builtin:fetchurl: Enable TLS verification (backport #11585) #11586

Merged (3 commits) on Sep 25, 2024


mergify bot commented Sep 25, 2024

Motivation

Once upon a time we disabled this because we didn't have access to the certificates in the sandbox, and verification wasn't really needed because we're checking the hash of the download afterwards. But these days we do have access to certificates in the sandbox, and features like impure derivations make the second assumption no longer valid. So let's re-enable checking.

Context

Priorities and Process

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.


This is an automatic backport of pull request #11585 done by [Mergify](https://mergify.com).

This is better for privacy and to avoid leaking netrc credentials in a
MITM attack, but also the assumption that we check the hash no longer
holds in some cases (in particular for impure derivations).

Partially reverts 5db358d.

(cherry picked from commit c04bc17)

mergify bot commented Sep 25, 2024

Cherry-pick of f2f47fa has failed:

On branch mergify/bp/2.18-maintenance/pr-11585
Your branch is ahead of 'origin/2.18-maintenance' by 1 commit.
  (use "git push" to publish your local commits)

You are currently cherry-picking commit f2f47fa72.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   tests/nixos/fetchurl.nix

Unmerged paths:
  (use "git add/rm <file>..." as appropriate to mark resolution)
	deleted by us:   tests/nixos/default.nix

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

(cherry picked from commit 7b39cd6)
(cherry picked from commit ef89879)
edolstra force-pushed the mergify/bp/2.18-maintenance/pr-11585 branch from 2a049f3 to 798e0bc on September 25, 2024 22:18
edolstra merged commit 501a805 into 2.18-maintenance on Sep 25, 2024
14 checks passed
edolstra deleted the mergify/bp/2.18-maintenance/pr-11585 branch on September 25, 2024 22:49