Author: eelco
Date: Mon Dec 6 00:53:36 2010
New Revision: 24985
URL: https://svn.nixos.org/websvn/nix/?rev=24985&sc=1
Log:
* Verify whether downloaded NARs have the right hash. This prevents
propagating corrupt store paths.
Modified:
release/trunk/channels/mirror-channel.pl
Modified: release/trunk/channels/mirror-channel.pl
==============================================================================
--- release/trunk/channels/mirror-channel.pl Sun Dec 5 19:54:27 2010
(r24984)
+++ release/trunk/channels/mirror-channel.pl Mon Dec 6 00:53:36 2010
(r24985)
@@ -8,7 +8,7 @@
# job.
use strict;
-use readmanifest;
+use NixManifest;
use GeneratePatches;
use File::Basename;
use File::stat;
@@ -40,7 +40,6 @@
my $manifestPath = "$dstChannelPath/MANIFEST";
my $tmpDir = tempdir("nix-mirror-XXXXXXX", TMPDIR => 1, CLEANUP => 1);
-print STDERR "$tmpDir\n";
open LOCK, ">$dstChannelPath/.lock" or die;
@@ -108,7 +107,14 @@
print "downloading $srcURL\n";
my $dstFileTmp = "$narPath/.tmp.$$.nar.$dstName";
system("$curl '$srcURL' > $dstFileTmp") == 0 or die "failed to
download `$srcURL'";
- system("bunzip2 -t $dstFileTmp &> /dev/null") == 0 or die
"downloaded file is not a bzip2 file!";
+
+ # Verify whether the downloaded file is a bzipped NAR file
+ # that matches the NAR hash given in the manifest.
+ system("bunzip2 < $dstFileTmp > $tmpDir/out") == 0 or die
"downloaded file is not a bzip2 file!";
+ my $hash = `nix-hash --type sha256 --flat $tmpDir/out`;
+ chomp $hash;
+ die "hash mismatch in downloaded file `$srcURL'" if "sha256:$hash"
ne $file->{narHash};
+
rename($dstFileTmp, $dstFile) or die "cannot rename $dstFileTmp";
}
_______________________________________________
nix-commits mailing list
[email protected]
http://mail.cs.uu.nl/mailman/listinfo/nix-commits
