From 55932c1beca26c7b5b7c259d95f6eb80644150a7 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Fri, 31 Jul 2015 01:30:15 +0200
Subject: [PATCH] Don't statically depend on cacert for certificates

This reverts commit cd52c044568bdf1108428698048a9af92dc0b625 and others.

Managing certificates (including revoking certificates and adding custom certificates) becomes extremely painful if every package in the system potentially depends on a different copy of cacert. Also, it makes updating cacert rather expensive.
---
 pkgs/applications/graphics/shotwell/default.nix | 6 +++---
 pkgs/applications/networking/browsers/vimb/default.nix | 7 +------
 .../networking/browsers/vimprobable2/default.nix | 7 +------
 .../networking/cluster/panamax/api/default.nix | 4 ++--
 .../networking/instant-messengers/fuze/default.nix | 4 ++--
 .../instant-messengers/telepathy/gabble/default.nix | 4 ++--
 pkgs/applications/networking/irc/weechat/default.nix | 6 +++---
 pkgs/applications/version-management/bazaar/default.nix | 5 ++---
 pkgs/applications/version-management/mercurial/default.nix | 5 ++---
 pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix | 4 ++--
 pkgs/desktops/gnome-3/3.16/core/rest/default.nix | 4 ++--
 pkgs/development/interpreters/elixir/default.nix | 6 +++---
 pkgs/development/libraries/glib-networking/default.nix | 4 ++--
 pkgs/servers/mail/opensmtpd/default.nix | 2 +-
 pkgs/tools/misc/pipelight/pipelight.patch | 4 ++--
 pkgs/tools/networking/aria2/default.nix | 6 ++----
 pkgs/tools/security/prey/default.nix | 5 ++---
 17 files changed, 34 insertions(+), 49 deletions(-)

diff --git a/pkgs/applications/graphics/shotwell/default.nix b/pkgs/applications/graphics/shotwell/default.nix
index 2b25f8d41f6b..052ba9402bed 100644
--- a/pkgs/applications/graphics/shotwell/default.nix
+++ b/pkgs/applications/graphics/shotwell/default.nix
@@ -1,7 +1,7 @@ { fetchurl, stdenv, m4, glibc, gtk3, libexif, libgphoto2, libsoup, libxml2, vala, sqlite , webkitgtk24x, pkgconfig, gnome3, gst_all_1, which, udev, libraw, glib, json_glib , gettext, desktop_file_utils, lcms2, gdk_pixbuf, librsvg, makeWrapper -, gnome_doc_utils, hicolor_icon_theme, cacert }: +, gnome_doc_utils, hicolor_icon_theme }: # for dependencies see http://www.yorba.org/projects/shotwell/install/ @@ -15,9 +15,9 @@ stdenv.mkDerivation rec { }; NIX_CFLAGS_COMPILE = "-I${glib}/include/glib-2.0 -I${glib}/lib/glib-2.0/include"; - + configureFlags = [ "--disable-gsettings-convert-install" ]; - + preConfigure = '' patchShebangs . ''; diff --git a/pkgs/applications/networking/browsers/vimb/default.nix b/pkgs/applications/networking/browsers/vimb/default.nix index 3222e87ac650..84a2870b6d0a 100644 --- a/pkgs/applications/networking/browsers/vimb/default.nix +++ b/pkgs/applications/networking/browsers/vimb/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, pkgconfig, libsoup, webkit, gtk, glib_networking -, gsettings_desktop_schemas, makeWrapper, cacert +, gsettings_desktop_schemas, makeWrapper }: stdenv.mkDerivation rec { @@ -11,11 +11,6 @@ stdenv.mkDerivation rec { sha256 = "0h9m5qfs09lb0dz8a79yccmm3a5rv6z8gi5pkyfh8fqkgkh2940p"; }; - # Nixos default ca bundle - patchPhase = '' - sed -i s,/etc/ssl/certs/ca-certificates.crt,${cacert}/etc/ssl/certs/ca-bundle.crt, src/config.def.h - ''; - buildInputs = [ makeWrapper gtk libsoup pkgconfig webkit gsettings_desktop_schemas ]; makeFlags = [ "PREFIX=$(out)" ]; diff --git a/pkgs/applications/networking/browsers/vimprobable2/default.nix b/pkgs/applications/networking/browsers/vimprobable2/default.nix index ad5f8aa46912..6f8eede9b3f8 100644 --- a/pkgs/applications/networking/browsers/vimprobable2/default.nix +++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix 
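Review bot: Dropping vimb's patchPhase leaves the TLS trust path implicit — the removed sed shows that upstream src/config.def.h already defaults to /etc/ssl/certs/ca-certificates.crt, and the derivation now relies on that default without saying so anywhere. A one-line comment next to buildInputs, e.g. `# upstream config.def.h defaults to /etc/ssl/certs/ca-certificates.crt, the NixOS bundle path; no CA configuration needed here`, records why no CA setup remains and gives a maintainer something to re-check when the upstream default moves. The vimprobable2 hunk that drops the config.h sed has the same gap.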
@@ -1,5 +1,5 @@ { stdenv, fetchurl, makeWrapper, glib, glib_networking, gtk, libsoup, libX11, perl, - pkgconfig, webkit, gsettings_desktop_schemas, cacert }: + pkgconfig, webkit, gsettings_desktop_schemas }: stdenv.mkDerivation rec { version = "1.4.2"; @@ -9,11 +9,6 @@ stdenv.mkDerivation rec { sha256 = "13jdximksh9r3cgd2f8vms0pbsn3x0gxvyqdqiw16xp5fmdx5kzr"; }; - # Nixos default ca bundle - patchPhase = '' - sed -i s,/etc/ssl/certs/ca-certificates.crt,${cacert}/etc/ssl/certs/ca-bundle.crt, config.h - ''; - buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ]; installPhase = '' diff --git a/pkgs/applications/networking/cluster/panamax/api/default.nix b/pkgs/applications/networking/cluster/panamax/api/default.nix index 524433b45fbc..dcfef83f1bec 100644 --- a/pkgs/applications/networking/cluster/panamax/api/default.nix +++ b/pkgs/applications/networking/cluster/panamax/api/default.nix @@ -1,5 +1,5 @@ { stdenv, buildEnv, fetchgit, fetchurl, makeWrapper, bundlerEnv, bundler_HEAD -, ruby, libxslt, libxml2, sqlite, openssl, cacert, docker +, ruby, libxslt, libxml2, sqlite, openssl, docker , dataDir ? "/var/lib/panamax-api" }: with stdenv.lib; @@ -62,7 +62,7 @@ stdenv.mkDerivation rec { --prefix "PATH" : "$out/share/panamax-api/bin:${env.ruby}/bin:$PATH" \ --prefix "HOME" : "$out/share/panamax-api" \ --prefix "GEM_HOME" : "${env}/${env.ruby.gemPath}" \ - --prefix "SSL_CERT_FILE" : "${cacert}/etc/ssl/certs/ca-bundle.crt" \ + --prefix "SSL_CERT_FILE" : /etc/ssl/certs/ca-certificates.crt \ --prefix "GEM_PATH" : "$out/share/panamax-api:${bundler}/${env.ruby.gemPath}" ''; diff --git a/pkgs/applications/networking/instant-messengers/fuze/default.nix b/pkgs/applications/networking/instant-messengers/fuze/default.nix index 6b85e107d06c..33ffe87a4ffb 100644 --- a/pkgs/applications/networking/instant-messengers/fuze/default.nix +++ b/pkgs/applications/networking/instant-messengers/fuze/default.nix 
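Review bot: `--prefix "SSL_CERT_FILE" : /etc/ssl/certs/ca-certificates.crt` treats SSL_CERT_FILE as a colon-separated search path, but the variable names a single file; if it is already set in the caller's environment the wrapper produces `/etc/ssl/certs/ca-certificates.crt:<old value>`, which OpenSSL cannot open. Since the line is being rewritten anyway, `--set "SSL_CERT_FILE" /etc/ssl/certs/ca-certificates.crt \` is the correct form and matches how the elixir and prey hunks in this commit set CURL_CA_BUNDLE. The wrapProgram invocation this line belongs to starts before the hunk.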
@@ -1,12 +1,12 @@ { stdenv, fetchurl, dpkg, openssl, alsaLib, libXext, libXfixes, libXrandr , libjpeg, curl, libX11, libXmu, libXv, libXtst, qt4, mesa, zlib -, gnome, libidn, rtmpdump, c-ares, openldap, makeWrapper, cacert +, gnome, libidn, rtmpdump, c-ares, openldap, makeWrapper }: assert stdenv.system == "x86_64-linux"; let curl_custom = stdenv.lib.overrideDerivation curl (args: { - configureFlags = args.configureFlags ++ ["--with-ca-bundle=${cacert}/etc/ssl/certs/ca-bundle.crt"] ; + configureFlags = args.configureFlags ++ ["--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"] ; } ); in stdenv.mkDerivation { diff --git a/pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix b/pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix index a74885b2ce30..971a834f4096 100644 --- a/pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix +++ b/pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, pkgconfig, libxslt, telepathy_glib, libxml2, dbus_glib, dbus_daemon -, sqlite, libsoup, libnice, gnutls, cacert }: +, sqlite, libsoup, libnice, gnutls }: stdenv.mkDerivation rec { name = "telepathy-gabble-0.18.2"; @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ libxml2 dbus_glib sqlite libsoup libnice telepathy_glib gnutls ] ++ stdenv.lib.optional doCheck dbus_daemon; - configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt"; + configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt"; enableParallelBuilding = true; doCheck = true; diff --git a/pkgs/applications/networking/irc/weechat/default.nix b/pkgs/applications/networking/irc/weechat/default.nix index c39c5be1d4ca..060be8ab1eb1 100644 --- a/pkgs/applications/networking/irc/weechat/default.nix +++ b/pkgs/applications/networking/irc/weechat/default.nix 
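Review bot: The bundle path is now a bare literal inside the curl_custom configureFlags, and the same string is repeated in the telepathy-gabble, weechat, bazaar, mercurial, gnome-keyring, rest, elixir, glib-networking, opensmtpd, aria2, prey and pipelight hunks. A single shared attribute holding that path (a plain string, so it adds no store dependency on cacert) would leave one place to edit if the system bundle location ever changes, which is the maintenance concern the commit message itself raises. Each file could then reference the attribute instead of spelling out `/etc/ssl/certs/ca-certificates.crt` by hand.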
@@ -1,6 +1,6 @@ { stdenv, fetchurl, ncurses, openssl, perl, python, aspell, gnutls , zlib, curl , pkgconfig, libgcrypt, ruby, lua5, tcl, guile -, pythonPackages, cacert, cmake, makeWrapper, libobjc +, pythonPackages, cmake, makeWrapper, libobjc , extraBuildInputs ? [] }: stdenv.mkDerivation rec { @@ -15,11 +15,11 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses perl python openssl aspell gnutls zlib curl pkgconfig libgcrypt ruby lua5 tcl guile pythonPackages.pycrypto makeWrapper - cacert cmake ] + cmake ] ++ stdenv.lib.optionals stdenv.isDarwin [ pythonPackages.pync libobjc ] ++ extraBuildInputs; - NIX_CFLAGS_COMPILE = "-I${python}/include/${python.libPrefix} -DCA_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"; + NIX_CFLAGS_COMPILE = "-I${python}/include/${python.libPrefix} -DCA_FILE=/etc/ssl/certs/ca-certificates.crt"; postInstall = '' NIX_PYTHONPATH="$out/lib/${python.libPrefix}/site-packages" diff --git a/pkgs/applications/version-management/bazaar/default.nix b/pkgs/applications/version-management/bazaar/default.nix index c3b238eeb0aa..28406cecbb00 100644 --- a/pkgs/applications/version-management/bazaar/default.nix +++ b/pkgs/applications/version-management/bazaar/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, pythonPackages, cacert }: +{ stdenv, fetchurl, pythonPackages }: stdenv.mkDerivation rec { version = "2.6"; @@ -19,10 +19,9 @@ stdenv.mkDerivation rec { patches = [ ./add_certificates.patch ]; postPatch = '' substituteInPlace bzrlib/transport/http/_urllib2_wrappers.py \ - --subst-var-by "certPath" "${cacert}/etc/ssl/certs/ca-bundle.crt" + --subst-var-by certPath /etc/ssl/certs/ca-certificates.crt ''; - installPhase = '' python setup.py install --prefix=$out wrapPythonPrograms diff --git a/pkgs/applications/version-management/mercurial/default.nix b/pkgs/applications/version-management/mercurial/default.nix index 4d8b2fe27c60..12f3c8f11d86 100644 --- a/pkgs/applications/version-management/mercurial/default.nix 
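Review bot: `-DCA_FILE=/etc/ssl/certs/ca-certificates.crt` bakes a NixOS-only path into the weechat binary while the same derivation is also built on Darwin (the `stdenv.isDarwin` branch in this hunk), where that file will normally not exist. What weechat does when CA_FILE cannot be read is not visible here; if it warns and still completes the TLS handshake, the Darwin build loses certificate validation silently, so this is worth confirming before merging. A comment on the line such as `# system bundle path; absent on non-NixOS hosts — confirm weechat fails closed without it` would record the assumption. The mercurial hgrc hunk (`cacerts = /etc/ssl/certs/ca-certificates.crt`) is in the same position, that file also taking ApplicationServices for Darwin.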
+++ b/pkgs/applications/version-management/mercurial/default.nix @@ -1,6 +1,5 @@ { stdenv, fetchurl, python, makeWrapper, docutils, unzip, hg-git, dulwich -, guiSupport ? false, tk ? null, curses, cacert - +, guiSupport ? false, tk ? null, curses , ApplicationServices }: let @@ -48,7 +47,7 @@ stdenv.mkDerivation { mkdir -p $out/etc/mercurial cat >> $out/etc/mercurial/hgrc << EOF [web] - cacerts = ${cacert}/etc/ssl/certs/ca-bundle.crt + cacerts = /etc/ssl/certs/ca-certificates.crt EOF # copy hgweb.cgi to allow use in apache diff --git a/pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix b/pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix index a6621aebe432..c3f16db359e5 100644 --- a/pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix +++ b/pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix @@ -1,6 +1,6 @@ { stdenv, fetchurl, pkgconfig, dbus, libgcrypt, libtasn1, pam, python, glib, libxslt , intltool, pango, gcr, gdk_pixbuf, atk, p11_kit, makeWrapper -, docbook_xsl_ns, docbook_xsl, gnome3, cacert }: +, docbook_xsl_ns, docbook_xsl, gnome3 }: let majVer = gnome3.version; @@ -22,7 +22,7 @@ in stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig intltool docbook_xsl_ns docbook_xsl ]; configureFlags = [ - "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt" # NixOS hardcoded path + "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt" # NixOS hardcoded path "--with-pkcs11-config=$$out/etc/pkcs11/" # installation directories "--with-pkcs11-modules=$$out/lib/pkcs11/" ]; diff --git a/pkgs/desktops/gnome-3/3.16/core/rest/default.nix b/pkgs/desktops/gnome-3/3.16/core/rest/default.nix index 354f1715dc19..eada9ab19934 100644 --- a/pkgs/desktops/gnome-3/3.16/core/rest/default.nix +++ b/pkgs/desktops/gnome-3/3.16/core/rest/default.nix 
@@ -1,4 +1,4 @@ -{ stdenv, fetchurl, pkgconfig, glib, libsoup, gobjectIntrospection, cacert, gnome3 }: +{ stdenv, fetchurl, pkgconfig, glib, libsoup, gobjectIntrospection, gnome3 }: stdenv.mkDerivation rec { name = "rest-0.7.92"; @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig glib libsoup gobjectIntrospection]; - configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt"; + configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt"; meta = with stdenv.lib; { platforms = platforms.linux; diff --git a/pkgs/development/interpreters/elixir/default.nix b/pkgs/development/interpreters/elixir/default.nix index 99d649f3f684..c9a837744868 100644 --- a/pkgs/development/interpreters/elixir/default.nix +++ b/pkgs/development/interpreters/elixir/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, erlang, rebar, makeWrapper, coreutils, curl, bash, cacert }: +{ stdenv, fetchurl, erlang, rebar, makeWrapper, coreutils, curl, bash }: let version = "1.0.5"; @@ -32,8 +32,8 @@ stdenv.mkDerivation { b=$(basename $f) if [ $b == "mix" ]; then continue; fi wrapProgram $f \ - --prefix PATH ":" "${erlang}/bin:${coreutils}/bin:${curl}/bin:${bash}/bin" \ - --set CURL_CA_BUNDLE "${cacert}/etc/ssl/certs/ca-bundle.crt" + --prefix PATH ":" "${erlang}/bin:${coreutils}/bin:${curl}/bin:${bash}/bin" \ + --set CURL_CA_BUNDLE /etc/ssl/certs/ca-certificates.crt done ''; diff --git a/pkgs/development/libraries/glib-networking/default.nix b/pkgs/development/libraries/glib-networking/default.nix index 79b31b1365b7..a17b7a21409b 100644 --- a/pkgs/development/libraries/glib-networking/default.nix +++ b/pkgs/development/libraries/glib-networking/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, pkgconfig, glib, intltool, gnutls, libproxy -, gsettings_desktop_schemas, cacert }: +, gsettings_desktop_schemas }: let ver_maj = "2.44"; 
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec { sha256 = "8f8a340d3ba99bfdef38b653da929652ea6640e27969d29f7ac51fbbe11a4346"; }; - configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt"; + configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt"; preBuild = '' sed -e "s@${glib}/lib/gio/modules@$out/lib/gio/modules@g" -i $(find . -name Makefile) diff --git a/pkgs/servers/mail/opensmtpd/default.nix b/pkgs/servers/mail/opensmtpd/default.nix index 810012fb60ad..a95a5d81ce95 100644 --- a/pkgs/servers/mail/opensmtpd/default.nix +++ b/pkgs/servers/mail/opensmtpd/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { "--with-sock-dir=/run" "--with-privsep-user=smtpd" "--with-queue-user=smtpq" - "--with-ca-file=${cacert}/etc/ssl/certs/ca-bundle.crt" + "--with-ca-file=/etc/ssl/certs/ca-certificates.crt" ]; installFlags = [ diff --git a/pkgs/tools/misc/pipelight/pipelight.patch b/pkgs/tools/misc/pipelight/pipelight.patch index bde6ecf943d9..66dd0fdab4c0 100644 --- a/pkgs/tools/misc/pipelight/pipelight.patch +++ b/pkgs/tools/misc/pipelight/pipelight.patch @@ -43,7 +43,7 @@ diff -urN pipelight.old/bin/pipelight-plugin.in pipelight.new/bin/pipelight-plug -fi +download_file() +{ -+ curl --cacert /etc/ssl/certs/ca-bundle.crt -o "$1" "$2" ++ curl --cacert /etc/ssl/certs/ca-certificates.crt -o "$1" "$2" +} # Use shasum instead of sha256sum on MacOS / *BSD @@ -111,7 +111,7 @@ diff -urN pipelight.old/share/install-dependency pipelight.new/share/install-dep -fi +download_file() +{ -+ curl --cacert /etc/ssl/certs/ca-bundle.crt -o "$1" "$2" ++ curl --cacert /etc/ssl/certs/ca-certificates.crt -o "$1" "$2" +} +get_download_size() +{ diff --git a/pkgs/tools/networking/aria2/default.nix b/pkgs/tools/networking/aria2/default.nix index 8d7f4541cade..e48beb3fe35b 100644 --- a/pkgs/tools/networking/aria2/default.nix +++ b/pkgs/tools/networking/aria2/default.nix 
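Review bot: The opensmtpd `--with-ca-file` line is the only place in this commit where no matching removal of `cacert` from the file's parameter set appears; the 1 insertion/1 deletion in the diffstat suggests the header, which lies outside this hunk, still declares it or never did. A declared-but-unused argument evaluates fine under callPackage, but for consistency with the other sixteen files it should be dropped if present, so that a search for cacert consumers no longer reports this package. The configureFlags list continues before and after the hunk.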
@@ -1,4 +1,4 @@ -{ stdenv, fetchurl, pkgconfig, cacert, c-ares, openssl, libxml2, sqlite, zlib }: +{ stdenv, fetchurl, pkgconfig, c-ares, openssl, libxml2, sqlite, zlib }: stdenv.mkDerivation rec { name = "aria2-${version}"; @@ -11,9 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig c-ares openssl libxml2 sqlite zlib ]; - propagatedBuildInputs = [ cacert ]; - - configureFlags = [ "--with-ca-bundle=${cacert}/etc/ssl/certs/ca-bundle.crt" ]; + configureFlags = [ "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt" ]; meta = with stdenv.lib; { homepage = http://aria2.sourceforge.net/; diff --git a/pkgs/tools/security/prey/default.nix b/pkgs/tools/security/prey/default.nix index d04f48c0f313..b36c11cf9345 100644 --- a/pkgs/tools/security/prey/default.nix +++ b/pkgs/tools/security/prey/default.nix @@ -1,5 +1,4 @@ -{ stdenv, fetchurl, fetchgit, curl, scrot, imagemagick, xawtv, inetutils -, makeWrapper, coreutils, cacert +{ stdenv, fetchurl, fetchgit, curl, scrot, imagemagick, xawtv, inetutils, makeWrapper, coreutils , apiKey ? "" , deviceKey ? "" }: @@ -36,7 +35,7 @@ in stdenv.mkDerivation rec { cp -R ${modulesSrc}/* $out/modules/ wrapProgram "$out/prey.sh" \ --prefix PATH ":" "${xawtv}/bin:${imagemagick}/bin:${curl}/bin:${scrot}/bin:${inetutils}/bin:${coreutils}/bin" \ - --set CURL_CA_BUNDLE "${cacert}/etc/ssl/certs/ca-bundle.crt" + --set CURL_CA_BUNDLE "/etc/ssl/certs/ca-certificates.crt" ''; meta = with stdenv.lib; {