From: Tobias Geerinckx-Rice via Bug reports for GNU Guix <bug-guix@gnu.org>
To: mail@brendan.scot
Cc: 58561@debbugs.gnu.org
Subject: bug#58561: Source hash mismatch with aggregator + possible guix bug with hashes.
Date: Sun, 16 Oct 2022 11:45:00 +0200 [thread overview]
Message-ID: <87y1tgulqk.fsf@nckx> (raw)
In-Reply-To: <0df50579-d645-5a43-d558-4c49e503bb57@brendan.scot>
[-- Attachment #1: Type: text/plain, Size: 1609 bytes --]
Hi Brendan,
Oh! This is a fun one!
Brendan Tildesley 写道:
> However what concerned me more is that when I look in the source
> code
> it looks like this:
>
> (sha256
> (base32
> "9yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8"))
>
>
> Notice how at the start its a '9', not a '1'?
[…]
> Is there a bug with how guix is reading/writing sha256 hashes?
It's… not a bug. It's the opposite, kind of, although maybe
(probably) Guix could (should) reject clearly bogus input like
this.
What's happening is this:
In what can be described only as a bizarre coincidence, sha256
produces hashes that are 256 bits long.
Base32¹ encodes 5 bits per character. Our ‘hash’ strings are
currently 52 characters long, meaning they encode 260 bits.
If you poke around Guix, you'll notice that every valid base32
‘sha256’ hash starts with a 0 or a 1, because those 4 leftmost
bits are never used, and hence set to zero.
In the case of this "9…" ‘hash’ (which was random data, I guess?),
Guix still reads only 256 bits of the 260, and ignores those 4
‘extra’ leftmost bits.
When it later prints the hash, it converts those 256 bits back to
base32, now padded with zeroes, and you see a ‘hash’ starting with
1.
What Guix could do is refuse to continue when it detects set
higher bits, as they always indicate programmer error.
Kind regards,
T G-R
1: Guix uses ‘nix-base32’ which uses a slightly different alphabet
from the more common base32 variant, but is otherwise identical in
operation.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]
next prev parent reply other threads:[~2022-10-16 10:05 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-16 3:42 bug#58561: Source hash mismatch with aggregator + possible guix bug with hashes Brendan Tildesley
2022-10-16 4:13 ` bug#58561: [PATCH 1/2] gnu: akregator: Correct source hash 'Brendan Tildesley
2022-10-16 4:33 ` bug#58561: [PATCH 2/2] gnu: akregator: Fix build 'Brendan Tildesley
2022-10-16 5:39 ` phodina via Bug reports for GNU Guix
2022-10-17 11:42 ` Marius Bakke
2022-10-17 21:19 ` Brendan Tildesley
2022-10-16 9:45 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix [this message]
2022-10-17 8:49 ` bug#58561: Source hash mismatch with aggregator + possible guix bug with hashes zimoun
2022-10-17 8:44 ` zimoun
2022-10-17 18:29 ` phodina via Bug reports for GNU Guix
2023-05-13 1:56 ` Brendan Tildesley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y1tgulqk.fsf@nckx \
--to=bug-guix@gnu.org \
--cc=58561@debbugs.gnu.org \
--cc=mail@brendan.scot \
--cc=me@tobias.gr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).