From f2e9046de511473744c394d5dbfb54ec678e0ce4 Mon Sep 17 00:00:00 2001 From: Matthew Bauer Date: Tue, 9 Jun 2020 01:37:10 -0500 Subject: fetchurl: allow empty hash Meant as a companion to https://github.com/NixOS/nix/pull/3674 This just resets outputHash if nothing is passed in. --- pkgs/build-support/fetchurl/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix index a0c48468dfac..39ec5bf5f2c4 100644 --- a/pkgs/build-support/fetchurl/default.nix +++ b/pkgs/build-support/fetchurl/default.nix @@ -112,7 +112,7 @@ let else if sha512 != "" then { outputHashAlgo = "sha512"; outputHash = sha512; } else if sha256 != "" then { outputHashAlgo = "sha256"; outputHash = sha256; } else if sha1 != "" then { outputHashAlgo = "sha1"; outputHash = sha1; } - else throw "fetchurl requires a hash for fixed-output derivation: ${lib.concatStringsSep ", " urls_}"; + else { outputHashAlgo = "sha256"; outputHash = ""; }; in stdenvNoCC.mkDerivation { -- cgit v1.2.3 From a528cc1bcacf7bae3042e64711df3a9f0094d9c3 Mon Sep 17 00:00:00 2001 From: Matthew Bauer Date: Tue, 9 Jun 2020 10:38:39 -0500 Subject: arduino: error on wrong architecture --- pkgs/development/arduino/arduino-core/default.nix | 33 +++++++++++------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/pkgs/development/arduino/arduino-core/default.nix b/pkgs/development/arduino/arduino-core/default.nix index 3512dcbd2bcf..88fa384d21eb 100644 --- a/pkgs/development/arduino/arduino-core/default.nix +++ b/pkgs/development/arduino/arduino-core/default.nix 
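Review bot: The new fallback `else { outputHashAlgo = "sha256"; outputHash = ""; }` turns a forgotten hash from an evaluation-time error into a derivation with no pinned content hash, and nothing in the hunk tells the user that this happened. How Nix treats an empty `outputHash` is decided by the companion change named in the commit message, which is not visible here, so behaviour on a Nix without it should be confirmed before relying on this branch. I would keep the case loud by wrapping the fallback, e.g. `else lib.warn "fetchurl: no hash given for ${lib.concatStringsSep ", " urls_}; the download is not pinned" { outputHashAlgo = "sha256"; outputHash = ""; }`, and add the comment `# empty outputHash: only meaningful with a Nix that handles "" (see NixOS/nix#3674)`. The same applies to the `cacert != null` branch that replaces this line in the later hunk at -112,7 +114,8. The `let` binding begins above the hunk.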
@@ -53,10 +53,10 @@ let xorg.libXxf86vm zlib ]; - teensy_architecture = - lib.optionalString (stdenv.hostPlatform.system == "x86_64-linux") "linux64" - + lib.optionalString (stdenv.hostPlatform.system == "i686-linux") "linux32" - + lib.optionalString (stdenv.hostPlatform.system == "arm-linux") "linuxarm"; + teensy_architecture = if stdenv.hostPlatform.isx86_32 then "linux32" + else if stdenv.hostPlatform.isx86_64 then "linux64" + else if stdenv.hostPlatform.isAarch32 then "linuxarm" + else throw "${stdenv.hostPlatform.system} is not supported in teensy"; flavor = (if withTeensyduino then "teensyduino" else "arduino") + stdenv.lib.optionalString (!withGui) "-core"; 
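Review bot: The error text `is not supported in teensy` is misleading, because `teensy_architecture` also selects the plain Arduino tarball (`arduino-${version}-${teensy_architecture}.tar.xz` in the next hunk), so a non-Teensy build on an unsupported platform would fail with a Teensy message. A neutral message such as `throw "arduino-core: no upstream binaries for ${stdenv.hostPlatform.system}"` fits both uses. Also, `isAarch32` presumably matches more systems than the old literal `"arm-linux"` comparison, so the pinned `linuxarm` hashes will now be selected on platforms where they previously were not. A comment naming the ARM variants the upstream binary targets would help. The `let` block continues outside the hunk.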
@@ -75,24 +75,21 @@ stdenv.mkDerivation rec { teensyduino_version = "147"; teensyduino_src = fetchurl { url = "https://www.pjrc.com/teensy/td_${teensyduino_version}/TeensyduinoInstall.${teensy_architecture}"; - sha256 = - lib.optionalString (teensy_architecture == "linux64") - "09ysanip5d2f5axzd81z2l74ayng60zqhjxmxs7xa5098fff46il" - + lib.optionalString (teensy_architecture == "linux32") - "1zw3cfv2p62dwg8838vh0gd1934b18cyx7c13azvwmrpj601l0xx" - + lib.optionalString (teensy_architecture == "linuxarm") - "12421z26ksx84aldw1pq0cakh8jhs33mwafgvfij0zfgn9x0i877"; - }; + sha256 = { + linux64 = "09ysanip5d2f5axzd81z2l74ayng60zqhjxmxs7xa5098fff46il"; + linux32 = "1zw3cfv2p62dwg8838vh0gd1934b18cyx7c13azvwmrpj601l0xx"; + linuxarm = "12421z26ksx84aldw1pq0cakh8jhs33mwafgvfij0zfgn9x0i877"; + }.${teensy_architecture} or (throw "No arduino binaries for ${teensy_architecture}"); + }; # Used because teensyduino requires jars be a specific size arduino_dist_src = fetchurl { url = "http://downloads.arduino.cc/arduino-${version}-${teensy_architecture}.tar.xz"; sha256 = - lib.optionalString (teensy_architecture == "linux64") - "1lv4in9j0r8s0cis4zdvbk2637vlj12w69wdxgcxcrwvkcdahkpa" - + lib.optionalString (teensy_architecture == "linux32") - "0zla3a6gd9prclgrbbgsmhf8ds8zb221m65x21pvz0y1cwsdvjpm" - + lib.optionalString (teensy_architecture == "linuxarm") - "1w5m49wfd68zazli0lf3w4zykab8n7mzp3wnbjqfpx2vip80bqnz"; + { + linux64 = "1lv4in9j0r8s0cis4zdvbk2637vlj12w69wdxgcxcrwvkcdahkpa"; + linux32 = "0zla3a6gd9prclgrbbgsmhf8ds8zb221m65x21pvz0y1cwsdvjpm"; + linuxarm = "1w5m49wfd68zazli0lf3w4zykab8n7mzp3wnbjqfpx2vip80bqnz"; + }.${teensy_architecture} or (throw "No arduino binaries for ${teensy_architecture}"); }; -- cgit v1.2.3 From 0046802ab6d3389b45f3e9fce6f5e2746e2e7f80 Mon Sep 17 00:00:00 2001 
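Review bot: Both `or (throw "No arduino binaries for ${teensy_architecture}")` fallbacks look unreachable as written, since `teensy_architecture` in the previous hunk already throws for every value other than the three keys, and neither carries a comment saying why it is there. The fallback is still worth keeping: if a new architecture string is added without a hash entry, evaluation fails instead of handing `fetchurl` an empty `sha256`, which the fetchurl change in this series would accept as an unpinned download. I would say so above each attribute set, e.g. `# a missing key must throw; an empty sha256 would give an unpinned fetch`, and use a Teensyduino-specific message in `teensyduino_src`. The two sets are also laid out differently (`sha256 = {` on one line in the first, `sha256 =` followed by `{` on its own line in the second); pick one form.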
From: Matthew Bauer Date: Tue, 9 Jun 2020 12:56:27 -0500 Subject: fetchurl: only allow empty hash when cacert is available MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We can use cacert to validate that the data passes SSL certificates. Normally, this doesn’t happen because we already have the hash, but in the hash = "" case we don’t. --- pkgs/build-support/fetchurl/builder.sh | 8 +++++++- pkgs/build-support/fetchurl/default.nix | 11 +++++++++-- pkgs/top-level/all-packages.nix | 1 + 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/pkgs/build-support/fetchurl/builder.sh b/pkgs/build-support/fetchurl/builder.sh index e93c98419a67..5b04a702aff4 100644 --- a/pkgs/build-support/fetchurl/builder.sh +++ b/pkgs/build-support/fetchurl/builder.sh @@ -15,8 +15,14 @@ curl=( --retry 3 --disable-epsv --cookie-jar cookies - --insecure --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion" +) + +if ! [ -f "$SSL_CERT_FILE" ]; then + curl+=(--insecure) +fi + +curl+=( $curlOpts $NIX_CURL_FLAGS ) diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix index 39ec5bf5f2c4..c65738aef41a 100644 --- a/pkgs/build-support/fetchurl/default.nix +++ b/pkgs/build-support/fetchurl/default.nix @@ -1,4 +1,6 @@ -{ lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC, curl }: # Note that `curl' may be `null', in case of the native stdenvNoCC. +{ lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC +, curl # Note that `curl' may be `null', in case of the native stdenvNoCC. +, cacert ? null }: let 
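Review bot: The guard added to builder.sh, `if ! [ -f "$SSL_CERT_FILE" ]; then curl+=(--insecure)`, fails open. It decides on whether a file exists rather than on whether a hash was given, so if the CA bundle path is ever wrong in the empty-hash case, the download runs with neither certificate verification nor a content hash. The builder should refuse when there is no hash and no bundle; this assumes `outputHash` reaches the builder environment like the other derivation attributes, which should be confirmed. Separately, `$curlOpts` and `$NIX_CURL_FLAGS` are still appended after the guard, so either can re-add `--insecure`; a comment saying so would help anyone auditing an empty-hash fetch. The `curl=(` array starts above the hunk.

```shell
if ! [ -f "$SSL_CERT_FILE" ]; then
    if [ -z "$outputHash" ]; then
        echo "fetchurl: no hash and no CA bundle at '$SSL_CERT_FILE'; refusing an unverified download" >&2
        exit 1
    fi
    # Content is pinned by outputHash, so skipping certificate checks does not weaken integrity.
    curl+=(--insecure)
fi

# … unchanged: curl+=( $curlOpts $NIX_CURL_FLAGS ) …
```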
@@ -112,7 +114,8 @@ let else if sha512 != "" then { outputHashAlgo = "sha512"; outputHash = sha512; } else if sha256 != "" then { outputHashAlgo = "sha256"; outputHash = sha256; } else if sha1 != "" then { outputHashAlgo = "sha1"; outputHash = sha1; } - else { outputHashAlgo = "sha256"; outputHash = ""; }; + else if cacert != null then { outputHashAlgo = "sha256"; outputHash = ""; } + else throw "fetchurl requires a hash for fixed-output derivation: ${lib.concatStringsSep ", " urls_}"; in stdenvNoCC.mkDerivation { @@ -134,6 +137,10 @@ stdenvNoCC.mkDerivation { # New-style output content requirements. inherit (hash_) outputHashAlgo outputHash; + SSL_CERT_FILE = if hash_.outputHash == "" + then "${cacert}/etc/ssl/certs/ca-bundle.crt" + else "/no-cert-file.crt"; + outputHashMode = if (recursiveHash || executable) then "recursive" else "flat"; inherit curlOpts showURLs mirrorsFile postFetch downloadToTemp executable; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index e3a6fd640311..1b7a5ef381de 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -331,6 +331,7 @@ in then buildPackages.fetchurl # No need to do special overrides twice, else makeOverridable (import ../build-support/fetchurl) { inherit lib stdenvNoCC buildPackages; + inherit cacert; curl = buildPackages.curl.override (old: rec { # break dependency cycles fetchurl = stdenv.fetchurlBoot; -- cgit v1.2.3
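Review bot: In the -134,6 +137,10 hunk of fetchurl/default.nix, `SSL_CERT_FILE` tests `hash_.outputHash == ""`, while the empty-hash branch of `hash_` tests `cacert != null`. If any earlier branch of `hash_` (above the hunk, not visible here) can also yield an empty `outputHash`, `"${cacert}/etc/ssl/certs/ca-bundle.crt"` would be evaluated with `cacert` null and fail with an unrelated interpolation error. Making the dependency explicit avoids that: `SSL_CERT_FILE = if hash_.outputHash != "" then "/no-cert-file.crt" else if cacert != null then "${cacert}/etc/ssl/certs/ca-bundle.crt" else throw "fetchurl: an empty hash requires cacert";`. The `"/no-cert-file.crt"` value also needs a comment, e.g. `# deliberately non-existent: builder.sh then passes --insecure, acceptable only because outputHash pins the content`, since the coupling with builder.sh is otherwise invisible from this file.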