treewide: Migrate rev -> tag batch 1

[guylamar2006]

Migrate rev -> tag

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• Nixpkgs 25.11 Release Notes (or backporting 24.11 and 25.05 Nixpkgs Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
• NixOS 25.11 Release Notes (or backporting 24.11 and 25.05 NixOS Release notes)
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other contributing documentation in corresponding paths.

---

Add a 👍 reaction to pull requests you find important.

[guylamar2006]

nixpkgs-review result

Generated using nixpkgs-review-gha

Command: nixpkgs-review pr 418147

Logs: https://github.com/guylamar2006/nixpkgs-review-gha/actions/runs/15758131262

[liberodark]

nixpkgs-review result

Generated using nixpkgs-review-gha

Command: nixpkgs-review pr 418147

Logs: https://github.com/liberodark/nixpkgs-review-gha/actions/runs/15758223202

[liberodark]

LTGM

[hadilq]

I always prefer rev over tag since a tag can be reassigned to another commit. Are you sure it's okay from security perspective?

[drupol]

I always prefer rev over tag since a tag can be reassigned to another commit. Are you sure it's okay from security perspective?

Yes, let's say you create a tag that has the same value as a revision. In that case, doing

rev = version;

or

tag = version;

Will not be different, and that is clearly an issue. This is why, people started to use:

rev = "refs/tags/${version}";

To explicitly use a tag and not a revision.

This is precisely why the tag attribute has been created. It's actually a shortcut to ref = refs/tags/${value};, e.g.:

nixpkgs/pkgs/build-support/fetchgithub/default.nix

Line 110 in dfcf351

revWithTag = if tag != null then "refs/tags/${tag}" else rev;

[hadilq]

I always prefer rev over tag since a tag can be reassigned to another commit. Are you sure it's okay from security perspective?

Yes, let's say you create a tag that has the same value as a revision. In that case, doing

rev = version;

or

tag = version;

Will not be different, and that is clearly an issue. This is why, people started to use:

rev = "refs/tags/${version}";

To explicitly use a tag and not a revision.

This is precisely why the tag attribute has been created. It's actually a shortcut to ref = refs/tags/${value};, e.g.:

nixpkgs/pkgs/build-support/fetchgithub/default.nix

Line 110 in dfcf351

revWithTag = if tag != null then "refs/tags/${tag}" else rev;

thank you for explaining! but changes in this PR are rev -> tag, not ref = ref/tags/ -> tag =. I understand the convenience this changes providing, but still I think keeping rev makes more sense due to the fact that upstream can reassign tags, but not rev.

[drupol]

Yes, but here the revs are tags actually, so, what's in this PR is legit.

[hadilq]

Yes, but here the revs are tags actually, so, what's in this PR is legit.

I really doubt that this is a good move. in fact one of the reasons I like nixos is that it's encouraging using hashes to refer to source codes. is there any documentation or design behind these changes?

[hadilq]

I forgot to mention that this move is on the opposite direction of forcing reproducibility principle! reproducibility was the goal of nix and as far as i know it still is. if we go to this path we basically will add a new class of bugs, which i use nix to prevent them!

[drupol]

Could you please make your point? I still don't get it.

Why would you prefer:

rev = version;

over

tag = version;

?

[hadilq]

Could you please make your point? I still don't get it.

Why would you prefer:

rev = version;

over

tag = version;

?

I checked the changes again. All of them have sha-256 hash, so I guess I am okay! thank you for bearing with me! 😄

[drupol]

I checked the changes again. All of them have sha-256 hash, so I guess I am okay! thank you for bearing with me! 😄

That's precisely wrong. If the version attribute is not a human readable version (aka, a hash), then switching to tag is wrong. Can you please clarify again? I guess you meant that all the versions attributes are human readable tags (aka, not a git commit id)?

[hadilq]

That's precisely wrong. If the version attribute is not a human readable version (aka, a hash), then switching to tag is wrong. Can you please clarify again? I guess you meant that all the versions attributes are human readable tags (aka, not a git commit id)?

yes I confirm the versions are human readable, but what makes me sure the tags didn't move is the existence of sha-256 beside the tags. I already approved. 🙂

[drupol]

yes I confirm the versions are human readable, but what makes me sure the tags didn't move is the existence of sha-256 beside the tags. I already approved. 🙂

Of course, but a hash is mandatory if you have a rev as well! :)

[JohnRTitor]

nixpkgs-review result

Generated using nixpkgs-review-gha

Command: nixpkgs-review pr 418147

Logs: https://github.com/JohnRTitor/nixpkgs-review-gha/actions/runs/15807346321