Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

git: respect $SSL_CERT_FILE #14617

Merged
merged 1 commit into from
Apr 29, 2016
Merged

git: respect $SSL_CERT_FILE #14617

merged 1 commit into from
Apr 29, 2016

Conversation

edef1c
Copy link
Member

@edef1c edef1c commented Apr 12, 2016

This allows git to work on systems without
/etc/ssl/certs/ca-certificates.crt, such as OS X, instead of failing
with "error setting certificate verify locations".

Things done
  • Tested using sandboxing (nix-build --option build-use-chroot true or nix.useChroot on NixOS)
  • Built on platform(s)
    • NixOS
    • OS X
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

This allows git to work on systems without
/etc/ssl/certs/ca-certificates.crt, such as OS X, instead of failing
with "error setting certificate verify locations".
@mention-bot
Copy link

By analyzing the blame information on this pull request, we identified @peti, @edolstra and @zimbatm to be potential reviewers

#if LIBCURL_VERSION_NUM >= 0x070908
set_from_env(&ssl_capath, "GIT_SSL_CAPATH");
#endif
+ set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe put it on the top of the list since it's non-standard. the official/documented envs should override the SSL_CERT_FILE if set.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, this doesn't override the GIT_SSL_CAPATH, it sets ssl_capath, not ssl_cainfo, which is set below.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My bad, you're right

@zimbatm zimbatm added 0.kind: enhancement Add something new 1.severity: mass-rebuild This PR causes a large number of packages to rebuild labels Apr 12, 2016
@zimbatm
Copy link
Member

zimbatm commented Apr 12, 2016

I think it's a good idea but would like a second opinion on this. /cc @vcunat

@edef1c
Copy link
Member Author

edef1c commented Apr 14, 2016

Right now, nixpkgs.git is unusable on OS X by default without this. (also, is there so much stuff that depends on git that isn't a fixed-output derivation?)

@edef1c
Copy link
Member Author

edef1c commented Apr 14, 2016

Also, while we're at it, we could get rid of the custom env var in fetchgit perhaps:

diff --git a/pkgs/build-support/fetchgit/default.nix b/pkgs/build-support/fetchgit/default.nix
index 7f98c97..9310e34 100644
--- a/pkgs/build-support/fetchgit/default.nix
+++ b/pkgs/build-support/fetchgit/default.nix
@@ -54,7 +54,7 @@ stdenv.mkDerivation {

   inherit url rev leaveDotGit fetchSubmodules deepClone branchName;

-  GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
+  SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";

   impureEnvVars = [
     # We borrow these environment variables from the caller to allow

@peti peti added 9.needs: reporter feedback This issue needs the person who filed it to respond and removed 1.severity: mass-rebuild This PR causes a large number of packages to rebuild labels Apr 14, 2016
@edef1c
Copy link
Member Author

edef1c commented Apr 29, 2016

Any concrete requests for changes to this patch?

@zimbatm zimbatm merged commit d2b176a into NixOS:master Apr 29, 2016
@zimbatm
Copy link
Member

zimbatm commented Apr 29, 2016

Nope, all good :)

@edef1c edef1c deleted the git-ssl-cert-file branch May 1, 2016 08:40
svend pushed a commit to svend/dotfiles that referenced this pull request May 1, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
0.kind: enhancement Add something new 9.needs: reporter feedback This issue needs the person who filed it to respond
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants