Don't statically depend on cacert for certificates

This reverts commit cd52c044568bdf1108428698048a9af92dc0b625 and
others.

Managing certificates (including revoking certificates and adding
custom certificates) becomes extremely painful if every package in the
system potentially depends on a different copy of cacert. Also, it
makes updating cacert rather expensive, since every package that
depends on it has to be rebuilt.
Eelco Dolstra 2015-07-31 01:30:15 +02:00
parent 23562aad59
commit 55932c1bec
17 changed files with 34 additions and 49 deletions


@ -1,7 +1,7 @@
{ fetchurl, stdenv, m4, glibc, gtk3, libexif, libgphoto2, libsoup, libxml2, vala, sqlite { fetchurl, stdenv, m4, glibc, gtk3, libexif, libgphoto2, libsoup, libxml2, vala, sqlite
, webkitgtk24x, pkgconfig, gnome3, gst_all_1, which, udev, libraw, glib, json_glib , webkitgtk24x, pkgconfig, gnome3, gst_all_1, which, udev, libraw, glib, json_glib
, gettext, desktop_file_utils, lcms2, gdk_pixbuf, librsvg, makeWrapper , gettext, desktop_file_utils, lcms2, gdk_pixbuf, librsvg, makeWrapper
, gnome_doc_utils, hicolor_icon_theme, cacert }: , gnome_doc_utils, hicolor_icon_theme }:
# for dependencies see http://www.yorba.org/projects/shotwell/install/ # for dependencies see http://www.yorba.org/projects/shotwell/install/


@ -1,5 +1,5 @@
{ stdenv, fetchurl, pkgconfig, libsoup, webkit, gtk, glib_networking { stdenv, fetchurl, pkgconfig, libsoup, webkit, gtk, glib_networking
, gsettings_desktop_schemas, makeWrapper, cacert , gsettings_desktop_schemas, makeWrapper
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
@ -11,11 +11,6 @@ stdenv.mkDerivation rec {
sha256 = "0h9m5qfs09lb0dz8a79yccmm3a5rv6z8gi5pkyfh8fqkgkh2940p"; sha256 = "0h9m5qfs09lb0dz8a79yccmm3a5rv6z8gi5pkyfh8fqkgkh2940p";
}; };
# Nixos default ca bundle
patchPhase = ''
sed -i s,/etc/ssl/certs/ca-certificates.crt,${cacert}/etc/ssl/certs/ca-bundle.crt, src/config.def.h
'';
buildInputs = [ makeWrapper gtk libsoup pkgconfig webkit gsettings_desktop_schemas ]; buildInputs = [ makeWrapper gtk libsoup pkgconfig webkit gsettings_desktop_schemas ];
makeFlags = [ "PREFIX=$(out)" ]; makeFlags = [ "PREFIX=$(out)" ];


@ -1,5 +1,5 @@
{ stdenv, fetchurl, makeWrapper, glib, glib_networking, gtk, libsoup, libX11, perl, { stdenv, fetchurl, makeWrapper, glib, glib_networking, gtk, libsoup, libX11, perl,
pkgconfig, webkit, gsettings_desktop_schemas, cacert }: pkgconfig, webkit, gsettings_desktop_schemas }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
version = "1.4.2"; version = "1.4.2";
@ -9,11 +9,6 @@ stdenv.mkDerivation rec {
sha256 = "13jdximksh9r3cgd2f8vms0pbsn3x0gxvyqdqiw16xp5fmdx5kzr"; sha256 = "13jdximksh9r3cgd2f8vms0pbsn3x0gxvyqdqiw16xp5fmdx5kzr";
}; };
# Nixos default ca bundle
patchPhase = ''
sed -i s,/etc/ssl/certs/ca-certificates.crt,${cacert}/etc/ssl/certs/ca-bundle.crt, config.h
'';
buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ]; buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ];
installPhase = '' installPhase = ''


@ -1,5 +1,5 @@
{ stdenv, buildEnv, fetchgit, fetchurl, makeWrapper, bundlerEnv, bundler_HEAD { stdenv, buildEnv, fetchgit, fetchurl, makeWrapper, bundlerEnv, bundler_HEAD
, ruby, libxslt, libxml2, sqlite, openssl, cacert, docker , ruby, libxslt, libxml2, sqlite, openssl, docker
, dataDir ? "/var/lib/panamax-api" }: , dataDir ? "/var/lib/panamax-api" }:
with stdenv.lib; with stdenv.lib;
@ -62,7 +62,7 @@ stdenv.mkDerivation rec {
--prefix "PATH" : "$out/share/panamax-api/bin:${env.ruby}/bin:$PATH" \ --prefix "PATH" : "$out/share/panamax-api/bin:${env.ruby}/bin:$PATH" \
--prefix "HOME" : "$out/share/panamax-api" \ --prefix "HOME" : "$out/share/panamax-api" \
--prefix "GEM_HOME" : "${env}/${env.ruby.gemPath}" \ --prefix "GEM_HOME" : "${env}/${env.ruby.gemPath}" \
--prefix "SSL_CERT_FILE" : "${cacert}/etc/ssl/certs/ca-bundle.crt" \ --prefix "SSL_CERT_FILE" : /etc/ssl/certs/ca-certificates.crt \
--prefix "GEM_PATH" : "$out/share/panamax-api:${bundler}/${env.ruby.gemPath}" --prefix "GEM_PATH" : "$out/share/panamax-api:${bundler}/${env.ruby.gemPath}"
''; '';
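Review bot: `--prefix "SSL_CERT_FILE" : /etc/ssl/certs/ca-certificates.crt` treats a single-file variable as a colon-separated list: if the caller already exports SSL_CERT_FILE (a corporate or test CA, say), the wrapper produces `/etc/ssl/certs/ca-certificates.crt:/their/ca.pem`, which OpenSSL cannot open, so Ruby's TLS verification fails instead of using either bundle. Use `--set "SSL_CERT_FILE" /etc/ssl/certs/ca-certificates.crt` if the intent is to pin the system bundle, or drop the line if callers should be able to override it. The `HOME` line above has the same shape, but it is context rather than part of this change. The wrapProgram call these flags belong to starts outside the hunk.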


@ -1,12 +1,12 @@
{ stdenv, fetchurl, dpkg, openssl, alsaLib, libXext, libXfixes, libXrandr { stdenv, fetchurl, dpkg, openssl, alsaLib, libXext, libXfixes, libXrandr
, libjpeg, curl, libX11, libXmu, libXv, libXtst, qt4, mesa, zlib , libjpeg, curl, libX11, libXmu, libXv, libXtst, qt4, mesa, zlib
, gnome, libidn, rtmpdump, c-ares, openldap, makeWrapper, cacert , gnome, libidn, rtmpdump, c-ares, openldap, makeWrapper
}: }:
assert stdenv.system == "x86_64-linux"; assert stdenv.system == "x86_64-linux";
let let
curl_custom = curl_custom =
stdenv.lib.overrideDerivation curl (args: { stdenv.lib.overrideDerivation curl (args: {
configureFlags = args.configureFlags ++ ["--with-ca-bundle=${cacert}/etc/ssl/certs/ca-bundle.crt"] ; configureFlags = args.configureFlags ++ ["--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"] ;
} ); } );
in in
stdenv.mkDerivation { stdenv.mkDerivation {
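Review bot: With `--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt` the trust store for this custom curl is resolved on the host at runtime, and because Skype presumably links libcurl rather than invoking the curl tool, the `CURL_CA_BUNDLE` environment override that the tool honours does not apply here (as far as I know libcurl only uses what the application passes via CURLOPT_CAINFO or the compiled-in default). On a host where that file is absent, peer verification should fail closed rather than silently skip, which is the right outcome but deserves a comment so nobody "fixes" it by turning verification off: `# Host bundle, not ${cacert}; libcurl has no env override, so TLS fails if the file is missing.` The `let` binding is fully inside the hunk; the mkDerivation body that consumes curl_custom continues outside it.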


@ -1,5 +1,5 @@
{ stdenv, fetchurl, pkgconfig, libxslt, telepathy_glib, libxml2, dbus_glib, dbus_daemon { stdenv, fetchurl, pkgconfig, libxslt, telepathy_glib, libxml2, dbus_glib, dbus_daemon
, sqlite, libsoup, libnice, gnutls, cacert }: , sqlite, libsoup, libnice, gnutls }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "telepathy-gabble-0.18.2"; name = "telepathy-gabble-0.18.2";
@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
buildInputs = [ libxml2 dbus_glib sqlite libsoup libnice telepathy_glib gnutls ] buildInputs = [ libxml2 dbus_glib sqlite libsoup libnice telepathy_glib gnutls ]
++ stdenv.lib.optional doCheck dbus_daemon; ++ stdenv.lib.optional doCheck dbus_daemon;
configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt"; configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt";
enableParallelBuilding = true; enableParallelBuilding = true;
doCheck = true; doCheck = true;


@ -1,6 +1,6 @@
{ stdenv, fetchurl, ncurses, openssl, perl, python, aspell, gnutls { stdenv, fetchurl, ncurses, openssl, perl, python, aspell, gnutls
, zlib, curl , pkgconfig, libgcrypt, ruby, lua5, tcl, guile , zlib, curl , pkgconfig, libgcrypt, ruby, lua5, tcl, guile
, pythonPackages, cacert, cmake, makeWrapper, libobjc , pythonPackages, cmake, makeWrapper, libobjc
, extraBuildInputs ? [] }: , extraBuildInputs ? [] }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
@ -15,11 +15,11 @@ stdenv.mkDerivation rec {
buildInputs = buildInputs =
[ ncurses perl python openssl aspell gnutls zlib curl pkgconfig [ ncurses perl python openssl aspell gnutls zlib curl pkgconfig
libgcrypt ruby lua5 tcl guile pythonPackages.pycrypto makeWrapper libgcrypt ruby lua5 tcl guile pythonPackages.pycrypto makeWrapper
cacert cmake ] cmake ]
++ stdenv.lib.optionals stdenv.isDarwin [ pythonPackages.pync libobjc ] ++ stdenv.lib.optionals stdenv.isDarwin [ pythonPackages.pync libobjc ]
++ extraBuildInputs; ++ extraBuildInputs;
NIX_CFLAGS_COMPILE = "-I${python}/include/${python.libPrefix} -DCA_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"; NIX_CFLAGS_COMPILE = "-I${python}/include/${python.libPrefix} -DCA_FILE=/etc/ssl/certs/ca-certificates.crt";
postInstall = '' postInstall = ''
NIX_PYTHONPATH="$out/lib/${python.libPrefix}/site-packages" NIX_PYTHONPATH="$out/lib/${python.libPrefix}/site-packages"


@ -1,4 +1,4 @@
{ stdenv, fetchurl, pythonPackages, cacert }: { stdenv, fetchurl, pythonPackages }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
version = "2.6"; version = "2.6";
@ -19,10 +19,9 @@ stdenv.mkDerivation rec {
patches = [ ./add_certificates.patch ]; patches = [ ./add_certificates.patch ];
postPatch = '' postPatch = ''
substituteInPlace bzrlib/transport/http/_urllib2_wrappers.py \ substituteInPlace bzrlib/transport/http/_urllib2_wrappers.py \
--subst-var-by "certPath" "${cacert}/etc/ssl/certs/ca-bundle.crt" --subst-var-by certPath /etc/ssl/certs/ca-certificates.crt
''; '';
installPhase = '' installPhase = ''
python setup.py install --prefix=$out python setup.py install --prefix=$out
wrapPythonPrograms wrapPythonPrograms


@ -1,6 +1,5 @@
{ stdenv, fetchurl, python, makeWrapper, docutils, unzip, hg-git, dulwich { stdenv, fetchurl, python, makeWrapper, docutils, unzip, hg-git, dulwich
, guiSupport ? false, tk ? null, curses, cacert , guiSupport ? false, tk ? null, curses
, ApplicationServices }: , ApplicationServices }:
let let
@ -48,7 +47,7 @@ stdenv.mkDerivation {
mkdir -p $out/etc/mercurial mkdir -p $out/etc/mercurial
cat >> $out/etc/mercurial/hgrc << EOF cat >> $out/etc/mercurial/hgrc << EOF
[web] [web]
cacerts = ${cacert}/etc/ssl/certs/ca-bundle.crt cacerts = /etc/ssl/certs/ca-certificates.crt
EOF EOF
# copy hgweb.cgi to allow use in apache # copy hgweb.cgi to allow use in apache
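Review bot: In the generated hgrc, `cacerts = /etc/ssl/certs/ca-certificates.crt` under `[web]` is now the only thing that makes this Mercurial verify HTTPS peers: as far as I recall, hg of this era (3.x) warns and proceeds unverified when `web.cacerts` is unset, and aborts with "could not find web.cacerts" when the configured file does not exist. So on a non-NixOS host without that file every HTTPS clone or pull aborts instead of silently degrading, which is the safer failure mode, but the heredoc should say so: `# Verification is enabled by this line; keep it pointing at an existing bundle.` Users can still override per host in their own hgrc. The installPhase this heredoc sits in starts outside the hunk.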


@ -1,6 +1,6 @@
{ stdenv, fetchurl, pkgconfig, dbus, libgcrypt, libtasn1, pam, python, glib, libxslt { stdenv, fetchurl, pkgconfig, dbus, libgcrypt, libtasn1, pam, python, glib, libxslt
, intltool, pango, gcr, gdk_pixbuf, atk, p11_kit, makeWrapper , intltool, pango, gcr, gdk_pixbuf, atk, p11_kit, makeWrapper
, docbook_xsl_ns, docbook_xsl, gnome3, cacert }: , docbook_xsl_ns, docbook_xsl, gnome3 }:
let let
majVer = gnome3.version; majVer = gnome3.version;
@ -22,7 +22,7 @@ in stdenv.mkDerivation rec {
nativeBuildInputs = [ pkgconfig intltool docbook_xsl_ns docbook_xsl ]; nativeBuildInputs = [ pkgconfig intltool docbook_xsl_ns docbook_xsl ];
configureFlags = [ configureFlags = [
"--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt" # NixOS hardcoded path "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt" # NixOS hardcoded path
"--with-pkcs11-config=$$out/etc/pkcs11/" # installation directories "--with-pkcs11-config=$$out/etc/pkcs11/" # installation directories
"--with-pkcs11-modules=$$out/lib/pkcs11/" "--with-pkcs11-modules=$$out/lib/pkcs11/"
]; ];


@ -1,4 +1,4 @@
{ stdenv, fetchurl, pkgconfig, glib, libsoup, gobjectIntrospection, cacert, gnome3 }: { stdenv, fetchurl, pkgconfig, glib, libsoup, gobjectIntrospection, gnome3 }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "rest-0.7.92"; name = "rest-0.7.92";
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
buildInputs = [ pkgconfig glib libsoup gobjectIntrospection]; buildInputs = [ pkgconfig glib libsoup gobjectIntrospection];
configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt"; configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt";
meta = with stdenv.lib; { meta = with stdenv.lib; {
platforms = platforms.linux; platforms = platforms.linux;


@ -1,4 +1,4 @@
{ stdenv, fetchurl, erlang, rebar, makeWrapper, coreutils, curl, bash, cacert }: { stdenv, fetchurl, erlang, rebar, makeWrapper, coreutils, curl, bash }:
let let
version = "1.0.5"; version = "1.0.5";
@ -32,8 +32,8 @@ stdenv.mkDerivation {
b=$(basename $f) b=$(basename $f)
if [ $b == "mix" ]; then continue; fi if [ $b == "mix" ]; then continue; fi
wrapProgram $f \ wrapProgram $f \
--prefix PATH ":" "${erlang}/bin:${coreutils}/bin:${curl}/bin:${bash}/bin" \ --prefix PATH ":" "${erlang}/bin:${coreutils}/bin:${curl}/bin:${bash}/bin" \
--set CURL_CA_BUNDLE "${cacert}/etc/ssl/certs/ca-bundle.crt" --set CURL_CA_BUNDLE /etc/ssl/certs/ca-certificates.crt
done done
''; '';
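Review bot: `--set CURL_CA_BUNDLE /etc/ssl/certs/ca-certificates.crt` clobbers whatever the user already exported, so someone running mix/hex behind a corporate proxy with their own `CURL_CA_BUNDLE` silently loses that trust anchor and gets verification failures. Since makeWrapper's `--set` is unconditional, only supply a default: `--run 'export CURL_CA_BUNDLE="''${CURL_CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"'` (the `''$` escape is needed because this sits inside a Nix `''` string). The `for` loop this wrapProgram call belongs to starts outside the hunk.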


@ -1,5 +1,5 @@
{ stdenv, fetchurl, pkgconfig, glib, intltool, gnutls, libproxy { stdenv, fetchurl, pkgconfig, glib, intltool, gnutls, libproxy
, gsettings_desktop_schemas, cacert }: , gsettings_desktop_schemas }:
let let
ver_maj = "2.44"; ver_maj = "2.44";
@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
sha256 = "8f8a340d3ba99bfdef38b653da929652ea6640e27969d29f7ac51fbbe11a4346"; sha256 = "8f8a340d3ba99bfdef38b653da929652ea6640e27969d29f7ac51fbbe11a4346";
}; };
configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt"; configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt";
preBuild = '' preBuild = ''
sed -e "s@${glib}/lib/gio/modules@$out/lib/gio/modules@g" -i $(find . -name Makefile) sed -e "s@${glib}/lib/gio/modules@$out/lib/gio/modules@g" -i $(find . -name Makefile)
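Review bot: `--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt` makes glib-networking's trust store a runtime host path rather than a store dependency, and since this is the GIO TLS backend that the libsoup/WebKit consumers elsewhere in this commit (surf, vimb, rest) go through, the choice deserves a comment at the point of use so the next maintainer does not re-add `${cacert}`: `# Use the host's bundle, not ${cacert}, so one CA update or revocation applies system-wide (see revert of cd52c04).` The `preBuild` string that follows is cut off by the hunk.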


@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
"--with-sock-dir=/run" "--with-sock-dir=/run"
"--with-privsep-user=smtpd" "--with-privsep-user=smtpd"
"--with-queue-user=smtpq" "--with-queue-user=smtpq"
"--with-ca-file=${cacert}/etc/ssl/certs/ca-bundle.crt" "--with-ca-file=/etc/ssl/certs/ca-certificates.crt"
]; ];
installFlags = [ installFlags = [


@ -43,7 +43,7 @@ diff -urN pipelight.old/bin/pipelight-plugin.in pipelight.new/bin/pipelight-plug
-fi -fi
+download_file() +download_file()
+{ +{
+ curl --cacert /etc/ssl/certs/ca-bundle.crt -o "$1" "$2" + curl --cacert /etc/ssl/certs/ca-certificates.crt -o "$1" "$2"
+} +}
# Use shasum instead of sha256sum on MacOS / *BSD # Use shasum instead of sha256sum on MacOS / *BSD
@ -111,7 +111,7 @@ diff -urN pipelight.old/share/install-dependency pipelight.new/share/install-dep
-fi -fi
+download_file() +download_file()
+{ +{
+ curl --cacert /etc/ssl/certs/ca-bundle.crt -o "$1" "$2" + curl --cacert /etc/ssl/certs/ca-certificates.crt -o "$1" "$2"
+} +}
+get_download_size() +get_download_size()
+{ +{
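Review bot: `curl --cacert /etc/ssl/certs/ca-certificates.crt -o "$1" "$2"` in `download_file` has no `--fail`, so an HTTP 404 or 500 exits 0 and writes the server's error page to "$1"; whether the later checksum step (the `shasum` handling nearby suggests there is one) catches that I cannot see from here, but failing at the download is cheaper and clearer: `curl --fail --cacert /etc/ssl/certs/ca-certificates.crt -o "$1" "$2"`. The same helper body appears in both hunks of this patch file, so both copies need the change. `get_download_size` opens on the last line of the hunk and continues outside it.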


@ -1,4 +1,4 @@
{ stdenv, fetchurl, pkgconfig, cacert, c-ares, openssl, libxml2, sqlite, zlib }: { stdenv, fetchurl, pkgconfig, c-ares, openssl, libxml2, sqlite, zlib }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "aria2-${version}"; name = "aria2-${version}";
@ -11,9 +11,7 @@ stdenv.mkDerivation rec {
buildInputs = [ pkgconfig c-ares openssl libxml2 sqlite zlib ]; buildInputs = [ pkgconfig c-ares openssl libxml2 sqlite zlib ];
propagatedBuildInputs = [ cacert ]; configureFlags = [ "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt" ];
configureFlags = [ "--with-ca-bundle=${cacert}/etc/ssl/certs/ca-bundle.crt" ];
meta = with stdenv.lib; { meta = with stdenv.lib; {
homepage = http://aria2.sourceforge.net/; homepage = http://aria2.sourceforge.net/;


@ -1,5 +1,4 @@
{ stdenv, fetchurl, fetchgit, curl, scrot, imagemagick, xawtv, inetutils { stdenv, fetchurl, fetchgit, curl, scrot, imagemagick, xawtv, inetutils, makeWrapper, coreutils
, makeWrapper, coreutils, cacert
, apiKey ? "" , apiKey ? ""
, deviceKey ? "" }: , deviceKey ? "" }:
@ -36,7 +35,7 @@ in stdenv.mkDerivation rec {
cp -R ${modulesSrc}/* $out/modules/ cp -R ${modulesSrc}/* $out/modules/
wrapProgram "$out/prey.sh" \ wrapProgram "$out/prey.sh" \
--prefix PATH ":" "${xawtv}/bin:${imagemagick}/bin:${curl}/bin:${scrot}/bin:${inetutils}/bin:${coreutils}/bin" \ --prefix PATH ":" "${xawtv}/bin:${imagemagick}/bin:${curl}/bin:${scrot}/bin:${inetutils}/bin:${coreutils}/bin" \
--set CURL_CA_BUNDLE "${cacert}/etc/ssl/certs/ca-bundle.crt" --set CURL_CA_BUNDLE "/etc/ssl/certs/ca-certificates.crt"
''; '';
meta = with stdenv.lib; { meta = with stdenv.lib; {