Comments (3)
Thread renamed to reflect further thoughts as I wrote it out. I feel like the toplevel version info should really, really include the keygrip at the very least of the key that it links to. More ideally it would be the checksum though, so I can just fix this the way I've fixed it for Nightly.
from nixpkgs-mozilla.
Looking at this again, I see now that the key itself is pinned, and the checksums are stored next to a signature file that can be verified with the key. Which seems fine, but is still unfortunate for Nix, I'd have to pre-cache the checksum+checksumSig hashes for each variant. :/
from nixpkgs-mozilla.
4 things are downloaded:
- the gpg key (checked using hard coded checksum)
- the `firefox_versions.json` file. (https only)
- the checksum file. [beta / release] (verified using the gpg key) [nightly] (https only)
- the firefox binary. [beta / release] (verified using the verified checksum) [nightly] (verified using the gpg key)
Despite our best effort, this would remain impure as the sha of the checksum file is unknown.
I am definitely in favor of adding whatever script is needed to generate the equivalent of a lock file to be committed to another branch of this repository, in order to hard-code the latest checksums of the day, as long as this does not pollute the history of the repository.
Pollution of the history of the repository is, from my point of view, a security issue, as someone who might want to review the changes might miss the changes which are altering the logic.
Note: This repository will migrate soon.
from nixpkgs-mozilla.
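A sketch of the lock-file generation proposed in the last comment, as an added example that is not code from nixpkgs-mozilla or from any commenter: it pins the SHA-256 of each variant's checksum file and signature file, then checks a download against the entries of the pinned checksum file. The function names, the lock layout, the `hexdigest  filename` SHA-512 line format and all sample bytes are assumptions constructed for illustration; verifying the signature with the pinned gpg key is a separate step not shown here.

```python
import hashlib
import hmac
import json

HEX = set("0123456789abcdef")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_lock(fetched: dict) -> dict:
    """fetched maps variant -> (checksum_file_bytes, signature_bytes)."""
    return {variant: {"checksums_sha256": sha256_hex(sums),
                      "signature_sha256": sha256_hex(sig)}
            for variant, (sums, sig) in fetched.items()}

def render_lock(lock: dict) -> str:
    # Sorted keys and fixed indentation keep lock-file diffs small and reviewable.
    return json.dumps(lock, indent=2, sort_keys=True) + "\n"

def matches_lock(lock: dict, variant: str, sums: bytes, sig: bytes) -> bool:
    """True only if both downloaded files are byte-identical to the pinned ones."""
    pin = lock.get(variant)
    if pin is None:
        return False  # unknown variant: fail closed
    return (hmac.compare_digest(pin["checksums_sha256"], sha256_hex(sums))
            and hmac.compare_digest(pin["signature_sha256"], sha256_hex(sig)))

def parse_checksums(sums: bytes) -> dict:
    """Parse 'hexdigest  filename' lines (assumed layout) into {filename: digest}."""
    entries = {}
    for line in sums.decode("utf-8").splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition("  ")
        digest = digest.lower()
        if len(digest) != 128 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name] = digest
    return entries

def artifact_ok(entries: dict, name: str, data: bytes) -> bool:
    expected = entries.get(name)
    actual = hashlib.sha512(data).hexdigest()
    return expected is not None and hmac.compare_digest(expected, actual)

# Constructed sample inputs; nothing here is real Mozilla data.
BINARY = b"constructed stand-in for a firefox tarball"
SUMS = (hashlib.sha512(BINARY).hexdigest() + "  firefox.tar.bz2\n").encode()
SIG = b"constructed stand-in for a detached signature"
LOCK = build_lock({"beta": (SUMS, SIG)})
```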