Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fetchdarcs: add SSL_CERT_FILE environment variable #25251

Merged
merged 1 commit into from Apr 26, 2017
Merged

fetchdarcs: add SSL_CERT_FILE environment variable #25251

merged 1 commit into from Apr 26, 2017

Conversation

k0001
Copy link
Contributor

@k0001 k0001 commented Apr 26, 2017

This is the same as #25250 but against release-1703

cc @shlevy @luite

@mention-bot
Copy link

@k0001, thanks for your PR! By analyzing the history of the files in this pull request, we identified @kosmikus, @globin and @bennofs to be potential reviewers.

copumpkin
copumpkin reviewed Apr 26, 2017
View reviewed changes
pkgs/build-support/fetchdarcs/default.nix

if md5 != "" then
throw "fetchdarcs does not support md5 anymore, please use sha256"
else
stdenv.mkDerivation {
name = "fetchdarcs";
SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be NIX_SSL_CERT_FILE nowadays? @edolstra is there central guidance on how the variable should be used across the repo?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SSL_CERT_FILE works. I can change this to NIX_SSL_CERT_FILE if that's the recommendation and works all the same.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW, I just copied over this usage of SSL_CERT_FILE from fetchbower.

@copumpkin
Copy link
Member

copumpkin commented Apr 26, 2017 via email

@shlevy
Copy link
Member

shlevy commented Apr 26, 2017

NIX_SSL_CERT_FILE is patched into our openssl, but its purpose is to avoid clashing with host tools using host certificate chain. Seems irrelevant for within builds.

@shlevy shlevy merged commit aa03833 into NixOS:release-17.03 Apr 26, 2017
@copumpkin
Copy link
Member

@shlevy just saying because it's unclear. For example I think we amended our patch to the Go http library so that it looks for NIX_SSL_CERT_FILE instead of SSL_CERT_FILE (which we had to patch in previously). So for tools that we expect to use in builds and as user tools, that's where this sort of question becomes more important, or at least it's unclear to me. If someone wrote some sort of go downloader fixed output derivation, they'd need to pass in NIX_SSL_CERT_FILE for it to work properly.

@shlevy
Copy link
Member

shlevy commented Apr 27, 2017

Oh, I don't think it's correct to do "instead" semantics. NIX_SSL_CERT_FILE should be an override.

@kirelagin
Copy link
Member

@copumpkin @shlevy For me this change looks somewhat confusing too.

Am I right in my understading that the idea is to make sure that TLS verifications during the build (e.g. fetching sources, etc.) use a fixed set of trusted certs (the one from pkgs.cacert), while making sure at the same time that the path to this bundle is never embedded in the binaries, so that during runtime binaries do their best to use a system-default location (or NIX_SSL_CERT_FILE as an override)?

Aren’t similar changes necessary for all the fetch* functions out there? For example fetchgit does not seem to override anything, which will probably result in a (minor) impurity: if my system trusted roots are different from Hydra’s it is possible that the build will fail for me locally (won’t be able to fetch surces) while succeeding on Hydra. Is that what we want to avoid?

Or could it be that we want the opposite: the system’s preferred certificates to be always used, even during the build?

@kirelagin
Copy link
Member

I stand corrected, fetchgit contains the override. But, looks like, e.g. fetchurl does not.

@edolstra
Copy link
Member

Why does fetchdarcs need certificates at all? fetchurl doesn't need them because it uses curl --insecure. This is fine because the integrity of the downloaded file is guaranteed by the hash.

@kirelagin
Copy link
Member

@edolstra Ah, yes, of course. Since we are checking hashes anyway, all of the fetch* functions should probably get rid of the pkgs.cacert dependency and just somehow force unsecure download.

@kirelagin
Copy link
Member

#26273

@shlevy
Copy link
Member

shlevy commented May 31, 2017

The integrity of the downloaded file is guaranteed, sure, but the privacy of what is being requested isn't!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@copumpkin copumpkin copumpkin left review comments

Assignees
No one assigned
Labels
6.topic: fetch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@k0001 @mention-bot @copumpkin @shlevy @kirelagin @edolstra @bjornfor @lukateras