nix-gh/scripts
Philip Potter 4f3cf06c97 Verify TLS certificate before downloading binaries
The --insecure flag to curl tells curl not to bother checking if the TLS
certificate presented by the server actually matches the hostname
requested, and actually is issued by a trusted CA chain.  This almost
entirely negates any benefit from using TLS in the first place.

This removes the --insecure flag to ensure we actually have a secure
connection to the intended hostname before downloading binaries.

Manually tested locally within a dev-shell; was able to download
binaries from https://cache.nixos.org without issue.

[Note: --insecure was only used for fetching NARs, whose integrity is
verified by Nix anyway using the hash from the .narinfo. But if we can
fetch the .narinfo without --insecure, we can also fetch the .nar, so
there is not much point to using --insecure. --Eelco]
2016-01-05 14:19:46 +01:00
build-remote.pl.in nix-copy-closure: Add -v flag 2015-07-20 01:52:07 +02:00
copy-from-other-stores.pl.in copy-from-other-stores: Use cp 2015-06-04 14:55:40 +02:00
download-from-binary-cache.pl.in Verify TLS certificate before downloading binaries 2016-01-05 14:19:46 +01:00
download-using-manifests.pl.in Verify TLS certificate before downloading binaries 2016-01-05 14:19:46 +01:00
find-runtime-roots.pl.in Revert "Scan /proc/<pid>/cmdline for GC roots" 2013-12-20 14:18:24 +01:00
install-nix-from-closure.sh Update cacert locations 2015-06-08 11:40:35 +02:00
local.mk Add resolve-system-dependencies.pl 2015-10-21 12:38:52 -07:00
nix-build.in propagate NIX_BUILD_SHELL also in pure builds; document NIX_BUILD_SHELL in the nix-shell command documentation 2016-01-05 14:11:20 +01:00
nix-channel.in Drop newline in error message 2015-08-07 05:32:17 +02:00
nix-copy-closure.in Fix bad characters in "copying 7 missing paths from ..." 2015-11-10 16:12:26 +01:00
nix-generate-patches.in Use $XDG_RUNTIME_DIR for temporary files 2014-08-13 23:12:57 +02:00
nix-http-export.cgi.in Replace wrong (w.r.t. PATH) sed call with in-shell substitution 2009-02-19 20:46:45 +00:00
nix-install-package.in nix-install-package: follow symlinks 2015-01-30 11:30:21 +01:00
nix-profile.sh.in Revert "add the manpath to the installer" 2015-07-01 13:04:15 +02:00
nix-pull.in Shut up "Wide character" warnings in Perl scripts 2014-08-29 17:48:25 +02:00
nix-push.in nix-push: Support -j 2015-06-08 14:16:06 +02:00
nix-reduce-build.in Add support for ‘make installcheck’ 2013-11-25 18:47:03 +01:00
resolve-system-dependencies.pl.in reintroduce host deps in tandem with sandbox profiles 2015-11-21 15:57:06 -08:00
show-duplication.pl * `show-duplication.pl', a small utility that shows the amount of 2006-09-19 13:53:35 +00:00