produce warnings in all these cases.

:+1:

@vcunat some people use private packages.

chromium/update.nix appears to use an md5 collision to achieve something.

@edolstra would you support adding an annoying warning message for md5 for the next release or two, and then removing support for it after that?

For backward compatibility, it would be better to deprecate/remove it in Nixpkgs. Otherwise we would lose the ability to build packages from old Nixpkgs versions.

md5 support was removed in NixOS 17.03 so we're 4 releases without by now.

It would still make sense to deprecate md5 in Nix itself?

No, we need to keep it for backward compatibility. We don't want to lose the ability to build old Nix expressions.

I wasn't clear enough. I'd only add a warning when md5 is used like so:

filename:line:col: md5 fixed-output derivations are deprecated
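
A small scanner that produces warnings in exactly that filename:line:col shape, for anyone who wants to find remaining md5 fixed-output derivations in a Nixpkgs checkout or a private package set before Nix itself warns. This is an added example, not code from Nix or Nixpkgs; the sample Nix expression is constructed here, and the attribute names it looks for (md5 = "...", outputHashAlgo = "md5") are the two common ways an md5 hash is selected.

```python
import re
from typing import List, Tuple

# The two spellings that select md5 in a fixed-output derivation:
#   md5 = "<32 hex chars>";      (fetchurl-style hash attribute)
#   outputHashAlgo = "md5";      (raw derivation attribute)
MD5_ATTR = re.compile(r'\bmd5\s*=\s*"[0-9a-fA-F]{32}"')
MD5_ALGO = re.compile(r'\boutputHashAlgo\s*=\s*"md5"')


def find_md5_uses(filename: str, text: str) -> List[Tuple[str, int, int]]:
    """Return (filename, line, col) for every md5 selection in a Nix source, 1-based."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in (MD5_ATTR, MD5_ALGO):
            for m in pattern.finditer(line):
                hits.append((filename, lineno, m.start() + 1))
    return sorted(hits)


def format_warning(hit: Tuple[str, int, int]) -> str:
    """Render a hit in the filename:line:col style proposed in the thread."""
    filename, line, col = hit
    return f"{filename}:{line}:{col}: md5 fixed-output derivations are deprecated"


# Constructed sample expression (not from nixpkgs). The digest is md5 of the
# empty string, used only as a syntactically valid 32-hex-char value.
SAMPLE_NIX = '''{ stdenv, fetchurl }:
stdenv.mkDerivation {
  name = "example-1.0";
  src = fetchurl {
    url = "https://example.invalid/example-1.0.tar.gz";
    md5 = "d41d8cd98f00b204e9800998ecf8427e";
  };
  passthru.blob = derivation {
    name = "blob";
    system = "x86_64-linux";
    builder = "/bin/sh";
    outputHashMode = "flat";
    outputHashAlgo = "md5";
    outputHash = "d41d8cd98f00b204e9800998ecf8427e";
  };
  # sha256 attributes are left alone:
  sha256 = "0000000000000000000000000000000000000000000000000000000000000000";
}
'''

if __name__ == "__main__":
    for hit in find_md5_uses("default.nix", SAMPLE_NIX):
        print(format_warning(hit))
```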

I suppose we're finally ready for that: https://github.com/nixos/nixpkgs/commit/46cf3a51269 ;-)
