Demi Marie Obenour writes:

> I used an empty string for the hashes in 'gitfetch' and
> 'buildRustPackage'. This is, of course, incorrect. The correct value
> according to my own testing is
> "sha256-EOMkQ0aPRjsowdGuZjy5K1yKyKEzd5AVYxaECTz7n6k=" (git hash) and
> "sha256-k3dmxIuCQoOrn/VwauTdzuRw/XKQB6LPLgO5ql0rE7E=" (cargoHash).
> However, these should be validated before applying them, which is why I
> didn't include them in the patch themselves. This is a security
> precaution: anyone who wants to inject malicious content must serve it
> to multiple people, not just one.

Even if you had included the hashes, I'd still have had to download the resources myself, so they'd still have had to serve the malicious content to me, too. I don't have access to your cached downloads.

If anything, including the hashes would have been of benefit, because then I'd have had something to compare mine to.

(Not that it's a substantial threat in any case.)