mirror of
https://github.com/NixOS/nix.git
synced 2024-11-25 16:23:02 +00:00
builtin:fetchurl: Enable TLS verification
This is better for privacy and to avoid leaking netrc credentials in a MITM attack, but also the assumption that we check the hash no longer holds in some cases (in particular for impure derivations). Partially reverts5db358d4d7
. (cherry picked from commitc04bc17a5a
)
This commit is contained in:
parent
691f67d83e
commit
c65ce6c6ec
@ -34,10 +34,7 @@ void builtinFetchurl(const BasicDerivation & drv, const std::string & netrcData)
|
|||||||
|
|
||||||
auto source = sinkToSource([&](Sink & sink) {
|
auto source = sinkToSource([&](Sink & sink) {
|
||||||
|
|
||||||
/* No need to do TLS verification, because we check the hash of
|
|
||||||
the result anyway. */
|
|
||||||
FileTransferRequest request(url);
|
FileTransferRequest request(url);
|
||||||
request.verifyTLS = false;
|
|
||||||
request.decompress = false;
|
request.decompress = false;
|
||||||
|
|
||||||
auto decompressor = makeDecompressionSink(
|
auto decompressor = makeDecompressionSink(
|
||||||
|
Loading…
Reference in New Issue
Block a user