diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index f72431c5a27..34e0ec132a9 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -13,12 +13,17 @@ let
     sha256 = "1d4q27j1gss0186a5m8bs5dk786w07ccyq0qi6xmd2zr1a8q16wy";
   };
+  version = "3.57";
+  underscoreVersion = builtins.replaceStrings ["."] ["_"] version;
 in
 stdenv.mkDerivation {
-  name = "nss-cacert-${nss.version}";
+  name = "nss-cacert-${version}";
-  src = nss.src;
+  src = fetchurl {
+    url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/nss-${version}.tar.gz";
+    sha256 = "55a86c01be860381d64bb4e5b94eb198df9b0f098a8af0e58c014df398bdc382";
+  };
   outputs = [ "out" "unbundled" ];
@@ -60,6 +65,8 @@ stdenv.mkDerivation {
   setupHook = ./setup-hook.sh;
+  passthru.updateScript = ./update.sh;
+
   meta = {
     homepage = "https://curl.haxx.se/docs/caextract.html";
     description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
diff --git a/pkgs/data/misc/cacert/update.sh b/pkgs/data/misc/cacert/update.sh
new file mode 100755
index 00000000000..7bf3d46cb02
--- /dev/null
+++ b/pkgs/data/misc/cacert/update.sh
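Review bot: The new `version = "3.57"` binding deliberately pins cacert's source independently of `nss`, but nothing in this file says so; the rationale lives only in update.sh, and a maintainer bumping `nss` will see a stale version here and is likely to "fix" it by hand, which defeats the rebuild-avoidance the split is for. Suggest a comment above the binding: `# Pinned independently of nss on purpose: update.sh bumps this only when a newer NSS release actually changes the generated certificate bundle, so routine NSS updates do not rebuild every cacert dependent.` The source hash is written as hex here while the other hash in the same let block is base32; both are accepted, but one form is easier to keep consistent when the updater rewrites it. Since the trust store now advances only when the updater is run, CA additions or distrusts shipped in a newer NSS release reach users only via that path — presumably acceptable because `passthru.updateScript` wires it into the regular updater runs, but worth stating in the same comment.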
@@ -0,0 +1,34 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p nix common-updater-scripts jq
+
+# Build both the cacert package and an overriden version where we use the source attribute of NSS.
+# Cacert and NSS are both from the same upstream sources. They are decoupled as
+# the cacert output only cares about a few infrequently changing files in the
+# sources while the NSS source code changes frequently.
+#
+# By having cacert on a older source revision that produces the same
+# certificate output as a newer version we can avoid large amounts of
+# unnecessary rebuilds.
+#
+# As of this writing there are a few magnitudes more packages depending on
+# cacert than on nss.
+
+
+set -ex
+
+BASEDIR="$(dirname "$0")/../../../.."
+
+
+CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.overrideAttrs (_: { inherit (nss) src version; })).out")
+
+# Check the hash of the etc subfolder
+# We can't check the entire output as that contains the nix-support folder
+# which contains the output path itself.
+CURRENT_HASH=$(nix-hash "$CURRENT_PATH/etc")
+PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
+
+if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then
+    NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .)
+    update-source-version cacert "$NSS_VERSION"
+fi
diff --git a/pkgs/development/libraries/nss/default.nix b/pkgs/development/libraries/nss/default.nix
index cc9ad333d82..9153ff77616 100644
--- a/pkgs/development/libraries/nss/default.nix
+++ b/pkgs/development/libraries/nss/default.nix
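Review bot: The CURRENT_PATH line, `nix-build --no-out-link -A cacert.out`, resolves `-A` against `./default.nix` in the caller's working directory, whereas the PATCHED_PATH and NSS_VERSION lines evaluate `$BASEDIR`; run from anywhere but the nixpkgs root the first build either fails (and `set -e` aborts before the comparison) or, if some other `default.nix` is present, compares the wrong tree. Pass the tree explicitly: `CURRENT_PATH=$(nix-build --no-out-link "$BASEDIR" -A cacert.out)`. `set -ex` has no `pipefail`, so a failing `nix-instantiate` in the NSS_VERSION pipeline is hidden by `jq -r .` and an empty version could be handed to `update-source-version`; `set -euxo pipefail` closes that. The two `nix-hash` calls omit `--type` and so use the tool's default digest (MD5 in the Nix 2.x CLI); only equality of two local trees matters here, so this is not a trust issue, but `nix-hash --type sha256` makes the intent explicit and survives a default change.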
@@ -9,6 +9,12 @@ let
     url = "http://dev.gentoo.org/~polynomial-c/mozilla/nss-3.15.4-pem-support-20140109.patch.xz";
     sha256 = "10ibz6y0hknac15zr6dw4gv9nb5r5z9ym6gq18j3xqx7v7n3vpdw";
   };
+
+  # NOTE: Whenever you updated this version check if the `cacert` package also
+  # needs an update. You can run the regular updater script for cacerts.
+  # It will rebuild itself using the version of this package (NSS) and if
+  # an update is required do the required changes to the expression.
+  # Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert
   version = "3.57";
   underscoreVersion = builtins.replaceStrings ["."] ["_"] version;
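Review bot: The added NOTE has a tense slip and a stray plural on its first two lines: `Whenever you updated this version check if` should read `Whenever you update this version, check whether`, and `updater script for cacerts` should be `updater script for cacert`. "It will rebuild itself" is ambiguous about what "it" is; naming the script that does the work, `pkgs/data/misc/cacert/update.sh`, lets a maintainer editing this file go straight to it. The `version` binding the note refers to is the line directly below, so the comment is well placed; the surrounding let block continues outside the hunk.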