From 4e318bcca19e7972d1fa8b15c4eadf85e3d5a6a1 Mon Sep 17 00:00:00 2001 From: Andreas Rammhold Date: Sun, 30 May 2021 16:54:09 +0200 Subject: [PATCH] cacerts: Make updater script aware of the nss_latest attribute Usually, on the stable channel, we have a nss_latest attribute that is more up to date than the nss attribute (which is usually frozen during branch-off and only receives security updates). Cacerts are a sensitive matter and should be updated more frequently than the stable NSS package, if required. By making the update script aware of the nss_latest attribute we can prefer that when it exists. By having this change in the unstable branch of Nixpgks we can carry it from release to release without requiring more churn from those doing the stable release maintenance. --- pkgs/data/misc/cacert/update.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/pkgs/data/misc/cacert/update.sh b/pkgs/data/misc/cacert/update.sh index 7bf3d46cb02f..1c286dc6206f 100755 --- a/pkgs/data/misc/cacert/update.sh +++ b/pkgs/data/misc/cacert/update.sh @@ -12,6 +12,14 @@ # # As of this writing there are a few magnitudes more packages depending on # cacert than on nss. +# +# If the current nixpkgs revision contains the attribute `nss_latest` that will +# be used instead of `nss`. This is done to help the stable branch maintenance +# where (usually) after branch-off during the first Firefox upgrade that +# requries a new NSS version that attribute is introduced. +# By having this change in the unstable branch we can safely carry it from +# release to release without requiring more backport churn on those doing the +# stable maintenance. set -ex @@ -20,7 +28,7 @@ BASEDIR="$(dirname "$0")/../../../.." CURRENT_PATH=$(nix-build --no-out-link -A cacert.out) -PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.overrideAttrs (_: { inherit (nss) src version; })).out") +PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.overrideAttrs (_: { inherit (nss_pkg) src version; })).out") # Check the hash of the etc subfolder # We can't check the entire output as that contains the nix-support folder