unbound: fetch source from GitHub

To avoid a xz-style supply chain attack. Signed-off-by: Sefa Eyeoglu <[email protected]> (cherry picked from commit c011c36)
NixOS · Dec 9, 2024 · 5c4e0f8 · 5c4e0f8
1 parent afeba73
commit 5c4e0f8
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix
@@ -1,9 +1,10 @@
 { stdenv
 , lib
-, fetchurl
+, fetchFromGitHub
 , openssl
 , nettle
 , expat
+, flex
 , libevent
 , libsodium
 , protobufc
@@ -52,17 +53,19 @@ stdenv.mkDerivation (finalAttrs: {
   pname = "unbound";
   version = "1.22.0";
 
-  src = fetchurl {
-    url = "https://nlnetlabs.nl/downloads/unbound/unbound-${finalAttrs.version}.tar.gz";
-    hash = "sha256-xd0b3vXVaFss7bdJFY3RUsUtRPZVKaNKwVzYjUsbPUM=";
+  src = fetchFromGitHub {
+    owner = "NLnetLabs";
+    repo = "unbound";
+    rev = "refs/tags/release-${finalAttrs.version}";
+    hash = "sha256-CFsd8tdFL+JbxmDZoWdStvWcs9azSaLtMG8Ih5oXE/A=";
   };
 
   outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
 
   nativeBuildInputs =
     lib.optionals withMakeWrapper [ makeWrapper ]
     ++ lib.optionals withDNSTAP [ protobufc ]
-    ++ [ pkg-config ]
+    ++ [ pkg-config flex ]
     ++ lib.optionals withPythonModule [ swig ];
 
   buildInputs = [ openssl nettle expat libevent ]