author: Anderson Torres <torres.anderson.85@protonmail.com> 2022-09-05 21:26:05 -0300
committer: GitHub <noreply@github.com> 2022-09-05 21:26:05 -0300
commit: 6be0f0e057dc23d8b1f7d1a414ebb75d0672fb4c (patch)
tree: 68977c1bfe60fbb6996a5739b4faf52ea52a85fc
parent: febd3083b8cbfec3f317f4e88ab01fce17a1ee2e (diff)
parent: be09c1638d116b477c312ec61d55c304f1beb3ee (diff)
Merge pull request #189241 from SuperSandro2000/git-full-hash
doc/contributing: enforce full commit hashes on github
-rw-r--r-- doc/contributing/coding-conventions.chapter.md | 3
1 file changed, 3 insertions, 0 deletions
diff --git a/doc/contributing/coding-conventions.chapter.md b/doc/contributing/coding-conventions.chapter.md
index 6473fa151a43..585b8d3679c9 100644
--- a/doc/contributing/coding-conventions.chapter.md
+++ b/doc/contributing/coding-conventions.chapter.md
@@ -453,6 +453,9 @@ In the file `pkgs/top-level/all-packages.nix` you can find fetch helpers, these
}
```
+When fetching from GitHub, commits must always be referenced by their full commit hash. This is because GitHub shares commit hashes among all forks and returns `404 Not Found` when a short commit hash is ambiguous. It already happens for some short, 6-character commit hashes in `nixpkgs`.
+It is a practical vector for a denial-of-service attack by pushing large amounts of auto generated commits into forks and was already [demonstrated against GitHub Actions Beta](https://blog.teddykatz.com/2019/11/12/github-actions-dos.html).
+
Find the value to put as `sha256` by running `nix-shell -p nix-prefetch-github --run "nix-prefetch-github --rev 1f795f9f44607cc5bec70d1300150bfefcef2aae NixOS nix"`.
## Obtaining source hash {#sec-source-hashes}
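Review bot: The new paragraph states the rule but gives the contributor no way to comply when only a short hash is at hand; consider adding one sentence noting that `git rev-parse <short-hash>` in a clone (or the 40-character hash shown in the commit's GitHub URL) yields the full form, and that the `nix-prefetch-github --rev 1f795f9f44607cc5bec70d1300150bfefcef2aae NixOS nix` example immediately below already follows the rule. The PR title says "enforce", yet this hunk only documents the convention; if no lint or CI check backs it, the text should say the rule is a convention reviewers check by hand. Minor wording: "auto generated" should be hyphenated as "auto-generated", and "It already happens for some short, 6-character commit hashes" reads more clearly as "This already happens for some 6-character short hashes".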