builtin:fetchurl: Enable TLS verification (backport #11585) #11589

Merged
merged 5 commits into from
Sep 25, 2024

mergify bot commented Sep 25, 2024

Motivation

Once upon a time we disabled this because we didn't have access to the certificates in the sandbox, and verification wasn't really needed because we're checking the hash of the download afterwards. But these days we do have access to certificates in the sandbox, and features like impure derivations make the second assumption no longer valid. So let's re-enable checking.

Context

Priorities and Process

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.


This is an automatic backport of pull request #11585 done by [Mergify](https://mergify.com).

This is better for privacy and to avoid leaking netrc credentials in a
MITM attack, but also the assumption that we check the hash no longer
holds in some cases (in particular for impure derivations).

Partially reverts 5db358d.

(cherry picked from commit c04bc17)
(cherry picked from commit f2f47fa)

# Conflicts:
#	tests/nixos/default.nix
(cherry picked from commit 7b39cd6)

mergify bot commented Sep 25, 2024

Cherry-pick of f2f47fa has failed:

On branch mergify/bp/2.21-maintenance/pr-11585
Your branch is ahead of 'origin/2.21-maintenance' by 1 commit.
  (use "git push" to publish your local commits)

You are currently cherry-picking commit f2f47fa72.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   tests/nixos/fetchurl.nix

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   tests/nixos/default.nix

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

(cherry picked from commit ef89879)
edolstra merged commit 08adfad into 2.21-maintenance Sep 25, 2024
14 of 16 checks passed
edolstra deleted the mergify/bp/2.21-maintenance/pr-11585 branch September 25, 2024 23:15