cacert: 3.74 -> 3.77

This commit is contained in:
ajs124 2022-03-31 21:42:08 +02:00
parent eb9c616c79
commit 8e77380250
2 changed files with 9 additions and 12 deletions

View file

@ -20,7 +20,7 @@ let
blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
srcVersion = "3.74";
srcVersion = "3.77";
version = if nssOverride != null then nssOverride.version else srcVersion;
meta = with lib; {
homepage = "https://curl.haxx.se/docs/caextract.html";
@ -35,7 +35,7 @@ let
src = if nssOverride != null then nssOverride.src else fetchurl {
url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
sha256 = "0mnhdkm4galhpvfz4rv0918jwmjlwkvcvb1f5va8f3zlz48qi4l8";
sha256 = "1pfy33b51914sivqyaxdwfd930hzb77gm07z4f57hnyk5xddypl2";
};
dontBuild = true;

View file

@ -13,14 +13,11 @@
# As of this writing there are a few magnitudes more packages depending on
# cacert than on nss.
#
# If the current nixpkgs revision contains the attribute `nss_latest` that will
# be used instead of `nss`. This is done to help the stable branch maintenance
# where (usually) after branch-off during the first Firefox upgrade that
# requries a new NSS version that attribute is introduced.
# By having this change in the unstable branch we can safely carry it from
# release to release without requiring more backport churn on those doing the
# stable maintenance.
# We use `nss_latest` instead of `nss_esr`, because that is the newer version
# and we want up-to-date certificates.
# `nss_esr` is used for the ecosystem at large through the `nss` attribute,
# because it is updated less frequently and maintained for longer, whereas `nss_latest`
# is used for software that actually needs a new nss, e.g. Firefox.
set -ex
@ -28,7 +25,7 @@ BASEDIR="$(dirname "$0")/../../../.."
CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.override { nssOverride = nss_pkg; }).out")
PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.override { nssOverride = nss_latest; }).out")
# Check the hash of the etc subfolder
# We can't check the entire output as that contains the nix-support folder
@ -37,6 +34,6 @@ CURRENT_HASH=$(nix-hash "$CURRENT_PATH/etc")
PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then
NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .)
NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss_latest.version" | jq -r .)
update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
fi