Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fetchurl: revert enabling TLS verification when NIX_SSL_CERT_FILE #351420

Merged
merged 1 commit into from
Oct 26, 2024
Merged

fetchurl: revert enabling TLS verification when NIX_SSL_CERT_FILE #351420

merged 1 commit into from
Oct 26, 2024

Conversation

LeSuisse
Copy link
Contributor

This reverts commit f829274.

It seems to cause issues #351312. This is still something we should do but I do not have a reproducer right now nor the available time to troubleshot this quickly.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@nix-owners nix-owners bot requested a review from philiptaron October 26, 2024 12:02
@LeSuisse LeSuisse mentioned this pull request Oct 26, 2024
Closed
@emilazy
Copy link
Member

emilazy commented Oct 26, 2024

FWIW (I didn’t see the initial PR), the use of builtins.getEnv here meant that it would break depending on whether or not you were using flakes, since accessing environment variables is forbidden in pure evaluation mode, and I believe that applies even if it’s getting passed through to the builders. Probably needs a slightly different approach when we do this again (which I support).

@emilazy
Copy link
Member

emilazy commented Oct 26, 2024

For bootstrap, I suspect we may need to bundle cacert in the bootstrap tools, which might not be so bad.

@philiptaron philiptaron merged commit 71de335 into NixOS:master Oct 26, 2024
19 of 21 checks passed
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Oct 26, 2024
@LeSuisse LeSuisse deleted the fetchurl-tls-verif-revert branch October 26, 2024 14:28
@LeSuisse
Copy link
Contributor Author

FWIW (I didn’t see the initial PR), the use of builtins.getEnv here meant that it would break depending on whether or not you were using flakes, since accessing environment variables is forbidden in pure evaluation mode, and I believe that applies even if it’s getting passed through to the builders. Probably needs a slightly different approach when we do this again (which I support).

Yup but I wanted to limit the chances of breaking something and start by supporting NIX_SSL_CERT_FILE like it is the case in some other fetchers. It is still an improvement on some situations (and NIX_SSL_CERT_FILE is in impureEnvVars) and it allows us to start identifying some issues.

Anyway the curl: (77) error setting certificate file error is surprising to me when it is set to the cacert CA bundle path, I will reproduce so I can troubleshot it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jwillikers jwillikers jwillikers approved these changes

@emilazy emilazy emilazy approved these changes

@symphorien symphorien symphorien approved these changes

@philiptaron philiptaron Awaiting requested review from philiptaron

Assignees
No one assigned
Labels
6.topic: fetch 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@LeSuisse @emilazy @symphorien @jwillikers @philiptaron