
question

When using nix-prefetch-git with a --rev, do we actually need a sha256 as well?

assumption

I understand this requirement when using git with tags, since tags can be reattached to a different rev.

So my current theory is that we distrust the way git fetches or processes the files, which is addressed by passing the additional sha256 hash. Following this concept, one can compute a hash in a way that git will never be able to influence.

Correct?

nix-prefetch-git example

nix-prefetch-git https://github.com/ugorji/go --rev 9831f2c3ac1068a78f50
Initialized empty Git repository in /tmp/git-checkout-tmp-bPibjanm/go-9831f2c/.git/
remote: Counting objects: 2220, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 2220 (delta 4), reused 5 (delta 2), pack-reused 2208
Receiving objects: 100% (2220/2220), 2.39 MiB | 2.86 MiB/s, done.
Resolving deltas: 100% (1706/1706), done.
From https://github.com/ugorji/go
 * [new branch]      master     -> origin/master
 * [new tag]         v.1.1-beta -> v.1.1-beta
 * [new tag]         v1.1       -> v1.1
Switched to a new branch 'fetchgit'
removing `.git'...

git revision is 9831f2c3ac1068a78f50999a30db84270f647af6
path is /nix/store/b0z5c3m25jd60rhdyqdqr8vwjcy3q4gj-go-9831f2c
git human-readable version is v1.1
Commit date is 2018-01-12 09:19:27 -0500
hash is 0qxdq599sjwb03znlxy634mdnmfl90770wf1kk37dhzll6i84vkr
{
  "url": "https://github.com/ugorji/go",
  "rev": "9831f2c3ac1068a78f50999a30db84270f647af6",
  "date": "2018-01-12T09:19:27-05:00",
  "sha256": "0qxdq599sjwb03znlxy634mdnmfl90770wf1kk37dhzll6i84vkr",
  "fetchSubmodules": true
}
qknight

1 Answer

Your assumption that the hash is redundant is correct. Since git uses a content-addressable store, we have the guarantee that the data you retrieve matches the commit hash. There was only a nix-specific technical reason why this was needed with fetchgit.

Now that nix 2.0 has been released, the function builtins.fetchGit is built into nix, instead of being specified via a nixpkgs derivation, as fetchgit was.

So, once you upgrade to nix 2.0, there is no need anymore to specify the sha256 hash.

NB: This surprisingly also includes the impure case when only specifying branches or tags instead of commit hashes. This can be used when your use case does not require reproducibility, but you rather want the most recent commit of a certain branch. You need not fear losing your precious reproducibility, however, since there is pure-mode, which requires the revision.

knedlsepp
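The answer's claim that a full commit hash already pins the checkout rests on how git derives object ids. The following added example (written for this edit, not code from the question, the answer, nix or nixpkgs) recomputes git's blob, tree and commit ids from file contents with the standard library, using a constructed two-file checkout and a hypothetical author and commit date. It shows that the commit id is a hash over the tree id, which is in turn a hash over every blob id, so a checkout whose bytes differ from what the commit describes cannot hash back to the requested rev. The tree builder handles only a flat directory of regular files, which is all the demonstration needs.

```python
import hashlib
from typing import Dict, Optional

# Constructed commit metadata for the example (hypothetical author and date).
AUTHOR = "Example Dev <dev@example.invalid>"
TIMESTAMP = "1515766767 -0500"
MESSAGE = "pin me\n"


def git_object_id(kind: str, body: bytes) -> str:
    """git object id: SHA-1 over the header "<kind> <size>\\0" followed by the body.
    This is the same computation as `git hash-object -t <kind>`."""
    header = f"{kind} {len(body)}\0".encode("ascii")
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    """Object id of a file's contents."""
    return git_object_id("blob", content)


def tree_id(files: Dict[str, bytes]) -> str:
    """Tree object for one flat directory of regular files (mode 100644).
    git stores entries sorted by name with the raw 20-byte blob id, so any
    change to any file's bytes changes the tree id."""
    body = b""
    for name in sorted(files):
        body += b"100644 " + name.encode("utf-8") + b"\0"
        body += bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


def commit_id(files: Dict[str, bytes], parent: Optional[str] = None) -> str:
    """Commit object over the tree. The tree id is part of the hashed body,
    so the commit id transitively pins every file's contents."""
    lines = [f"tree {tree_id(files)}"]
    if parent:
        lines.append(f"parent {parent}")
    lines.append(f"author {AUTHOR} {TIMESTAMP}")
    lines.append(f"committer {AUTHOR} {TIMESTAMP}")
    body = ("\n".join(lines) + "\n\n" + MESSAGE).encode("utf-8")
    return git_object_id("commit", body)


def matches_rev(files: Dict[str, bytes], rev: str) -> bool:
    """The check a git checkout gives you for free: do the files we ended up
    with hash back to the commit id we asked for?"""
    return commit_id(files) == rev.lower()


# Constructed sample checkout (not a real repository) and a tampered copy.
ORIGINAL = {"README.md": b"# demo\n", "main.go": b"package main\n"}
TAMPERED = {"README.md": b"# demo\n", "main.go": b"package main // changed\n"}

if __name__ == "__main__":
    rev = commit_id(ORIGINAL)
    print("rev:", rev)
    print("original matches rev:", matches_rev(ORIGINAL, rev))
    print("tampered matches rev:", matches_rev(TAMPERED, rev))
```

Two points worth keeping in mind when reading this. First, the check only covers what the commit object describes: the question's own observation about tags still holds, because a tag or branch name is a mutable pointer to a commit id, not part of the hashed content. Second, git's object ids are SHA-1, so the strength of the pin is the collision resistance of SHA-1; the separate sha256 that fetchgit takes is an independent hash over the resulting store path, computed without git's involvement.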