mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-21 22:43:01 +00:00
fetchPypiLegacy: Pass cacert to enable TLS verification when username/password is used
The intent was for TLS verification to be enabled when transfering credentials only, and normally disabled for long-term reproducibility. See https://github.com/nix-community/poetry2nix/issues/1740
This commit is contained in:
parent
6aad68f7ca
commit
bed19bdf39
@ -3,7 +3,8 @@
|
||||
runCommand,
|
||||
lib,
|
||||
python3,
|
||||
}:
|
||||
cacert,
|
||||
}@pkgs:
|
||||
let
|
||||
inherit (lib)
|
||||
optionalAttrs
|
||||
@ -18,7 +19,8 @@ let
|
||||
|
||||
impureEnvVars = fetchers.proxyImpureEnvVars ++ optional inPureEvalMode "NETRC";
|
||||
in
|
||||
{
|
||||
lib.makeOverridable (
|
||||
{
|
||||
# package name
|
||||
pname,
|
||||
# Package index
|
||||
@ -31,20 +33,25 @@ in
|
||||
hash,
|
||||
# allow overriding the derivation name
|
||||
name ? null,
|
||||
}:
|
||||
let
|
||||
# allow overriding cacert using src.override { cacert = cacert.override { extraCertificateFiles = [ ./path/to/cert.pem ]; }; }
|
||||
cacert ? pkgs.cacert,
|
||||
}:
|
||||
let
|
||||
urls' = urls ++ optional (url != null) url;
|
||||
|
||||
pathParts = filter ({ prefix, path }: "NETRC" == prefix) builtins.nixPath;
|
||||
netrc_file = if (pathParts != [ ]) then (head pathParts).path else "";
|
||||
|
||||
in
|
||||
# Assert that we have at least one URL
|
||||
assert urls' != [ ];
|
||||
runCommand file
|
||||
in
|
||||
# Assert that we have at least one URL
|
||||
assert urls' != [ ];
|
||||
runCommand file
|
||||
(
|
||||
{
|
||||
nativeBuildInputs = [ python3 ];
|
||||
nativeBuildInputs = [
|
||||
python3
|
||||
cacert
|
||||
];
|
||||
inherit impureEnvVars;
|
||||
outputHashMode = "flat";
|
||||
# if hash is empty select a default algo to let nix propose the actual hash.
|
||||
@ -60,3 +67,4 @@ runCommand file
|
||||
} --pname ${pname} --filename ${file}
|
||||
mv ${file} $out
|
||||
''
|
||||
)
|
||||
|
Loading…
Reference in New Issue
Block a user