stdenv: set SSL_CERT_FILE only if it isn't already #13445

Merged
merged 1 commit into from
Feb 25, 2016


abbradar
Member

This would fix fetchcargo breakage caused by it setting SSL_CERT_FILE in the derivation, which would later be overridden by stdenv. This is very low-priority because a workaround is available (testing in progress), but sounds nice to fix.

Things done:

(Other points are removed because they are not applicable there IMHO)

@abbradar abbradar added the 1.severity: mass-rebuild This PR causes a large number of packages to rebuild label Feb 25, 2016
@mention-bot

By analyzing the blame information on this pull request, we identified @edolstra, @urkud and @vcunat to be potential reviewers

@domenkozar
Member

Did you check the original commit that added this and check that it still fits the purpose?

@abbradar
Member Author

The original hack was added in 788da68. Its purpose IIUC is to force SSL to skip searching for the CA bundle in system paths (which it does when the variable is not set) and fail instead. Therefore, if the variable is set by the derivation already, it can be assumed that its author intended SSL to find its CA bundle where pointed. Search in system paths would be skipped either way.

cc @edolstra to check my reasoning

EDIT: By SSL here I mean SSL-as-library for some language (OpenSSL, LibreSSL, rust-ssl and so on).
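
The before and after behaviour discussed in this thread, as an added shell sketch that is not the stdenv code from the commit. The function names and the `/constructed/ca-bundle.crt` path are hypothetical, and treating an empty value the same as an unset one is an assumption.

```shell
#!/bin/sh
# Added illustration only: these function names are hypothetical, not stdenv's.

NO_CERT=/no-cert-file.crt   # sentinel path quoted in this thread

# Behaviour before the PR: stdenv always overrides the variable, so a value
# set by the derivation (the fetchcargo case) is lost.
apply_ssl_always() {
    SSL_CERT_FILE=$NO_CERT
    export SSL_CERT_FILE
}

# Behaviour after the PR: only fall back to the sentinel when the derivation
# left the variable unset (assumption: an empty value counts as unset too).
apply_ssl_default() {
    if [ -z "${SSL_CERT_FILE:-}" ]; then
        SSL_CERT_FILE=$NO_CERT
        export SSL_CERT_FILE
    fi
}

# Run one policy in a subshell with a given starting value and print the
# value an SSL library would then see.
#   $1 = policy function, $2 = "unset" or the derivation's initial value
effective_cert_file() {
    (
        if [ "$2" = "unset" ]; then
            unset SSL_CERT_FILE
        else
            SSL_CERT_FILE=$2
        fi
        "$1"
        printf '%s\n' "$SSL_CERT_FILE"
    )
}

# Constructed sample: a derivation that points at its own CA bundle.
effective_cert_file apply_ssl_always  /constructed/ca-bundle.crt
effective_cert_file apply_ssl_default /constructed/ca-bundle.crt
effective_cert_file apply_ssl_default unset
```

In every case the variable ends up set, so the library never falls back to searching system paths; only the derivation-set case changes between the two policies.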

edolstra added a commit that referenced this pull request Feb 25, 2016
stdenv: set SSL_CERT_FILE only if it isn't already
@edolstra edolstra merged commit fe19d0a into NixOS:staging Feb 25, 2016
@vcunat
Member

vcunat commented Mar 21, 2016

I probably don't fully understand the advantages of setting SSL_CERT_FILE=/no-cert-file.crt. It seems to be of no use if one builds with sandboxing and only little use when building without it. Note that it breaks https in nix-shell, and people tend to expect that to work, at least without --pure.

@peti
Member

peti commented Mar 21, 2016

I also believe that this change is of dubious value because of the reasons given in #13744 (comment).

@vcunat
Member

vcunat commented Mar 21, 2016

Oh, thanks for the link. It's hard to find one's way in our heap of tickets.
