builtin:fetchurl: Enable TLS verification

This is better for privacy and to avoid leaking netrc credentials in a MITM attack, but also the assumption that we check the hash no longer holds in some cases (in particular for impure derivations). Partially reverts 5db358d4d7. (cherry picked from commit c04bc17a5a)
2024-11-21 22:32:26 +00:00 · 2024-09-23 15:09:44 +02:00 · 2024-09-23 15:09:44 +02:00 · 7e46d4077a
commit 7e46d4077a
parent 0969e6375c
1 changed files with 0 additions and 3 deletions
--- a/src/libstore/builtins/fetchurl.cc
+++ b/src/libstore/builtins/fetchurl.cc
@ -41,10 +41,7 @@ void builtinFetchurl(const BasicDerivation & drv, const std::string & netrcData)

        auto source = sinkToSource([&](Sink & sink) {

-            /* No need to do TLS verification, because we check the hash of
-               the result anyway. */
            FileTransferRequest request(url);
-            request.verifyTLS = false;
            request.decompress = false;

            auto decompressor = makeDecompressionSink(