Vim-nixhash: a neovim plugin to fix the fake TOFU sha256 in your nix files

I grew tired of manually filling sha256 with all zeros, then running nix-build and copy pasting the correct hash back into neovim. I also never took the time to learn the various nix-prefetch* utilities, and which ones work with what fetchers. Also it is easy to copy paste incorrectly when there are several hashes to fix.

I am proud to announce a neovim plugin that does the job for you: instead of running :!nix-build -A foo and copy pasting the hash from the error message, run :NixHash nix-build -A foo and have the hash fixed in the currently opened buffer!

11 Likes

Is there a similar plugin for Emacs?

I recently discovered that assigning sha256 = ""; has the same effect as padding with all zeroes. Been an improvement in terms of usability.

4 Likes

I have no idea, sorry.

There is also lib.fakeSha256 which can be used in place of all zeros.

1 Like

Instead of, or rather complementary to, passing an attribute name, could it use a crude approach in visual mode, like I select the block of code in src = ... and with a regex the plugin identifies the hash as e1089b093caaf088e9ce0c0cda1a062d89ee3c08, and updates the sha256 field.

  tasty-golden = prev.haskell.lib.addBuildDepend (prev.haskell.lib.overrideSrc hprev.tasty-golden {
    src = prev.fetchzip {
      url = "https://github.com/novadiscovery/tasty-golden/archive/e1089b093caaf088e9ce0c0cda1a062d89ee3c08.tar.gz";
      sha256 = "sha256-CJe7ziVkm1oThH4WqozDbti2aHFXKHf47jN0Hr4L4iM=";
    };

In an ideal world, we would have a treesitter grammar that can identify the block and return the relevant component.

2 Likes

> Instead of, or rather complementary to, passing an attribute name, could it use a crude approach in visual mode, like I select the block of code in src = ... and with a regex the plugin identifies the hash as e1089b093caaf088e9ce0c0cda1a062d89ee3c08, and updates the sha256 field.

I don’t understand. The way it currently works is that when it finds a got: aaaaaa wanted: bbbbb error message in the command output it replaces aaaaa by bbbbb. So there is no need to point it to the right src = ... block.
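
The replacement step described in the post above, as an added Python example that is not part of the thread and not vim-nixhash's own code; it goes slightly beyond the post by validating the new hash and recording whether the replaced value was a fake placeholder or a previously pinned hash. It assumes the specified:/got: mismatch output of current Nix with SRI hashes; `fix_hashes`, the sample file and the sample build output are constructed for illustration.

```python
import re

# SRI spelling of the all-zero SHA-256, which Nix reports for a fake hash.
ZERO_SRI = "sha256-" + "A" * 43 + "="
# Ways the fake hash may be written in the .nix file itself.
PLACEHOLDERS = (ZERO_SRI, "0" * 64, "0" * 52, "")
# Assumed output format; older Nix releases printed "wanted:" instead.
MISMATCH = re.compile(r"(?:specified|wanted):\s*(?P<old>\S+)\s+got:\s*(?P<new>\S+)")
SRI_SHA256 = re.compile(r"sha256-[A-Za-z0-9+/]{43}=")


def fix_hashes(nix_text, build_output):
    """Replace each mismatched hash in nix_text; return (new_text, log)."""
    log = []
    for m in MISMATCH.finditer(build_output):
        old, new = m["old"], m["new"]
        if not SRI_SHA256.fullmatch(new):
            log.append(("rejected", old, new))  # never paste unvalidated text
            continue
        if old == ZERO_SRI:
            # The file may spell the placeholder differently from Nix's report.
            targets = [p for p in PLACEHOLDERS if f'"{p}"' in nix_text]
        else:
            targets = [old] if f'"{old}"' in nix_text else []
        if len(targets) != 1 or nix_text.count(f'"{targets[0]}"') != 1:
            log.append(("ambiguous", old, new))  # no target, or more than one
            continue
        nix_text = nix_text.replace(f'"{targets[0]}"', f'"{new}"')
        # A changed non-placeholder hash means the fetched content changed.
        log.append(("placeholder" if old == ZERO_SRI else "pinned-changed", old, new))
    return nix_text, log


# Constructed sample input (URL and hash taken from the snippet in the thread).
GOT = "sha256-CJe7ziVkm1oThH4WqozDbti2aHFXKHf47jN0Hr4L4iM="
SAMPLE_NIX = '''src = prev.fetchzip {
  url = "https://github.com/novadiscovery/tasty-golden/archive/e1089b093caaf088e9ce0c0cda1a062d89ee3c08.tar.gz";
  sha256 = "";
};
'''
SAMPLE_OUTPUT = f"""error: hash mismatch in fixed-output derivation '/nix/store/PLACEHOLDER-source.drv':
         specified: {ZERO_SRI}
            got:    {GOT}
"""

if __name__ == "__main__":
    fixed, log = fix_hashes(SAMPLE_NIX, SAMPLE_OUTPUT)
    print(fixed)
    print(log)
```

A "pinned-changed" entry is the case worth reading before saving the buffer, since it means the same URL now yields different content than when the hash was first recorded.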

> So there is no need to point it to the right src = ... block.

But if there is no attribute name or way to reference the package, how can you update it?

With a visual selection in nvim, the user could tell the plugin “no need for an attribute, just look for revision and hash in this selection”.

> But if there is no attribute name or way to reference the package, how can you update it?

You can run :NixHash nix-build -A anything_that_depends_on_it. If you can’t do that, then your project does not depend on this hash so it’s dead code.

I usually just do r0, i.e. change one character to zero. Good enough to invalidate it, and the chances of a collision are the same as with the all-zero-hash :)

@symphorien I’ve just installed and used this to update my home-manager. I anticipate it being lifechanging; thank you so much. Automatically replacing the broken hashes is such a benefit, that “just replace with an empty string” completely fails to address. So good!

I’ve opened a couple of issues on the GitHub repo, but I didn’t want them to come across as criticism. Happy to produce PRs if wanted.