boostrap fetchurl: Add SRI support

2 years ago · 0b3e7f063c
parent f8594cd431
commit 0b3e7f063c
4 changed files with 15 additions and 3 deletions
--- a/lib/minver.nix
+++ b/lib/minver.nix
@ -1,2 +1,2 @@
 # Expose the minimum required version for evaluating Nixpkgs
-"2.2"
+"2.3"
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@ -255,6 +255,11 @@
  <section xml:id="sec-release-22.11-incompatibilities">
    <title>Backward Incompatibilities</title>
    <itemizedlist>
+      <listitem>
+        <para>
+          Nixpkgs now requires Nix 2.3 or newer.
+        </para>
+      </listitem>
      <listitem>
        <para>
          The <literal>isCompatible</literal> predicate checking CPU
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@ -94,6 +94,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).

 ## Backward Incompatibilities {#sec-release-22.11-incompatibilities}

+- Nixpkgs now requires Nix 2.3 or newer.
+
 - The `isCompatible` predicate checking CPU compatibility is no longer exposed
  by the platform sets generated using `lib.systems.elaborate`. In most cases
  you will want to use the new `canExecute` predicate instead which also
--- a/pkgs/build-support/fetchurl/boot.nix
+++ b/pkgs/build-support/fetchurl/boot.nix
@ -4,12 +4,17 @@ let mirrors = import ./mirrors.nix; in

 { url ? builtins.head urls
 , urls ? []
-, sha256
+, sha256 ? ""
+, hash ? ""
 , name ? baseNameOf (toString url)
 }:

+# assert exactly one hash is set
+assert hash != "" || sha256 != "";
+assert hash != "" -> sha256 == "";
+
 import <nix/fetchurl.nix> {
-  inherit system sha256 name;
+  inherit system hash sha256 name;

  url =
    # Handle mirror:// URIs. Since <nix/fetchurl.nix> currently