Abusing SHA-1 collisions for Chromium updates

Aside | Posted on by

Abusing SHA-1 collisions for Chromium updates

XXX: This is essentially the same as:

… except that tryEval on fetchurl isn’t working and doesn’t catch

errors for fetchurl, so we go for a different approach. We only have fixed-output derivations that can have networking access, so

we abuse SHA1 and its weaknesses to forge a fixed-output derivation which

is not so fixed, because it emits different contents that have the same

Using this method, we can distinguish whether the URL is available or

Unfortunately there’s no older version than

# We only support GNU/Linux right now. # This file is autogenerated from update.sh in the same directory.

Source: github.com