Don't force-break SSL applications in shells

[abbradar]

Things done

• Tested using sandboxing
  (nix.useSandbox on NixOS,
  or option build-use-sandbox in nix.conf
  on non-NixOS)
• Built on platform(s)
  • NixOS
  • OS X
  • Linux
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Fits CONTRIBUTING.md.

---

Fixes #13744.

[mention-bot]

By analyzing the blame information on this pull request, we identified @edolstra, @vcunat and @urkud to be potential reviewers

[peti]

Why does the generic builder set that value of $SSL_CERT_FILE at all? What is wrong with letting curl and friends use the built-in default cert file?

[abbradar]

cc @edolstra as the author of original 917ca89. I suppose there were purity issues with it because applications could get SSL bundle from the host OS X or Linux system.

[edolstra]

This change makes Nix shells less pure. Whether is desirable to have predictable SSL behaviour in nix-shell is subjective I guess.

[vcunat]

It would be best to depend on passing --pure.

[abbradar]

Yeah, it would be the best choice. I did patch this way because there's no way I know to distinguish one from another.

[vcunat]

Well, setting $SSL_CERT_FILE explicitly in your environment would achieve that (e.g. in ~/.profile), as without --pure the variable would get passed and stdenv code wouldn't touch it... but it doesn't feel like good solution either.

[vcunat]

Nitpick: the syntax seems bad.

setup: line 392: [: missing `]'

[abbradar]

Ouch! I remember running some build and stopping as soon as it got to configure (Perl, I think) but I haven't considered that it may, e.g., use its own builder. Wlll fix...

[vcunat]

It doesn't break builds. I don't know why. (I'm running on a system that includes this PR.)

[abbradar]

Hm, how have you got this message?

[vcunat]

The message is in every build log, but it doesn't make the builds fail. Perhaps just the if fails or something...

[abbradar]

Indeed,

$ [ "" = "" && "" = "" ]
bash: [: missing `]'
$ [ "" = "" ] && [ "" = "" ]
$

[abbradar]

Updated and this time the snippet was tested in a Bash terminal.

[vcunat]

Fun hack: if [ -z "$SSL_CERT_FILE$IN_NIX_SHELL" ]; then

[vcunat]

See NixOS/nix#933

[danbst]

@domenkozar @edolstra can we get this into 16.09? I just hit this on freshly deployed unstable, but didn't hit this on 16.03.

[domenkozar]

+1 for better UX on this front.

[vcunat]

This is waiting for NixOS/nix#933 and/or NixOS/nix#1027 – the latter doesn't seem catchable before 16.09, but how can I know...

[edolstra]

Well, we could do another 1.11 maintenance release with the IN_NIX_SHELL change, but since it's a potential breaking change, I'm not sure if it's a good idea...

Another possibility is to have nix-shell propagate SSL_CERT_FILE, just like it does for TZ.

[vcunat]

@edolstra: we can bump to 1.12 if you prefer. As for nixpkgs 16.09, I think we can squeeze this kind of breaking change.

[vcunat]

BTW, getting rid of perl seems quite a major change (much larger), even if it doesn't break compatibility.

[edolstra]

Sure, for 1.12 it's fine, but that's not going to be released any time soonish.

[domenkozar]

Merging to staging, hopefully we can get this one to 16.09 with minimal impact.