[SECURITY] File at https://nix-community.github.io/nix-installers/x86_64/nix-multi-user-2.17.1.deb has been silently modified

[the-sun-will-rise-tomorrow]

On 2024-03-31, the file at https://nix-community.github.io/nix-installers/x86_64/nix-multi-user-2.17.1.deb had the SHA-256 sum f7a72254709f700e2b804c418b1314dc326e4fa492de2375f4e68362dbc1ea46.

Today, the same URL points at a different file, with the SHA-256 sum 830093ee961ef50977ff14a450d99f18ea34479ec9188d3259cb42ebbfdf74dc.

It looks like the package may have been rebuilt with a different version of nixpkgs?

I'm not sure if this is intentional or not.

If this was intentional, I think it would be better to avoid doing this, because it breaks the ability to download a file from a known URL and then verify its integrity with a previously acquired hash.

If you need to rebuild a package even though the upstream software hasn't changed, I suggest that you introduce a packaging version, for example 2.17.1-1, 2.17.1-2, etc. For Debian packages, you may want to read https://www.debian.org/doc/debian-policy/ch-controlfields.html#version (the debian_revision field).

[SuperSandro2000]

It looks like the package may have been rebuilt with a different version of nixpkgs?

Yes, see https://github.com/nix-community/nix-installers/blob/master/.github/workflows/gh-pages.yml