git: respect $SSL_CERT_FILE

[edef1c]

This allows git to work on systems without
/etc/ssl/certs/ca-certificates.crt, such as OS X, instead of failing
with "error setting certificate verify locations".

Things done

• Tested using sandboxing (nix-build --option build-use-chroot true or nix.useChroot on NixOS)
• Built on platform(s)
  • NixOS
  • OS X
  • Linux
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Fits CONTRIBUTING.md.

[mention-bot]

By analyzing the blame information on this pull request, we identified @peti, @edolstra and @zimbatm to be potential reviewers

[zimbatm]

maybe put it on the top of the list since it's non-standard. the official/documented envs should override the SSL_CERT_FILE if set.

[edef1c]

Actually, this doesn't override the GIT_SSL_CAPATH, it sets ssl_capath, not ssl_cainfo, which is set below.

[zimbatm]

My bad, you're right

[zimbatm]

I think it's a good idea but would like a second opinion on this. /cc @vcunat

[edef1c]

Right now, nixpkgs.git is unusable on OS X by default without this. (also, is there so much stuff that depends on git that isn't a fixed-output derivation?)

[edef1c]

Also, while we're at it, we could get rid of the custom env var in fetchgit perhaps:

diff --git a/pkgs/build-support/fetchgit/default.nix b/pkgs/build-support/fetchgit/default.nix
index 7f98c97..9310e34 100644
--- a/pkgs/build-support/fetchgit/default.nix
+++ b/pkgs/build-support/fetchgit/default.nix
@@ -54,7 +54,7 @@ stdenv.mkDerivation {

   inherit url rev leaveDotGit fetchSubmodules deepClone branchName;

-  GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
+  SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";

   impureEnvVars = [
     # We borrow these environment variables from the caller to allow

[edef1c]

Any concrete requests for changes to this patch?

[zimbatm]

Nope, all good :)