New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fetchdarcs: add SSL_CERT_FILE environment variable #25251
Conversation
|
||
if md5 != "" then | ||
throw "fetchdarcs does not support md5 anymore, please use sha256" | ||
else | ||
stdenv.mkDerivation { | ||
name = "fetchdarcs"; | ||
SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be NIX_SSL_CERT_FILE
nowadays? @edolstra is there central guidance on how the variable should be used across the repo?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SSL_CERT_FILE
works. I can change this to NIX_SSL_CERT_FILE
if that's the recommendation and works all the same.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW, I just copied over this usage of SSL_CERT_FILE
from fetchbower
.
I think the idea is that `NIX_SSL_CERT_FILE` _should_ work, and if it
doesn't we probably should make it. Probably not something for this PR but
I'd leave a comment in the code that it's weird
…On Wed, Apr 26, 2017 at 18:37 Renzo Carbonara ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In pkgs/build-support/fetchdarcs/default.nix
<#25251 (comment)>:
>
if md5 != "" then
throw "fetchdarcs does not support md5 anymore, please use sha256"
else
stdenv.mkDerivation {
name = "fetchdarcs";
+ SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
SSL_CERT_FILE works. I can change this to NIX_SSL_CERT_FILE if that's the
recommendation and works all the same.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#25251 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAAKPw_V1n6lpgDqJAxDdOoiJX4ApyFZks5rz8cTgaJpZM4NJYg6>
.
|
|
@shlevy just saying because it's unclear. For example I think we amended our patch to the Go http library so that it looks for |
Oh, I don't think it's correct to do "instead" semantics. |
@copumpkin @shlevy For me this change looks somewhat confusing too. Am I right in my understading that the idea is to make sure that TLS verifications during the build (e.g. fetching sources, etc.) use a fixed set of trusted certs (the one from Aren’t similar changes necessary for all the Or could it be that we want the opposite: the system’s preferred certificates to be always used, even during the build? |
I stand corrected, |
Why does fetchdarcs need certificates at all? |
@edolstra Ah, yes, of course. Since we are checking hashes anyway, all of the |
The integrity of the downloaded file is guaranteed, sure, but the privacy of what is being requested isn't! |
This is the same as #25250 but against
release-1703
cc @shlevy @luite