mmonit release artifacts change hash regularly
I made a nix expression for building mmonit for my server:
{ stdenv, autoPatchelfHook, coreutils }:

stdenv.mkDerivation rec {
  pname = "mmonit";
  version = "3.7.12";

  src = builtins.fetchTarball {
    url = "https://mmonit.com/dist/mmonit-${version}-linux-x64.tar.gz";
    sha256 = "sha256:0bpn05zzzdg6plnza6q79bjswxwamjvzi0b51f5c77zsc5pnlvq0";
  };

  nativeBuildInputs = [
    autoPatchelfHook
  ];

  buildInputs = [
    coreutils
  ];

  dontConfigure = true;
  dontBuild = true;

  installPhase = ''
    runHook preInstall
    mkdir -p $out
    cp -r $src/{bin,conf,doc,docroot,lib,upgrade} $out
    cp -r $src/db $out/db-template
    ln -s /var/lib/mmonit/logs $out/logs
    ln -s /var/lib/mmonit/db $out/db
    runHook postInstall
  '';
}
However, when I try to build it on another machine later, it fails. This is because the tarballs released on the mmonit website get changed regularly. I used diffoscope to see the change:
$ diffoscope /nix/store/3i8dir8scrz1l30fg8lj6i0zplrwl4qy-source /nix/store/6zak8139m6x42vjfqhiysd402f6smzv0-source
--- /nix/store/3i8dir8scrz1l30fg8lj6i0zplrwl4qy-source
+++ /nix/store/6zak8139m6x42vjfqhiysd402f6smzv0-source
│ --- /nix/store/3i8dir8scrz1l30fg8lj6i0zplrwl4qy-source/conf
├── +++ /nix/store/6zak8139m6x42vjfqhiysd402f6smzv0-source/conf
│ │ --- /nix/store/3i8dir8scrz1l30fg8lj6i0zplrwl4qy-source/conf/license.xml
│ ├── +++ /nix/store/6zak8139m6x42vjfqhiysd402f6smzv0-source/conf/license.xml
│ │ │ --- /nix/store/3i8dir8scrz1l30fg8lj6i0zplrwl4qy-source/conf/license.xml
│ │ ├── +++ /nix/store/6zak8139m6x42vjfqhiysd402f6smzv0-source/conf/license.xml
│ │ │ @@ -1,6 +1,6 @@
│ │ │ <?xml version="1.0" encoding="utf-8"?>
│ │ │ +<License owner="M/Monit Trial License">RWHF4G37EI-JP4OL76I54-WCVZ7ME6LW-KNKTFPA7LX-45NLVXAEHE
│ │ │ + TG64MK2FPH-LNWTQHR765-YXDN2RUUCO-4XMONVVEDT-KZ4HDMI3ZH
│ │ │ + XLKCWK5O4J-HOAYAYOOVO-E5UQSIMFIV-S35TY7VZWX-XN3RBBNUIH
│ │ │ + UVB55MNYLE-IPXIHYNCNK-YFXVZKSZB6-RUQQTJKYAW-A6YZ5R7TND
│ │ │ + KRITS</License>
│ │ │ -<License owner="M/Monit Trial License">MLM2MC2QXC-K4B3DV665E-YYGZODO7RG-H7IV7BP6W6-YSIMKXSGHJ
│ │ │ - OAMRLOZMUX-GE53JMF7FE-M3BHSOA5FI-FTO2REL3LH-RNOXD6NTDU
│ │ │ - XQNONFAICB-J7SW6NEDGA-UUFHG6IG7Z-URHUWTKW7O-T3O7BVFAC7
│ │ │ - HF4KNQGQM6-AGWDOVQF22-EEDPBIUPAX-YWTGMPKX3V-IKUQFWSRPQ
│ │ │ - S7QJO</License>
So it seems that the trial license gets updated over time. It seems like this is a nice convenience feature for people installing mmonit for the first time, but it creates a software reproducibility and maybe minor security issue, in that I cannot trust that an artifact at a given URL will have a consistent hash over time.
One possible solution would be to publish the trial license separately, or maybe dynamically fetch a trial license if one does not exist?
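One way to keep the fixed-output hash stable while upstream keeps rotating the embedded trial license, as an added example that is neither the reporter's expression nor anything shipped by the mmonit project: fetch the tarball with nixpkgs' fetchzip, delete conf/license.xml in postFetch before the unpacked tree is hashed, and point the installed conf at a license managed outside the store. The hash is lib.fakeHash, a placeholder to be replaced with the value Nix reports on the first build; the /var/lib/mmonit paths are assumptions.

```nix
{ lib, stdenv, fetchzip, autoPatchelfHook, coreutils }:

stdenv.mkDerivation rec {
  pname = "mmonit";
  version = "3.7.12";

  # Fixed-output fetch: the hash is computed over the unpacked tree *after*
  # postFetch has run, so removing the rotating trial license makes the
  # hash independent of which license upstream embedded that week.
  # Any other change to the tarball (binaries, libs, config) still fails
  # the hash check, which is the property we actually want.
  src = fetchzip {
    url = "https://mmonit.com/dist/mmonit-${version}-linux-x64.tar.gz";
    postFetch = ''
      rm -f "$out/conf/license.xml"
    '';
    # Placeholder (lib.fakeHash): build once, then paste the "got:" hash
    # that Nix prints into this field.
    hash = lib.fakeHash;
  };

  nativeBuildInputs = [ autoPatchelfHook ];
  buildInputs = [ coreutils ];

  dontConfigure = true;
  dontBuild = true;

  installPhase = ''
    runHook preInstall
    mkdir -p $out
    cp -r $src/{bin,conf,doc,docroot,lib,upgrade} $out
    cp -r $src/db $out/db-template
    # Directories copied out of the store are read-only; make conf writable
    # so the license symlink can be created inside it.
    chmod u+w $out/conf
    # Mutable state and the license live outside the store (assumed paths);
    # the license file is supplied by the operator, not baked into the build.
    ln -s /var/lib/mmonit/logs $out/logs
    ln -s /var/lib/mmonit/db $out/db
    ln -s /var/lib/mmonit/license.xml $out/conf/license.xml
    runHook postInstall
  '';
}
```

With this arrangement a re-released tarball that differs only in conf/license.xml reproduces the same store path, and any other difference still surfaces as a hash mismatch rather than being silently accepted.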
Comments (2)
repo owner: Hello Ryan, yes, you're right, the embedded trial license is updated regularly, so it changes the package checksum.
We'll modify the trial license in the future release. We have a framework for an external trial license already, but we use it just for the MacOS package.