On 1/23/20 8:06 PM, Charles Duffy wrote:
A potentially unforeseen consequence:
At present, it is possible (albeit with use of tools that aren't as of present date publicly released, something I hope to change in the future) to use the Nix build system to build Arch packages (with some caveats, but generally manageable ones for folks who don't need these packages to be what Nix calls "pure").
Nix identifies downloaded content by hash -- only build-time processes which can state a cryptographically strong checksum of their intended output prior to time of invocation are allowed to connect to the internet during the build process itself. cksum is not supported by Nix, whereas the other checksums supported by Arch are.
Thus, moving to cksum -- quite aside from other concerns, which have been argued outside this thread -- would encourage an increased proportion of Arch packages not be buildable by Nix. Wait... does that mean Nix considers md5 to be "cryptographically strong"? o_O
-- Eli Schwartz Bug Wrangler and Trusted User