diff options
| author | Sandro Jäckel <sandro.jaeckel@sap.com> | 2022-09-01 12:11:54 +0200 |
|---|---|---|
| committer | Sandro Jäckel <sandro.jaeckel@gmail.com> | 2022-09-04 00:50:35 +0200 |
| commit | be09c1638d116b477c312ec61d55c304f1beb3ee (patch) | |
| tree | 0434fba224552b9d32a258617b6d27f9454b5470 | |
| parent | 02ffeed7a195c82beed71262a4cc90932fafdfd0 (diff) | |
doc/contributing: enforce full commit hashes on github
| -rw-r--r-- | doc/contributing/coding-conventions.chapter.md | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/doc/contributing/coding-conventions.chapter.md b/doc/contributing/coding-conventions.chapter.md index 6473fa151a43..585b8d3679c9 100644 --- a/doc/contributing/coding-conventions.chapter.md +++ b/doc/contributing/coding-conventions.chapter.md @@ -453,6 +453,9 @@ In the file `pkgs/top-level/all-packages.nix` you can find fetch helpers, these } ``` +When fetching from GitHub, commits must always be referenced by their full commit hash. This is because GitHub shares commit hashes among all forks and returns `404 Not Found` when a short commit hash is ambiguous. It already happens for some short, 6-character commit hashes in `nixpkgs`. +It is a practical vector for a denial-of-service attack by pushing large amounts of auto generated commits into forks and was already [demonstrated against GitHub Actions Beta](https://blog.teddykatz.com/2019/11/12/github-actions-dos.html). + Find the value to put as `sha256` by running `nix-shell -p nix-prefetch-github --run "nix-prefetch-github --rev 1f795f9f44607cc5bec70d1300150bfefcef2aae NixOS nix"`. ## Obtaining source hash {#sec-source-hashes} |