linux/make-bootstrap-tools: Add support for a real XZ and HTTPS in curl #8081
This is the first set of patches in two PR's, the steps for migration are:
|
cp -d ${openssl}/lib/*.dylib $out/lib | ||
|
||
# Add ca-certs for curl verification |
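Review bot: The `# Add ca-certs for curl verification` comment on the last line of this hunk says a CA bundle goes into the bootstrap tools, but nothing visible here states where that bundle comes from or how it is kept current. A bundle copied into the tarball is frozen at build time, so certificates added or distrusted later are not reflected until the tarball is regenerated. Please extend the comment to name the source of the certificates and note that they are refreshed only when the bootstrap tools are rebuilt.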
I thought bootstrap only uses fetchurl, which doesn't use certificates AFAIK (--insecure).
Look at the next PR.
On Sun, May 31, 2015, 00:35 Vladimír Čunát [email protected] wrote:
> In pkgs/stdenv/darwin/make-bootstrap-tools.nix #8081 (comment):
> cp -d ${openssl}/lib/*.dylib $out/lib
> # Add ca-certs for curl verification
> I thought bootstrap only uses fetchurl, which doesn't use certificates
> AFAIK (--insecure).
In general, I believe we should replace (most) usages of bz2 by xz. It's supposed to be significantly superior in both compression ratio and resources needed for decompression. We might even drop bzip2 from the bootstrap tarball, but there would be little gain (~150 kB).
Agreed but we have to change all of those sources first. I think it's worth
On Sun, May 31, 2015, 00:45 Vladimír Čunát [email protected] wrote:
8f1c2f4 to 127184d
This will now need to be merged into staging as the fixes for grep require a mass rebuild.
I built this and the 2nd PR on my ARMv7 board. Here's one more patch that's needed for the cross tools to build correctly: dezgeg@6d0f474.
1893551 to 92810ee
This PR is unreviewable like this, since it contains 158 commits, most of which seem unrelated to the bootstrap tools...
It was a bad rebase after I cherry-picked in some stuff. I'll fix this soon.
On Tue, Jul 7, 2015, 06:33 Eelco Dolstra [email protected] wrote:
92810ee to 25b2cc5
…ols inside of bootstrap tools This makes it easier to add tools in the future and helps to minimize the amount of included libraries to the minimum without breaking executables.
This will open up options for sourcing tarballs from repositories like github as they only serve tarballs over ssl. It will also allow us to eventually verify all tls connections made by fetchurl.
25b2cc5 to b32f310
This won't make it into 15.09
Any news here? (I'm looking for HTTPS in fetchurl for bootstrapping perl-cross.)
IMO, using/supporting HTTPS down to bootstrapping level is rather superfluous. All fetches have checked hashes, so the only use case is when you update by invalidating hash and using the one from the error message, but we would better improve that workflow instead....
No, checking certs may be superfluous but it is becoming the trend to only
Yes, exactly. perl-cross tarballs are only available over HTTPS on github. (My long-term plan is to build a small cross-system with nix, boot it in Qemu and native compile from there.)
Oh, I see. I know some people want to completely abolish unencrypted transfers.
This change makes bootstrap-tools.tar.xz 500k larger which should be inconsequential given that bootstrap-tools is already 26MB. It also reduces the overall size of the bootstrap-tools tarball by dynamically determining what libraries it needs to include at build time. Note this is the first of 2 PR's