2023-06-28

I recently released a Nix library called evil-nix. It allows downloading files without requiring a hash on the file. It even works in Nix's pure-eval mode.

evil-nix exploits Nix support for unsafe hash functions (like SHA1) in fixed-output derivations. It uses SHA1 hash collisions to sneak data from the internet out of fixed-output derivations.

Due to the implementation, evil-nix is extremely inefficient with downloading files. I don't recommend the library to actually be used in practice, but it is a neat trick.

Take a look at the README.md for more information.

tags: nixos