Having curl fall back to openssl's CA means that we need not patch curl
to respect NIX_SSL_CERT_FILE. It will work in all the cases.
This reverts commit fb4c43dd8a "curl: Use CA bundle in nix default profile by default"
If we want to reintroduce that feature, this needs to go inside openssl
Improve patching of curl to use NIX_SSL_CERT_FILE as default CA
Remove patches from git, as git uses curl and passes its environment
variables to curl.
$NIX_SSL_CERT_FILE overrides $SSL_CERT_FILE, which in turn overrides
the default CA path (/etc/ssl/certs/ca-certificates.crt). This allows
Nix to set a CA path without interfering with other packages (such as
Homebrew).
See https://github.com/NixOS/nix/issues/921.
Note: I ignored the C++ libraries, but it appears we're not currently
using them. Once we do, we'll probably want to put them in a separate
output as well (to prevent non-C++ users from depending on Boost).
I assume there's not much use for it during bootstrapping.
This fixes them as well, as curl was compiled against libnghttp2 but the
lib wasn't copied to the bootstrap tools.
The most complex problems were from dealing with switches reverted in
the meantime (gcc5, gmp6, ncurses6).
It's likely that darwin is (still) broken nontrivially.
... after auto-removing some kinds of files by default.
In some cases I let them be removed and in others I let them be put into
$docdev. That was more due to general indecisiveness on this question
than any reasons in the particular cases.
The previous attempt to patch libcurl used
  getenv("CURL_CA_BUNDLE") || getenv("SSL_CERT_FILE")
to get the second environment variable if the first is unset.
Unfortunately, this broke libcurl because the (||) operator in C returns
only 0 or 1, so it is inappropriate for pointer comparisons! Now we use
  getenv("CURL_CA_BUNDLE") ? getenv("CURL_CA_BUNDLE") : getenv("SSL_CERT_FILE")
instead. This has one downside: it always calls getenv twice! But,
that's a small price to pay for actually being correct.
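The two CA-bundle messages above (the NIX_SSL_CERT_FILE precedence and the `||` bug), as an added example that is not the nixpkgs patch or curl's own code: it shows what `||` actually yields on two pointers and resolves the documented order NIX_SSL_CERT_FILE, then SSL_CERT_FILE, then the default path, with one lookup per variable. The names `or_result`, `ca_bundle_path`, `resolve_with` and the sample paths are hypothetical, and treating an empty variable as unset is an assumption of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Default CA path named in the commit message above. */
#define DEFAULT_CA "/etc/ssl/certs/ca-certificates.crt"

typedef const char *(*env_lookup)(const char *name);

/* The broken form: || evaluates to the int 0 or 1, so the path is lost. */
int or_result(const char *a, const char *b) { return a || b; }

/* First variable that is set wins; each variable is looked up once. */
const char *ca_bundle_path(env_lookup env)
{
    static const char *const order[] = { "NIX_SSL_CERT_FILE", "SSL_CERT_FILE" };
    for (size_t i = 0; i < sizeof order / sizeof order[0]; i++) {
        const char *v = env(order[i]);
        if (v != NULL && v[0] != '\0') /* assumption: empty means unset */
            return v;
    }
    return DEFAULT_CA;
}

/* Constructed stand-in environment so the logic runs without real variables. */
static const char *fake_nix, *fake_ssl;
static const char *fake_env(const char *name)
{
    if (strcmp(name, "NIX_SSL_CERT_FILE") == 0) return fake_nix;
    if (strcmp(name, "SSL_CERT_FILE") == 0) return fake_ssl;
    return NULL;
}

const char *resolve_with(const char *nix, const char *ssl)
{
    fake_nix = nix;
    fake_ssl = ssl;
    return ca_bundle_path(fake_env);
}

static const char *real_env(const char *name) { return getenv(name); }

int main(void)
{
    printf("a || b          -> %d\n", or_result("/tmp/ca.crt", NULL));
    printf("constructed env -> %s\n", resolve_with(NULL, "/opt/ca.crt"));
    printf("real env        -> %s\n", ca_bundle_path(real_env));
    return 0;
}
```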
This version contains a security fix for CVE-2013-0249, for details please have
a look at:
http://curl.haxx.se/docs/adv_20130206.html
Thanks to @roconnor for pointing this out.
I'm pushing this to stdenv-updates because I'm not quite sure if it will break
other things because 7.29.0 is now non-blocking by default. Plus the security
vulnerability only affects IMAP, POP3 and SMTP protocol support.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cherry-picked into master, this won't change stdenv.
Signed-off-by: Shea Levy <shea@shealevy.com>
This version contains a security fix for CVE-2013-0249, for details please have
a look at:
http://curl.haxx.se/docs/adv_20130206.html
Thanks to @roconnor for pointing this out.
I'm pushing this to stdenv-updates because I'm not quite sure if it will break
other things because 7.29.0 is now non-blocking by default. Plus the security
vulnerability only affects IMAP, POP3 and SMTP protocol support.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is for consistency with terminology in stdenv (and the terms
"hostDrv" and "buildDrv" are not very intuitive, even if they're
consistent with GNU terminology).
Solves a hideous bug which affects lots of things including nix-env.
The question now is, how to rebuild everything that depends directly or indirectly on curl?
More about the underlying bug and its resolution here:
http://comments.gmane.org/gmane.comp.web.curl.library/33285
Bug looks like this:
  curl google.com
  curl: (7) Failed to connect to 74.125.224.35: Invalid argument
Allowing 'curl' build without some dependencies, if it is told not to build
with them.
Updating the make-bootstrap-tools for the latest gcc/glibc, removing the
dependency on klibc, and updating unpack-bootstrap-tools for the latest
bootstrap-tools to work.
svn path=/nixpkgs/branches/stdenv-updates/; revision=23305
This comes from:
  svn diff ^/nixpkgs/trunk/@18255 ^/nixpkgs/branches/stdenv-updates/ > diff
  patch -p0 < diff
and then adding into svn all files new from the patch.
trunk@18255 comes from the last time I updated stdenv-updates from trunk.
svn path=/nixpkgs/stdenv-updates2/; revision=18272
* Some fetchurl-related refactoring. The `realCurl' attribute is
gone, `curl' is the real thing. To prevent an infinite recursion in
`fetchurl' (because it depends on curl and building curl needs
fetchurl), curl and its dependencies (openssl, zlib, perl) use
`fetchurlBoot', which is the fetchurl used by the previous bootstrap
phase (e.g. the statically linked version of curl for
stdenv-linux). So as a result you can use https:// urls almost
everywhere.
There's also some hackery to prevent a different curl from being
built in every stdenv-linux bootstrap phase (namely the
stdenv.fetchurl attribute which allows fetchurl to be overridden
everywhere).
svn path=/nixpkgs/trunk/; revision=11905
* Added a patch to fix --retry in case of connection timeouts when
--connect-timeout is used. (--retry is still broken when
--connect-timeout isn't used.)
svn path=/nixpkgs/trunk/; revision=9956
dietlibc to produce small, statically linked binaries. This stdenv
also passes `-Os' to GCC automatically to optimise for size. It
also tries to prevent builders from linking against dynamic
libraries (which dietlibc doesn't support).
* A function `addAttrsToDerivation' that returns a modified stdenv
that always adds the specified attributes to the derivations that it
produces. Example (from curl):
  curlDiet = import ../tools/networking/curl {
    inherit fetchurl zlib;
    stdenv = addAttrsToDerivation {
      CFLAGS = "-DHAVE_INET_NTOA_R_2_ARGS=1";
    } (useDietLibC stdenv);
  };
(This is needed to get curl to build with dietlibc. Also note the
stacking of stdenv-modifying functions.)
* curl-diet: no longer necessary.
svn path=/nixpkgs/trunk/; revision=6761
* GCC 3.4.5.
* Updated several other stdenv packages.
* Modified the builders of several packages to use the generic
builder.
svn path=/nixpkgs/trunk/; revision=4336
- disable tiger, strategoxt, they don't work and give errors
- ftp.nl.kernel.org seems to have some problems, replaced with ftp.de.kernel.org
should be put back eventually
svn path=/nixpkgs/trunk/; revision=1215
* Make builders unexecutable by removing the hash-bang line and
execute permission.
* Convert calls to `derivation' to `mkDerivation'.
* Remove `system' and `stdenv' attributes from calls to
`mkDerivation'. These transformations were all done automatically,
so it is quite possible I broke stuff.
* Put the `mkDerivation' function in stdenv/generic.
svn path=/nixpkgs/trunk/; revision=874
builders for typical Autoconf-style to be much shorter, e.g.,
  . $stdenv/setup
  genericBuild
The generic builder does lots of stuff automatically:
- Unpacks source archives specified by $src or $srcs (it knows about
gzip, bzip2, tar, zip, and unpacked source trees).
- Determines the source tree.
- Applies patches specified by $patches.
- Fixes libtool not to search for libraries in /lib etc.
- Runs `configure'.
- Runs `make'.
- Runs `make install'.
- Strips debug information from static libraries.
- Writes nested log information (in the format accepted by
`log2xml').
There are also lots of hooks and variables to customise the generic
builder. See `stdenv/generic/docs.txt'.
* Adapted the base packages (i.e., the ones used by stdenv) to use the
generic builder.
* We now use `curl' instead of `wget' to download files in `fetchurl'.
* Neither `curl' nor `wget' are part of stdenv. We shouldn't
encourage people to download stuff in builders (impure!).
* Updated some packages.
* `buildinputs' is now `buildInputs' (but the old name also works).
* `findInputs' in the setup script now prevents inputs from being
processed multiple times (which could happen, e.g., if an input was
a propagated input of several other inputs; this caused the size
variables like $PATH to blow up exponentially in the worst case).
* Patched GNU Make to write nested log information in the format
accepted by `log2xml'. Also, prior to writing the build command,
Make now writes a line `building X' to indicate what is being
built. This is unfortunately often obscured by the gigantic tool
invocations in many Makefiles. The actual build commands are marked
`unimportant' so that they don't clutter pages generated by
`log2html'.
svn path=/nixpkgs/trunk/; revision=845