fetchfossil: Depend on cacert #101542

Merged
merged 1 commit into from Nov 26, 2020
Contributor

@wahjava wahjava commented Oct 24, 2020

Without it, it'll not be able to verify SSL certificates, rendering
it mostly useless

Motivation for this change

Without this, a derivation like the following:

fetchfossil {
  name = "fossil";
  url = "https://fossil-scm.org/home";
  rev = "68a78b895e91f10d97ff33c5ea8e143ef32a6c8b";
  # please ignore the sha256, it's dummy, and not the right checksum
  sha256 = "140jp7xzskik0sb6aqjsw7z477a124cxl7dkm80m2nyzjng4pzg5";
}

results in:

building '/nix/store/inrwc972basshq180bvwzylhn6wlgpbz-fossil-archive-fossil.drv'...
Cloning Fossil https://fossil-scm.org/home [68a78b895e91f10d97ff33c5ea8e143ef32a6c8b] into /nix/store/xkmwlay3pbdqsgawlyq96bgrx77bbnxg-fossil-archive-fossil
Unable to verify SSL cert from fossil-scm.org
  subject: CN = sqlite.org
  issuer:  C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
  sha256:  6c8ef57dd980f70468e7b70c93380b54fed4319f06e80a708aa0b700dfeed736
accept this cert and continue (y/N)?
SSL cert declined
Clone done, sent: 0  received: 0  ip:
server returned an error - clone aborted
builder for '/nix/store/inrwc972basshq180bvwzylhn6wlgpbz-fossil-archive-fossil.drv' failed with exit code 1

FTR, other builders also depend on cacert.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
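
For context on what depending on cacert means for a fetcher, here is an added sketch (not the nixpkgs fetchfossil source and not this PR's diff) of a fixed-output derivation that makes a CA bundle visible to fossil inside the build sandbox. Setting `SSL_CERT_FILE` explicitly and the `buildCommand` body are assumptions made for illustration.

```nix
# Added sketch: a fossil fetcher that ships its own trust anchors.
# Not the nixpkgs implementation; attribute choices below are assumptions.
{ stdenv, fossil, cacert }:

{ name ? null, url, rev, sha256 }:

stdenv.mkDerivation {
  # Matches the "fossil-archive-<name>" store path naming seen in the log above.
  name = "fossil-archive" + (if name != null then "-${name}" else "");

  # fossil performs the HTTPS clone; cacert provides the CA bundle it
  # needs to validate the server certificate. The sandbox has no
  # system-wide /etc/ssl, so the bundle must come from the store.
  nativeBuildInputs = [ fossil cacert ];

  # Assumption: point OpenSSL at the bundle explicitly instead of
  # relying on any setup hook to export the variable.
  SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";

  # Fixed-output derivation: network access is permitted, and the
  # result is rejected unless it matches the declared hash.
  outputHashAlgo = "sha256";
  outputHashMode = "recursive";
  outputHash = sha256;

  buildCommand = ''
    # fossil keeps its per-user configuration under $HOME.
    export HOME="$PWD"

    # With a usable CA bundle the certificate is verified
    # non-interactively; there is nobody to answer a y/N prompt here.
    fossil clone "${url}" repo.fossil

    mkdir checkout && cd checkout
    fossil open ../repo.fossil "${rev}"

    # Remove the checkout database so only source files land in $out.
    fossil close
    cd .. && mv checkout "$out"
  '';
}
```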
