authorAndreas Rammhold <andreas@rammhold.de>2020-11-18 15:51:51 +0100
committerAndreas Rammhold <andreas@rammhold.de>2020-11-18 20:13:22 +0100
commit94448baf6d53714b249e91c150e8a7121508bf52 (patch)
tree55e536fe599e4ab406e8c77cfcc62a122d5ed8e0 /pkgs/data/misc
parentad0958bf7df05b97d3d09e802e3698076afa95fa (diff)
cacert: decouple from NSS to reduce rebuild amount
In [#100765] @vcunat pointed out that we could decouple cacert from the NSS package to make it more rebuild friendly. Rebuilding just the packages that depend on NSS seems to be about ~100 packages, whereas rebuilding all the packages that depend on cacert is >9k as of this writing. This makes it much more feasible to upgrade high-profile packages that are (rightfully) pedantic about their NSS version, like firefox and thunderbird. [#100765]: https://github.com/NixOS/nixpkgs/pull/100765
Diffstat (limited to 'pkgs/data/misc')
-rw-r--r--pkgs/data/misc/cacert/default.nix11
-rwxr-xr-xpkgs/data/misc/cacert/update.sh34
2 files changed, 43 insertions, 2 deletions
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index f72431c5a27c..34e0ec132a9f 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -13,12 +13,17 @@ let
sha256 = "1d4q27j1gss0186a5m8bs5dk786w07ccyq0qi6xmd2zr1a8q16wy";
};
+ version = "3.57";
+ underscoreVersion = builtins.replaceStrings ["."] ["_"] version;
in
stdenv.mkDerivation {
- name = "nss-cacert-${nss.version}";
+ name = "nss-cacert-${version}";
- src = nss.src;
+ src = fetchurl {
+ url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/nss-${version}.tar.gz";
+ sha256 = "55a86c01be860381d64bb4e5b94eb198df9b0f098a8af0e58c014df398bdc382";
+ };
outputs = [ "out" "unbundled" ];
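Review bot: The new `version = "3.57";` is pinned independently of `nss.version`, but nothing in default.nix says why, so the next maintainer is likely to "fix" it back to the NSS version and reintroduce the >9k rebuilds the commit is avoiding; the rationale currently lives only in update.sh. Add a comment above the pin, e.g. `# Deliberately decoupled from nss.version: only bumped by update.sh when the certificate bundle produced from the newer NSS tarball actually differs.` On a point of style, the new `sha256` on the fetchurl is a 64-character hex string while the existing `sha256` earlier in the same `let` uses base32; keeping one encoding in the file would make it easier to spot a hash that was pasted incorrectly. The `let` block begins before this hunk.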
@@ -60,6 +65,8 @@ stdenv.mkDerivation {
setupHook = ./setup-hook.sh;
+ passthru.updateScript = ./update.sh;
+
meta = {
homepage = "https://curl.haxx.se/docs/caextract.html";
description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
diff --git a/pkgs/data/misc/cacert/update.sh b/pkgs/data/misc/cacert/update.sh
new file mode 100755
index 000000000000..7bf3d46cb02f
--- /dev/null
+++ b/pkgs/data/misc/cacert/update.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p nix common-updater-scripts jq
+
+# Build both the cacert package and an overriden version where we use the source attribute of NSS.
+# Cacert and NSS are both from the same upstream sources. They are decoupled as
+# the cacert output only cares about a few infrequently changing files in the
+# sources while the NSS source code changes frequently.
+#
+# By having cacert on a older source revision that produces the same
+# certificate output as a newer version we can avoid large amounts of
+# unnecessary rebuilds.
+#
+# As of this writing there are a few magnitudes more packages depending on
+# cacert than on nss.
+
+
+set -ex
+
+BASEDIR="$(dirname "$0")/../../../.."
+
+
+CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.overrideAttrs (_: { inherit (nss) src version; })).out")
+
+# Check the hash of the etc subfolder
+# We can't check the entire output as that contains the nix-support folder
+# which contains the output path itself.
+CURRENT_HASH=$(nix-hash "$CURRENT_PATH/etc")
+PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
+
+if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then
+ NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .)
+ update-source-version cacert "$NSS_VERSION"
+fi
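Review bot: `nix-build --no-out-link -A cacert.out` resolves `cacert` against the current working directory, whereas the patched build and the version lookup both evaluate `import $BASEDIR`; when the script is run via `passthru.updateScript` from somewhere other than the nixpkgs root, the two outputs compared by hash can come from different trees (or the first build fails), which silently defeats the equality check that decides whether to bump. Change it to `CURRENT_PATH=$(nix-build --no-out-link "$BASEDIR" -A cacert.out)`. Related: `$BASEDIR` is interpolated unquoted inside both `-E` expressions, so a checkout path containing whitespace breaks them; passing it as a quoted Nix string (`with import "$BASEDIR" {}; …` inside the double-quoted expression, with the inner quotes escaped) would avoid that. Lastly, `set -ex` does not fail on an unset variable or on the `nix-instantiate | jq` pipeline failing, so a failed evaluation would feed an empty `NSS_VERSION` into `update-source-version`; `set -euxo pipefail` covers both.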