diff options
Diffstat (limited to 'infra/libkookie/nixpkgs/pkgs/data/misc/cacert')
-rw-r--r-- | infra/libkookie/nixpkgs/pkgs/data/misc/cacert/default.nix | 11 | ||||
-rwxr-xr-x | infra/libkookie/nixpkgs/pkgs/data/misc/cacert/update.sh | 34 |
2 files changed, 43 insertions, 2 deletions
diff --git a/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/default.nix b/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/default.nix index f72431c5a27c..34e0ec132a9f 100644 --- a/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/default.nix +++ b/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/default.nix @@ -13,12 +13,17 @@ let sha256 = "1d4q27j1gss0186a5m8bs5dk786w07ccyq0qi6xmd2zr1a8q16wy"; }; + version = "3.57"; + underscoreVersion = builtins.replaceStrings ["."] ["_"] version; in stdenv.mkDerivation { - name = "nss-cacert-${nss.version}"; + name = "nss-cacert-${version}"; - src = nss.src; + src = fetchurl { + url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/nss-${version}.tar.gz"; + sha256 = "55a86c01be860381d64bb4e5b94eb198df9b0f098a8af0e58c014df398bdc382"; + }; outputs = [ "out" "unbundled" ]; @@ -60,6 +65,8 @@ stdenv.mkDerivation { setupHook = ./setup-hook.sh; + passthru.updateScript = ./update.sh; + meta = { homepage = "https://curl.haxx.se/docs/caextract.html"; description = "A bundle of X.509 certificates of public Certificate Authorities (CA)"; diff --git a/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/update.sh b/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/update.sh new file mode 100755 index 000000000000..7bf3d46cb02f --- /dev/null +++ b/infra/libkookie/nixpkgs/pkgs/data/misc/cacert/update.sh @@ -0,0 +1,34 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i bash -p nix common-updater-scripts jq + +# Build both the cacert package and an overriden version where we use the source attribute of NSS. +# Cacert and NSS are both from the same upstream sources. They are decoupled as +# the cacert output only cares about a few infrequently changing files in the +# sources while the NSS source code changes frequently. +# +# By having cacert on a older source revision that produces the same +# certificate output as a newer version we can avoid large amounts of +# unnecessary rebuilds. +# +# As of this writing there are a few magnitudes more packages depending on +# cacert than on nss. + + +set -ex + +BASEDIR="$(dirname "$0")/../../../.." + + +CURRENT_PATH=$(nix-build --no-out-link -A cacert.out) +PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.overrideAttrs (_: { inherit (nss) src version; })).out") + +# Check the hash of the etc subfolder +# We can't check the entire output as that contains the nix-support folder +# which contains the output path itself. +CURRENT_HASH=$(nix-hash "$CURRENT_PATH/etc") +PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc") + +if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then + NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .) + update-source-version cacert "$NSS_VERSION" +fi |