Backport #11610 to 2.19 maintenance #11693
Merged
Commits on Oct 14, 2024
-
-
fix passing CA files into builtins:fetchurl sandbox
This patch has been manually adapted from lix-project/lix@14dc84e Tested with: $ NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }' warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=' this derivation will be built: /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'... error: … writing file '/nix/store/0zynn4n8yx59bczy1mgh1lq2rnprvvrc-google.com' error: unable to download 'https://google.com': Problem with the SSL CA cert (path? access rights?) (77) error: builder for '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv' failed with exit code 1 Now returns: nix-env % NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }' this derivation will be built: /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'... error: hash mismatch in fixed-output derivation '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv': specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= got: sha256-5xXEhGtnRdopaUTqaz2M1o2NE7ovhU0SjcSOPwntqwY= (cherry picked from commit 1fbdf40)
-
tests/nixos/fetchurl: drop unused variables
(cherry picked from commit de9946c)
-
Fix the access of symlinks to host files in the sandbox
#10456 fixed the addition of symlink store paths to the sandbox, but also made it so that the hardcoded sandbox paths (like `/etc/hosts`) were now bind-mounted without following the possible symlinks. This made these files unreadable if there were symlinks (because the sandbox would now contain a symlink to an unreachable file rather than the underlying file). In particular, this broke FOD derivations on NixOS as `/etc/hosts` is a symlink there. Fix that by canonicalizing all these hardcoded sandbox paths before adding them to the sandbox. (cherry picked from commit acbb152)
-
Test the inclusion of transitive symlinks in the sandbox
(cherry picked from commit cef677d)
-
feat: better warning for common SSL errors
(cherry picked from commit 3e5bf90)
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.