From f57185db953670d6e4f334b7ad2dc79a96d703c4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 13 Mar 2017 13:31:44 +0100 Subject: [PATCH 1/2] fetch-*: remove md5 support fixes #4491 --- pkgs/build-support/fetchdarcs/default.nix | 9 ++++++--- pkgs/build-support/fetchegg/default.nix | 7 +++++-- pkgs/build-support/fetchgit/default.nix | 8 +++++--- pkgs/build-support/fetchhg/default.nix | 10 +++++----- pkgs/build-support/fetchnuget/default.nix | 5 ++++- pkgs/build-support/fetchsvn/default.nix | 7 +++++-- pkgs/build-support/fetchsvnssh/default.nix | 12 ++++++++---- pkgs/build-support/fetchurl/default.nix | 10 ++++++---- 8 files changed, 44 insertions(+), 24 deletions(-) diff --git a/pkgs/build-support/fetchdarcs/default.nix b/pkgs/build-support/fetchdarcs/default.nix index 3c2e0524eea5..2644a20d0a53 100644 --- a/pkgs/build-support/fetchdarcs/default.nix +++ b/pkgs/build-support/fetchdarcs/default.nix @@ -1,13 +1,16 @@ {stdenv, darcs, nix}: {url, rev ? null, context ? null, md5 ? "", sha256 ? ""}: +if md5 != "" then + throw "fetchdarcs does not support md5 anymore, please use sha256" +else stdenv.mkDerivation { name = "fetchdarcs"; builder = ./builder.sh; buildInputs = [darcs]; - outputHashAlgo = if sha256 == "" then "md5" else "sha256"; + outputHashAlgo = "sha256"; outputHashMode = "recursive"; - outputHash = if sha256 == "" then md5 else sha256; - + outputHash = sha256; + inherit url rev context; } diff --git a/pkgs/build-support/fetchegg/default.nix b/pkgs/build-support/fetchegg/default.nix index 3e0d5d566ad7..41d2c936e01e 100644 --- a/pkgs/build-support/fetchegg/default.nix +++ b/pkgs/build-support/fetchegg/default.nix 
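Review bot: With md5 gone, `outputHash = sha256;` in fetchdarcs passes the default `""` straight through when the caller supplies no hash, and nothing in the hunk rejects that case. The same pattern appears in the fetchegg, fetchsvn and fetchsvnssh hunks, in fetchhg (where the default is `null`), and in fetchgit, where the commit deletes `assert md5 != "" || sha256 != "";` instead of narrowing it. For a fixed-output fetcher the hash is the only integrity check on what was downloaded, so a missing one should fail in the fetcher with a clear message rather than depend on how the Nix version in use treats an empty `outputHash`. I would add a second branch such as `else if sha256 == "" then throw "fetchdarcs requires a sha256 hash"` to each fetcher, and keep `assert sha256 != "";` in fetchgit.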
@@ -4,14 +4,17 @@ { stdenv, chicken }: { name, version, md5 ? "", sha256 ? "" }: +if md5 != "" then + throw "fetchegg does not support md5 anymore, please use sha256" +else stdenv.mkDerivation { name = "chicken-${name}-export"; builder = ./builder.sh; buildInputs = [ chicken ]; - outputHashAlgo = if sha256 == "" then "md5" else "sha256"; + outputHashAlgo = "sha256"; outputHashMode = "recursive"; - outputHash = if sha256 == "" then md5 else sha256; + outputHash = sha256; inherit version; diff --git a/pkgs/build-support/fetchgit/default.nix b/pkgs/build-support/fetchgit/default.nix index e40b460d390a..d85d2c893c52 100644 --- a/pkgs/build-support/fetchgit/default.nix +++ b/pkgs/build-support/fetchgit/default.nix @@ -39,18 +39,20 @@ in server admins start using the new version? */ -assert md5 != "" || sha256 != ""; assert deepClone -> leaveDotGit; +if md5 != "" then + throw "fetchgit does not support md5 anymore, please use sha256" +else stdenv.mkDerivation { inherit name; builder = ./builder.sh; fetcher = "${./nix-prefetch-git}"; # This must be a string to ensure it's called with bash. buildInputs = [git]; - outputHashAlgo = if sha256 == "" then "md5" else "sha256"; + outputHashAlgo = "sha256"; outputHashMode = "recursive"; - outputHash = if sha256 == "" then md5 else sha256; + outputHash = sha256; inherit url rev leaveDotGit fetchSubmodules deepClone branchName; diff --git a/pkgs/build-support/fetchhg/default.nix b/pkgs/build-support/fetchhg/default.nix index 79f610166a79..aba12317963a 100644 --- a/pkgs/build-support/fetchhg/default.nix +++ b/pkgs/build-support/fetchhg/default.nix @@ -1,5 +1,8 @@ {stdenv, mercurial, nix}: {name ? null, url, rev ? null, md5 ? null, sha256 ? null, fetchSubrepos ? false}: +if md5 != null then + throw "fetchhg does not support md5 anymore, please use sha256" +else # TODO: statically check if mercurial as the https support if the url starts woth https. stdenv.mkDerivation { name = "hg-archive" + (if name != null then "-${name}" else ""); 
@@ -8,14 +11,11 @@ stdenv.mkDerivation { impureEnvVars = stdenv.lib.fetchers.proxyImpureEnvVars; - # Nix <= 0.7 compatibility. - id = md5; - subrepoClause = if fetchSubrepos then "S" else ""; - outputHashAlgo = if md5 != null then "md5" else "sha256"; + outputHashAlgo = "sha256"; outputHashMode = "recursive"; - outputHash = if md5 != null then md5 else sha256; + outputHash = sha256; inherit url rev; preferLocalBuild = true; diff --git a/pkgs/build-support/fetchnuget/default.nix b/pkgs/build-support/fetchnuget/default.nix index 95bb7b7cd8da..62b700dd81b5 100644 --- a/pkgs/build-support/fetchnuget/default.nix +++ b/pkgs/build-support/fetchnuget/default.nix @@ -8,9 +8,12 @@ attrs @ , md5 ? "" , ... }: +if md5 != "" then + throw "fetchnuget does not support md5 anymore, please use sha256" +else buildDotnetPackage ({ src = fetchurl { - inherit url sha256 md5; + inherit url sha256; name = "${baseName}.${version}.zip"; }; diff --git a/pkgs/build-support/fetchsvn/default.nix b/pkgs/build-support/fetchsvn/default.nix index 747052c1cb70..6ed34ec02763 100644 --- a/pkgs/build-support/fetchsvn/default.nix +++ b/pkgs/build-support/fetchsvn/default.nix @@ -25,14 +25,17 @@ let name_ = if name == null then "${repoName}-r${toString rev}" else name; in +if md5 != "" then + throw "fetchsvn does not support md5 anymore, please use sha256" +else stdenv.mkDerivation { name = name_; builder = ./builder.sh; buildInputs = [subversion]; - outputHashAlgo = if sha256 == "" then "md5" else "sha256"; + outputHashAlgo = "sha256"; outputHashMode = "recursive"; - outputHash = if sha256 == "" then md5 else sha256; + outputHash = sha256; inherit url rev sshSupport openssh ignoreExternals ignoreKeywords; diff --git a/pkgs/build-support/fetchsvnssh/default.nix b/pkgs/build-support/fetchsvnssh/default.nix index 6c6c03d68732..a6f3d3469f09 100644 --- a/pkgs/build-support/fetchsvnssh/default.nix +++ b/pkgs/build-support/fetchsvnssh/default.nix 
@@ -1,16 +1,20 @@ {stdenv, subversion, sshSupport ? false, openssh ? null, expect}: {username, password, url, rev ? "HEAD", md5 ? "", sha256 ? ""}: + +if md5 != "" then + throw "fetchsvnssh does not support md5 anymore, please use sha256" +else stdenv.mkDerivation { name = "svn-export-ssh"; builder = ./builder.sh; buildInputs = [subversion expect]; - outputHashAlgo = if sha256 == "" then "md5" else "sha256"; + outputHashAlgo = "sha256"; outputHashMode = "recursive"; - outputHash = if sha256 == "" then md5 else sha256; - + outputHash = sha256; + sshSubversion = ./sshsubversion.exp; - + inherit username password url rev sshSupport openssh; } diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix index 00f485ce6975..1e872fbc57a4 100644 --- a/pkgs/build-support/fetchurl/default.nix +++ b/pkgs/build-support/fetchurl/default.nix @@ -87,12 +87,14 @@ assert sha512 != "" -> builtins.compareVersions "1.11" builtins.nixVersion <= 0; let hasHash = showURLs || (outputHash != "" && outputHashAlgo != "") - || md5 != "" || sha1 != "" || sha256 != "" || sha512 != ""; + || sha1 != "" || sha256 != "" || sha512 != ""; urls_ = if urls != [] then urls else [url]; in -if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${stdenv.lib.concatStringsSep ", " urls_}" else stdenv.mkDerivation { +if md5 != "" then throw "fetchsvnssh does not support md5 anymore, please use sha256 or sha512" +else if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${stdenv.lib.concatStringsSep ", " urls_}" +else stdenv.mkDerivation { name = if showURLs then "urls" else if name != "" then name 
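Review bot: The new throw in fetchurl/default.nix names the wrong fetcher: `throw "fetchsvnssh does not support md5 anymore, please use sha256 or sha512"` looks copied from the fetchsvnssh change above it. A user who hits it from a fetchurl call is pointed at a fetcher they did not use, which makes a failed hash migration harder to trace. It should read `throw "fetchurl does not support md5 anymore, please use sha256 or sha512"`. The expression continues past the end of this hunk.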
@@ -110,9 +112,9 @@ if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${s # New-style output content requirements. outputHashAlgo = if outputHashAlgo != "" then outputHashAlgo else - if sha512 != "" then "sha512" else if sha256 != "" then "sha256" else if sha1 != "" then "sha1" else "md5"; + if sha512 != "" then "sha512" else if sha256 != "" then "sha256" else "sha1"; outputHash = if outputHash != "" then outputHash else - if sha512 != "" then sha512 else if sha256 != "" then sha256 else if sha1 != "" then sha1 else md5; + if sha512 != "" then sha512 else if sha256 != "" then sha256 else sha1; outputHashMode = if (recursiveHash || executable) then "recursive" else "flat"; From c066dc8416a6e5c3f5ae82b894a90154a6b06e37 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 20 Mar 2017 22:26:02 +0100 Subject: [PATCH 2/2] fetch-*: add md5 support removal to rl-notes --- nixos/doc/manual/release-notes/rl-1703.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml index c03bf33de8bd..76b6792aac45 100644 --- a/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixos/doc/manual/release-notes/rl-1703.xml @@ -249,6 +249,13 @@ following incompatible changes: + + + The fetch* functions no longer support md5, + please use sha256 instead. + + +
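Review bot: In the second fetchurl hunk (`@@ -110,9 +112,9 @@`), `sha1` becomes the unconditional last branch of both the `outputHashAlgo` and `outputHash` chains, so it is also what is selected when no named hash is set at all, for example when `hasHash` is satisfied only by `showURLs`. That is worth a comment, since the md5 error message already steers users to sha256 or sha512 and SHA-1 has known collision weaknesses of its own: `# sha1 is the fallback only for existing expressions; prefer sha256 or sha512`. The attribute set continues outside the hunk.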