From 8e773802506eb620d90921497d7ce2bcf62ad149 Mon Sep 17 00:00:00 2001
From: ajs124
Date: Thu, 31 Mar 2022 21:42:08 +0200
Subject: [PATCH] cacert: 3.74 -> 3.77
---
 pkgs/data/misc/cacert/default.nix | 4 ++--
 pkgs/data/misc/cacert/update.sh | 17 +++++++----------
 2 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index 4d79521c255c..ecd8a1c3dfd3 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -20,7 +20,7 @@ let
 blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
 extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
- srcVersion = "3.74";
+ srcVersion = "3.77";
 version = if nssOverride != null then nssOverride.version else srcVersion;
 meta = with lib; {
 homepage = "https://curl.haxx.se/docs/caextract.html";
@@ -35,7 +35,7 @@ let
 src = if nssOverride != null then nssOverride.src else fetchurl {
 url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
- sha256 = "0mnhdkm4galhpvfz4rv0918jwmjlwkvcvb1f5va8f3zlz48qi4l8";
+ sha256 = "1pfy33b51914sivqyaxdwfd930hzb77gm07z4f57hnyk5xddypl2";
 };
 dontBuild = true;
diff --git a/pkgs/data/misc/cacert/update.sh b/pkgs/data/misc/cacert/update.sh
index 72d581b9650f..9ad5ede0f7ef 100755
--- a/pkgs/data/misc/cacert/update.sh
+++ b/pkgs/data/misc/cacert/update.sh
@@ -13,14 +13,11 @@
 # As of this writing there are a few magnitudes more packages depending on
 # cacert than on nss.
 #
-# If the current nixpkgs revision contains the attribute `nss_latest` that will
-# be used instead of `nss`. This is done to help the stable branch maintenance
-# where (usually) after branch-off during the first Firefox upgrade that
-# requries a new NSS version that attribute is introduced.
-# By having this change in the unstable branch we can safely carry it from
-# release to release without requiring more backport churn on those doing the
-# stable maintenance.
-
+# We use `nss_latest` instead of `nss_esr`, because that is the newer version
+# and we want up-to-date certificates.
+# `nss_esr` is used for the ecosystem at large through the `nss` attribute,
+# because it is updated less frequently and maintained for longer, whereas `nss_latest`
+# is used for software that actually needs a new nss, e.g. Firefox.
 set -ex
@@ -28,7 +25,7 @@ BASEDIR="$(dirname "$0")/../../../.."
 CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
-PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.override { nssOverride = nss_pkg; }).out")
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.override { nssOverride = nss_latest; }).out")
 # Check the hash of the etc subfolder
 # We can't check the entire output as that contains the nix-support folder
@@ -37,6 +34,6 @@ CURRENT_HASH=$(nix-hash "$CURRENT_PATH/etc")
 PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
 if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then
- NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .)
+ NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss_latest.version" | jq -r .)
 update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
 fi
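Review bot: In the last hunk, once `NSS_VERSION` is read from `nss_latest`, the `update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"` call still derives cacert's new `sha256` from a fresh download of the tarball, as far as I understand that tool, even though the same release is already pinned and reviewed under `nss_latest.src`; passing that hash through would avoid re-trusting the mirror at update time, e.g. `NSS_HASH=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss_latest.src.outputHash" | jq -r .)` followed by `update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION" "$NSS_HASH"`. This assumes `nss_latest` fetches the same `nss-${version}.tar.gz` that cacert's `fetchurl` in default.nix does, and that `update-source-version` accepts the hash in the format `outputHash` carries — both worth confirming before adopting it. In the second hunk, dropping the `pkgs.nss_latest or pkgs.nss` fallback means the script now aborts under `set -e` on a tree without `nss_latest`; a short comment such as `# nss_latest is required here; there is deliberately no fallback to nss` would make that intent explicit. The `if` block in the last hunk is complete within the hunk, and the hunks appear to end at the end of the script.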