git: respect $SSL_CERT_FILE #14617
This allows git to work on systems without /etc/ssl/certs/ca-certificates.crt, such as OS X, instead of failing with "error setting certificate verify locations".
#if LIBCURL_VERSION_NUM >= 0x070908 | ||
set_from_env(&ssl_capath, "GIT_SSL_CAPATH"); | ||
#endif | ||
+ set_from_env(&ssl_cainfo, "SSL_CERT_FILE"); |
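Review bot: The added set_from_env(&ssl_cainfo, "SSL_CERT_FILE") call after the #endif writes to ssl_cainfo, but the GIT_SSL_CAINFO lookup is not in the visible context, so the precedence between the two variables cannot be confirmed from this hunk. If set_from_env overwrites its target whenever the variable is present, the later call wins; please make sure the GIT_SSL_CAINFO call comes after this line so the documented variable keeps priority, and add a short comment saying SSL_CERT_FILE is only a fallback. Since this variable now selects the CA bundle used for certificate verification, it also deserves a mention in the patch description.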
Maybe put it on the top of the list since it's non-standard. The official/documented envs should override the SSL_CERT_FILE if set.
Actually, this doesn't override the GIT_SSL_CAPATH, it sets ssl_capath, not ssl_cainfo, which is set below.
My bad, you're right
I think it's a good idea but would like a second opinion on this. /cc @vcunat
Right now, nixpkgs.git is unusable on OS X by default without this. (also, is there so much stuff that depends on git that isn't a fixed-output derivation?)
Also, while we're at it, we could get rid of the custom env var in fetchgit perhaps: diff --git a/pkgs/build-support/fetchgit/default.nix b/pkgs/build-support/fetchgit/default.nix
index 7f98c97..9310e34 100644
--- a/pkgs/build-support/fetchgit/default.nix
+++ b/pkgs/build-support/fetchgit/default.nix
@@ -54,7 +54,7 @@ stdenv.mkDerivation {
inherit url rev leaveDotGit fetchSubmodules deepClone branchName;
- GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
+ SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
impureEnvVars = [
# We borrow these environment variables from the caller to allow |
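Review bot: Replacing GIT_SSL_CAINFO with SSL_CERT_FILE on the changed line makes fetchgit's certificate verification depend on the git it runs honouring SSL_CERT_FILE, which, going by this PR, git only does once the patch above is applied. With any other git the variable would be ignored and the fetch would no longer be pinned to the ${cacert} bundle. Consider setting both variables, or note next to the line that it relies on the patched git. The impureEnvVars list that follows is cut off here, so also check that SSL_CERT_FILE is not among the variables borrowed from the caller.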
Any concrete requests for changes to this patch?
Nope, all good :)
Uses SSL_CERT_FILE now: NixOS/nixpkgs#14617