Https:// - source links

Why is nix 2.3.16 and nix 2.7 linked to the same source code?

Because the file containing the meta attribute is the same.

Probably the actual derivations just differ in the sources passed in from somewhere else.

Yes, as expected, the actual definitions per attribute all use a common function to build from different sources:

If I understand this right, it means that it can be totally different from the source code shown (because it is fetching anything from the URL)

Not sure what you mean.

The source link in the package search is meant to point to the package source, the nix expression used to build the package.

And the download can’t really be anything, it has to match the given content hash.

sure the hash has to match but everyone could change the URL and hash to texlive

  • it could have “nothing” to do with the code / source where it is liked to

Yes, you have to trust here that it is correct. You have this problem everywhere, nix, pacman, portage, Deb, RPM, you name it.

It is TOFU , trust on first use…

However, you can always download the source code yourself, and hash it, and see if it gives you joy.

Nix won’t stop this kinda of trust issue, but it sure hell hard to ‘cover it up’, unless git history can be rewritten, and that’s a different kind of problem!.

I had mismatch hash at some point, fetching a tarball. Alarms bells rang! After investigation it seems the source release had the same name but had different code (a patch). It was minor so ‘they’ just released it under the same version and name. Probably to avoid breakage somewhere.

Did the maintainer know that is was different source? or did someone, something, change it? Was it a deep cybersecurity trust problem, an accident or by design. Did the web server serve me a different file that one time because it knew who ‘i was’… I’d rather have some kind of TOFU hashing rather that non at all.

The world is not reproducible, nix fights this everyday, are you going to join the fight ;-).

Good or bad? only time will tell.