Commit bed19bdf authored by adisbladis's avatar adisbladis

fetchPypiLegacy: Pass cacert to enable TLS verification when username/password is used

The intent was for TLS verification to be enabled only when credentials are being transferred, and normally disabled for long-term reproducibility.

See https://github.com/nix-community/poetry2nix/issues/1740
parent 6aad68f7
+49 −41
@@ -3,7 +3,8 @@
  runCommand,
  lib,
  python3,
}:
  cacert,
}@pkgs:
let
  inherit (lib)
    optionalAttrs
@@ -18,6 +19,7 @@ let

  impureEnvVars = fetchers.proxyImpureEnvVars ++ optional inPureEvalMode "NETRC";
in
lib.makeOverridable (
  {
    # package name
    pname,
@@ -31,6 +33,8 @@ in
    hash,
    # allow overriding the derivation name
    name ? null,
    # allow overriding cacert using src.override { cacert = cacert.override { extraCertificateFiles = [ ./path/to/cert.pem ]; }; }
    cacert ? pkgs.cacert,
  }:
  let
    urls' = urls ++ optional (url != null) url;
@@ -44,7 +48,10 @@ assert urls' != [ ];
  runCommand file
    (
      {
      nativeBuildInputs = [ python3 ];
        nativeBuildInputs = [
          python3
          cacert
        ];
        inherit impureEnvVars;
        outputHashMode = "flat";
        # if hash is empty select a default algo to let nix propose the actual hash.
@@ -60,3 +67,4 @@ runCommand file
      } --pname ${pname} --filename ${file}
      mv ${file} $out
    ''
)
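Review bot: Adding `cacert` to `nativeBuildInputs` in the fourth hunk only makes the CA bundle available to the build environment (presumably through cacert's setup hook exporting the bundle path); nothing in these hunks shows the Python fetch invoked with `--pname ${pname} --filename ${file}` actually using it when a username/password is present, so the security property the commit message describes is enforced elsewhere and is invisible here. A reader of this file cannot tell why a fetcher that deliberately skips verification pulls in a CA bundle, so the entry deserves a why-comment, e.g. `# CA bundle so the fetch script can verify TLS when credentials are sent` above `cacert` in the list. The `cacert ? pkgs.cacert` parameter and its override comment in the third hunk also mean the caller controls which roots the credentialed fetch trusts; that comment would be easier to read split into two lines, with the override example on its own. The `runCommand` call and the fetch script's argument handling both continue outside the hunks shown.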