author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-07-31 01:30:15 +0200 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-07-31 01:34:58 +0200 |
commit | 55932c1beca26c7b5b7c259d95f6eb80644150a7 (patch) | |
tree | a2faafd73c3dcda7418278961a6ddf41d6d33d5c | |
parent | 23562aad59048e8e1202e618fcf402079f1593b8 (diff) | |
Don't statically depend on cacert for certificates
This reverts commit cd52c044568bdf1108428698048a9af92dc0b625 and others. Managing certificates (including revoking certificates and adding custom certificates) becomes extremely painful if every package in the system potentially depends on a different copy of cacert. Also, it makes updating cacert rather expensive.
17 files changed, 34 insertions, 49 deletions
diff --git a/pkgs/applications/graphics/shotwell/default.nix b/pkgs/applications/graphics/shotwell/default.nix index 2b25f8d41f6..052ba9402be 100644 --- a/pkgs/applications/graphics/shotwell/default.nix +++ b/pkgs/applications/graphics/shotwell/default.nix @@ -1,7 +1,7 @@ { fetchurl, stdenv, m4, glibc, gtk3, libexif, libgphoto2, libsoup, libxml2, vala, sqlite , webkitgtk24x, pkgconfig, gnome3, gst_all_1, which, udev, libraw, glib, json_glib , gettext, desktop_file_utils, lcms2, gdk_pixbuf, librsvg, makeWrapper -, gnome_doc_utils, hicolor_icon_theme, cacert }: +, gnome_doc_utils, hicolor_icon_theme }: # for dependencies see http://www.yorba.org/projects/shotwell/install/ @@ -15,9 +15,9 @@ stdenv.mkDerivation rec { }; NIX_CFLAGS_COMPILE = "-I${glib}/include/glib-2.0 -I${glib}/lib/glib-2.0/include"; - + configureFlags = [ "--disable-gsettings-convert-install" ]; - + preConfigure = '' patchShebangs . ''; diff --git a/pkgs/applications/networking/browsers/vimb/default.nix b/pkgs/applications/networking/browsers/vimb/default.nix index 3222e87ac65..84a2870b6d0 100644 --- a/pkgs/applications/networking/browsers/vimb/default.nix +++ b/pkgs/applications/networking/browsers/vimb/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, pkgconfig, libsoup, webkit, gtk, glib_networking -, gsettings_desktop_schemas, makeWrapper, cacert +, gsettings_desktop_schemas, makeWrapper }: stdenv.mkDerivation rec { @@ -11,11 +11,6 @@ stdenv.mkDerivation rec { sha256 = "0h9m5qfs09lb0dz8a79yccmm3a5rv6z8gi5pkyfh8fqkgkh2940p"; }; - # Nixos default ca bundle - patchPhase = '' - sed -i s,/etc/ssl/certs/ca-certificates.crt,${cacert}/etc/ssl/certs/ca-bundle.crt, src/config.def.h - ''; - buildInputs = [ makeWrapper gtk libsoup pkgconfig webkit gsettings_desktop_schemas ]; makeFlags = [ "PREFIX=$(out)" ]; diff --git a/pkgs/applications/networking/browsers/vimprobable2/default.nix b/pkgs/applications/networking/browsers/vimprobable2/default.nix index ad5f8aa4691..6f8eede9b3f 100644 
--- a/pkgs/applications/networking/browsers/vimprobable2/default.nix +++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, makeWrapper, glib, glib_networking, gtk, libsoup, libX11, perl, - pkgconfig, webkit, gsettings_desktop_schemas, cacert }: + pkgconfig, webkit, gsettings_desktop_schemas }: stdenv.mkDerivation rec { version = "1.4.2"; @@ -9,11 +9,6 @@ stdenv.mkDerivation rec { sha256 = "13jdximksh9r3cgd2f8vms0pbsn3x0gxvyqdqiw16xp5fmdx5kzr"; }; - # Nixos default ca bundle - patchPhase = '' - sed -i s,/etc/ssl/certs/ca-certificates.crt,${cacert}/etc/ssl/certs/ca-bundle.crt, config.h - ''; - buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ]; installPhase = '' diff --git a/pkgs/applications/networking/cluster/panamax/api/default.nix b/pkgs/applications/networking/cluster/panamax/api/default.nix index 524433b45fb..dcfef83f1be 100644 --- a/pkgs/applications/networking/cluster/panamax/api/default.nix +++ b/pkgs/applications/networking/cluster/panamax/api/default.nix @@ -1,5 +1,5 @@ { stdenv, buildEnv, fetchgit, fetchurl, makeWrapper, bundlerEnv, bundler_HEAD -, ruby, libxslt, libxml2, sqlite, openssl, cacert, docker +, ruby, libxslt, libxml2, sqlite, openssl, docker , dataDir ? "/var/lib/panamax-api" }: with stdenv.lib; @@ -62,7 +62,7 @@ stdenv.mkDerivation rec { --prefix "PATH" : "$out/share/panamax-api/bin:${env.ruby}/bin:$PATH" \ --prefix "HOME" : "$out/share/panamax-api" \ --prefix "GEM_HOME" : "${env}/${env.ruby.gemPath}" \ - --prefix "SSL_CERT_FILE" : "${cacert}/etc/ssl/certs/ca-bundle.crt" \ + --prefix "SSL_CERT_FILE" : /etc/ssl/certs/ca-certificates.crt \ --prefix "GEM_PATH" : "$out/share/panamax-api:${bundler}/${env.ruby.gemPath}" ''; diff --git a/pkgs/applications/networking/instant-messengers/fuze/default.nix b/pkgs/applications/networking/instant-messengers/fuze/default.nix index 6b85e107d06..33ffe87a4ff 100644 
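Review bot: The new `--prefix "SSL_CERT_FILE" : /etc/ssl/certs/ca-certificates.crt` line in the panamax-api hunk keeps using `--prefix` for a variable that holds a single file path, so whenever the caller already has SSL_CERT_FILE in its environment the wrapper hands the ruby TLS stack a colon-joined string that names no file at all. The elixir and prey hunks in this same commit set the equivalent CURL_CA_BUNDLE with `--set`; `--set "SSL_CERT_FILE" /etc/ssl/certs/ca-certificates.crt` would behave consistently here. Whether an unreadable SSL_CERT_FILE makes the OpenSSL bindings fail closed or fall back to an empty trust store is not visible in this hunk and should be confirmed. The wrapProgram call and the install script that contains it begin outside the hunk.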
--- a/pkgs/applications/networking/instant-messengers/fuze/default.nix +++ b/pkgs/applications/networking/instant-messengers/fuze/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, dpkg, openssl, alsaLib, libXext, libXfixes, libXrandr , libjpeg, curl, libX11, libXmu, libXv, libXtst, qt4, mesa, zlib -, gnome, libidn, rtmpdump, c-ares, openldap, makeWrapper, cacert +, gnome, libidn, rtmpdump, c-ares, openldap, makeWrapper }: assert stdenv.system == "x86_64-linux"; let curl_custom = stdenv.lib.overrideDerivation curl (args: { - configureFlags = args.configureFlags ++ ["--with-ca-bundle=${cacert}/etc/ssl/certs/ca-bundle.crt"] ; + configureFlags = args.configureFlags ++ ["--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"] ; } ); in stdenv.mkDerivation { diff --git a/pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix b/pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix index a74885b2ce3..971a834f409 100644 --- a/pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix +++ b/pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, pkgconfig, libxslt, telepathy_glib, libxml2, dbus_glib, dbus_daemon -, sqlite, libsoup, libnice, gnutls, cacert }: +, sqlite, libsoup, libnice, gnutls }: stdenv.mkDerivation rec { name = "telepathy-gabble-0.18.2"; @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ libxml2 dbus_glib sqlite libsoup libnice telepathy_glib gnutls ] ++ stdenv.lib.optional doCheck dbus_daemon; - configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt"; + configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt"; enableParallelBuilding = true; doCheck = true; diff --git a/pkgs/applications/networking/irc/weechat/default.nix b/pkgs/applications/networking/irc/weechat/default.nix index c39c5be1d4c..060be8ab1eb 100644 --- a/pkgs/applications/networking/irc/weechat/default.nix 
+++ b/pkgs/applications/networking/irc/weechat/default.nix @@ -1,6 +1,6 @@ { stdenv, fetchurl, ncurses, openssl, perl, python, aspell, gnutls , zlib, curl , pkgconfig, libgcrypt, ruby, lua5, tcl, guile -, pythonPackages, cacert, cmake, makeWrapper, libobjc +, pythonPackages, cmake, makeWrapper, libobjc , extraBuildInputs ? [] }: stdenv.mkDerivation rec { @@ -15,11 +15,11 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses perl python openssl aspell gnutls zlib curl pkgconfig libgcrypt ruby lua5 tcl guile pythonPackages.pycrypto makeWrapper - cacert cmake ] + cmake ] ++ stdenv.lib.optionals stdenv.isDarwin [ pythonPackages.pync libobjc ] ++ extraBuildInputs; - NIX_CFLAGS_COMPILE = "-I${python}/include/${python.libPrefix} -DCA_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"; + NIX_CFLAGS_COMPILE = "-I${python}/include/${python.libPrefix} -DCA_FILE=/etc/ssl/certs/ca-certificates.crt"; postInstall = '' NIX_PYTHONPATH="$out/lib/${python.libPrefix}/site-packages" diff --git a/pkgs/applications/version-management/bazaar/default.nix b/pkgs/applications/version-management/bazaar/default.nix index c3b238eeb0a..28406cecbb0 100644 --- a/pkgs/applications/version-management/bazaar/default.nix +++ b/pkgs/applications/version-management/bazaar/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, pythonPackages, cacert }: +{ stdenv, fetchurl, pythonPackages }: stdenv.mkDerivation rec { version = "2.6"; @@ -19,10 +19,9 @@ stdenv.mkDerivation rec { patches = [ ./add_certificates.patch ]; postPatch = '' substituteInPlace bzrlib/transport/http/_urllib2_wrappers.py \ - --subst-var-by "certPath" "${cacert}/etc/ssl/certs/ca-bundle.crt" + --subst-var-by certPath /etc/ssl/certs/ca-certificates.crt ''; - installPhase = '' python setup.py install --prefix=$out wrapPythonPrograms diff --git a/pkgs/applications/version-management/mercurial/default.nix b/pkgs/applications/version-management/mercurial/default.nix index 4d8b2fe27c6..12f3c8f11d8 100644 
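Review bot: `NIX_CFLAGS_COMPILE = "-I${python}/include/${python.libPrefix} -DCA_FILE=/etc/ssl/certs/ca-certificates.crt"` in the weechat hunk compiles in a path that macOS does not ship, while the same hunk keeps the `stdenv.isDarwin` optionals, so on the Darwin builds this derivation explicitly supports the default CA file will point at nothing. Whether weechat then refuses TLS connections or proceeds without verification when CA_FILE is missing cannot be seen here and is worth checking before relying on the new default. One option is to keep the bundle only for Darwin, `-DCA_FILE=${if stdenv.isDarwin then "${cacert}/etc/ssl/certs/ca-bundle.crt" else "/etc/ssl/certs/ca-certificates.crt"}`, which would mean retaining `cacert` in the argument set that the first weechat hunk drops. The mercurial hunk (`cacerts = /etc/ssl/certs/ca-certificates.crt` written into the generated hgrc) takes `ApplicationServices` in its arguments and appears to have the same exposure. The NIX_CFLAGS_COMPILE attribute sits inside a mkDerivation set that starts and ends outside the hunk.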
--- a/pkgs/applications/version-management/mercurial/default.nix +++ b/pkgs/applications/version-management/mercurial/default.nix @@ -1,6 +1,5 @@ { stdenv, fetchurl, python, makeWrapper, docutils, unzip, hg-git, dulwich -, guiSupport ? false, tk ? null, curses, cacert - +, guiSupport ? false, tk ? null, curses , ApplicationServices }: let @@ -48,7 +47,7 @@ stdenv.mkDerivation { mkdir -p $out/etc/mercurial cat >> $out/etc/mercurial/hgrc << EOF [web] - cacerts = ${cacert}/etc/ssl/certs/ca-bundle.crt + cacerts = /etc/ssl/certs/ca-certificates.crt EOF # copy hgweb.cgi to allow use in apache diff --git a/pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix b/pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix index a6621aebe43..c3f16db359e 100644 --- a/pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix +++ b/pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix @@ -1,6 +1,6 @@ { stdenv, fetchurl, pkgconfig, dbus, libgcrypt, libtasn1, pam, python, glib, libxslt , intltool, pango, gcr, gdk_pixbuf, atk, p11_kit, makeWrapper -, docbook_xsl_ns, docbook_xsl, gnome3, cacert }: +, docbook_xsl_ns, docbook_xsl, gnome3 }: let majVer = gnome3.version; @@ -22,7 +22,7 @@ in stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig intltool docbook_xsl_ns docbook_xsl ]; configureFlags = [ - "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt" # NixOS hardcoded path + "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt" # NixOS hardcoded path "--with-pkcs11-config=$$out/etc/pkcs11/" # installation directories "--with-pkcs11-modules=$$out/lib/pkcs11/" ]; diff --git a/pkgs/desktops/gnome-3/3.16/core/rest/default.nix b/pkgs/desktops/gnome-3/3.16/core/rest/default.nix index 354f1715dc1..eada9ab1993 100644 --- a/pkgs/desktops/gnome-3/3.16/core/rest/default.nix +++ b/pkgs/desktops/gnome-3/3.16/core/rest/default.nix 
@@ -1,4 +1,4 @@ -{ stdenv, fetchurl, pkgconfig, glib, libsoup, gobjectIntrospection, cacert, gnome3 }: +{ stdenv, fetchurl, pkgconfig, glib, libsoup, gobjectIntrospection, gnome3 }: stdenv.mkDerivation rec { name = "rest-0.7.92"; @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig glib libsoup gobjectIntrospection]; - configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt"; + configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt"; meta = with stdenv.lib; { platforms = platforms.linux; diff --git a/pkgs/development/interpreters/elixir/default.nix b/pkgs/development/interpreters/elixir/default.nix index 99d649f3f68..c9a83774486 100644 --- a/pkgs/development/interpreters/elixir/default.nix +++ b/pkgs/development/interpreters/elixir/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, erlang, rebar, makeWrapper, coreutils, curl, bash, cacert }: +{ stdenv, fetchurl, erlang, rebar, makeWrapper, coreutils, curl, bash }: let version = "1.0.5"; @@ -32,8 +32,8 @@ stdenv.mkDerivation { b=$(basename $f) if [ $b == "mix" ]; then continue; fi wrapProgram $f \ - --prefix PATH ":" "${erlang}/bin:${coreutils}/bin:${curl}/bin:${bash}/bin" \ - --set CURL_CA_BUNDLE "${cacert}/etc/ssl/certs/ca-bundle.crt" + --prefix PATH ":" "${erlang}/bin:${coreutils}/bin:${curl}/bin:${bash}/bin" \ + --set CURL_CA_BUNDLE /etc/ssl/certs/ca-certificates.crt done ''; diff --git a/pkgs/development/libraries/glib-networking/default.nix b/pkgs/development/libraries/glib-networking/default.nix index 79b31b1365b..a17b7a21409 100644 --- a/pkgs/development/libraries/glib-networking/default.nix +++ b/pkgs/development/libraries/glib-networking/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, pkgconfig, glib, intltool, gnutls, libproxy -, gsettings_desktop_schemas, cacert }: +, gsettings_desktop_schemas }: let ver_maj = "2.44"; 
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec { sha256 = "8f8a340d3ba99bfdef38b653da929652ea6640e27969d29f7ac51fbbe11a4346"; }; - configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt"; + configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt"; preBuild = '' sed -e "s@${glib}/lib/gio/modules@$out/lib/gio/modules@g" -i $(find . -name Makefile) diff --git a/pkgs/servers/mail/opensmtpd/default.nix b/pkgs/servers/mail/opensmtpd/default.nix index 810012fb60a..a95a5d81ce9 100644 --- a/pkgs/servers/mail/opensmtpd/default.nix +++ b/pkgs/servers/mail/opensmtpd/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { "--with-sock-dir=/run" "--with-privsep-user=smtpd" "--with-queue-user=smtpq" - "--with-ca-file=${cacert}/etc/ssl/certs/ca-bundle.crt" + "--with-ca-file=/etc/ssl/certs/ca-certificates.crt" ]; installFlags = [ diff --git a/pkgs/tools/misc/pipelight/pipelight.patch b/pkgs/tools/misc/pipelight/pipelight.patch index bde6ecf943d..66dd0fdab4c 100644 --- a/pkgs/tools/misc/pipelight/pipelight.patch +++ b/pkgs/tools/misc/pipelight/pipelight.patch @@ -43,7 +43,7 @@ diff -urN pipelight.old/bin/pipelight-plugin.in pipelight.new/bin/pipelight-plug -fi +download_file() +{ -+ curl --cacert /etc/ssl/certs/ca-bundle.crt -o "$1" "$2" ++ curl --cacert /etc/ssl/certs/ca-certificates.crt -o "$1" "$2" +} # Use shasum instead of sha256sum on MacOS / *BSD @@ -111,7 +111,7 @@ diff -urN pipelight.old/share/install-dependency pipelight.new/share/install-dep -fi +download_file() +{ -+ curl --cacert /etc/ssl/certs/ca-bundle.crt -o "$1" "$2" ++ curl --cacert /etc/ssl/certs/ca-certificates.crt -o "$1" "$2" +} +get_download_size() +{ diff --git a/pkgs/tools/networking/aria2/default.nix b/pkgs/tools/networking/aria2/default.nix index 8d7f4541cad..e48beb3fe35 100644 --- a/pkgs/tools/networking/aria2/default.nix +++ b/pkgs/tools/networking/aria2/default.nix 
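Review bot: `configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt";` in the glib-networking hunk makes the trust store of every GLib TLS consumer (libsoup, webkit, and the vimb and vimprobable2 browsers touched by this commit) depend on a file the package tree no longer provides, and nothing in the hunk records that the host is now expected to supply it. A short comment next to the flag, such as `# CA bundle is supplied by the host OS, not by nixpkgs; on non-NixOS installs confirm this file exists`, would tell the next maintainer where certificate failures come from; the identical flags in the telepathy-gabble and rest hunks would benefit from the same note. Whether gnutls-backed glib-networking fails closed or skips verification when the configured file is absent is not visible here and should be confirmed rather than assumed. The remainder of this mkDerivation is outside the hunk.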
@@ -1,4 +1,4 @@ -{ stdenv, fetchurl, pkgconfig, cacert, c-ares, openssl, libxml2, sqlite, zlib }: +{ stdenv, fetchurl, pkgconfig, c-ares, openssl, libxml2, sqlite, zlib }: stdenv.mkDerivation rec { name = "aria2-${version}"; @@ -11,9 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig c-ares openssl libxml2 sqlite zlib ]; - propagatedBuildInputs = [ cacert ]; - - configureFlags = [ "--with-ca-bundle=${cacert}/etc/ssl/certs/ca-bundle.crt" ]; + configureFlags = [ "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt" ]; meta = with stdenv.lib; { homepage = http://aria2.sourceforge.net/; diff --git a/pkgs/tools/security/prey/default.nix b/pkgs/tools/security/prey/default.nix index d04f48c0f31..b36c11cf934 100644 --- a/pkgs/tools/security/prey/default.nix +++ b/pkgs/tools/security/prey/default.nix @@ -1,5 +1,4 @@ -{ stdenv, fetchurl, fetchgit, curl, scrot, imagemagick, xawtv, inetutils -, makeWrapper, coreutils, cacert +{ stdenv, fetchurl, fetchgit, curl, scrot, imagemagick, xawtv, inetutils, makeWrapper, coreutils , apiKey ? "" , deviceKey ? "" }: @@ -36,7 +35,7 @@ in stdenv.mkDerivation rec { cp -R ${modulesSrc}/* $out/modules/ wrapProgram "$out/prey.sh" \ --prefix PATH ":" "${xawtv}/bin:${imagemagick}/bin:${curl}/bin:${scrot}/bin:${inetutils}/bin:${coreutils}/bin" \ - --set CURL_CA_BUNDLE "${cacert}/etc/ssl/certs/ca-bundle.crt" + --set CURL_CA_BUNDLE "/etc/ssl/certs/ca-certificates.crt" ''; meta = with stdenv.lib; { |