Many PRs updating packages keep the
sha256 attribute but use an SRI hash. Others replace an existing SRI hash with a sha256 hash again.
I understand that
hash = "SRI-hash"; is the format nixpkgs is migrating to, so, is it OK to ask PR authors to use that format when helping with reviewing PRs?
Some big contributors do not do the change, and I feel like I would be overstepping, too, if I ask them.
My guess is, that quite often automatic tooling is used, that didn’t get updated yet.
Also: I was not aware that
hash is prefered over
sha256 now. I only was aware about the introduction and preference about
So to spread the word, I am in favor of mentioning it in reviews, and point out where the deprecation is actually written down.
The issue is that
hash is not supported by all fetchers and maybe it might be renamed in the future:
hash since fetchgit: support hash parameter alongside sha256 · NixOS/nixpkgs@5c2b1b6 · GitHub
fetchurl supports it since years ago, and there is also
cargoHash for Rust, and somebody added
vendorHash for Flutter.
Go is still using
vendorSha256, and like you said, some fetchers like
fetchsvn do not support it, but I see the main ones, that already support it, being updated to