New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix legacy relative paths including ../
#327
Fix legacy relative paths including ../
#327
Conversation
The SSL cert verification code needs to be the way it is for reasons explained in #299 (comment). It cannot be "fixed" by adding root certs. |
Apart from that I can't really judge the code here. CC @nlewo |
I read #299 now and the comments there. The reason why adding cacert is necessary is because it is currently not working the way the code portrays it should. It does try to validate certificates, hence the Passing From the documentation: "If context is specified, it must be a ssl.SSLContext instance describing the various SSL options. See HTTPSConnection for more details." I think what the code was meant to do was context = ssl.create_default_context()
context.verify_mode = ssl.CERT_NONE |
Can we perhaps make verifying certificates an opt-in (or opt-out) so that the user can control it? Shall I open a separate issue for that maybe? For my use case it is very important that certificates are verified. |
@johanwiren Regarding certificate, i'm surprised you need to verified them. It currently works like that:
So, i don't see where the threat could be: we use SSL to get the hash of the file and Nix validates this hash. Even if Nix downloads the artifact from a compromised source, the hash verification will then fails. Also, I submitted #329 to fix the SSL error you encountered (my bad, sorry). (I will also take a look at your initial issue.) |
1b8ee7c
to
16681e8
Compare
I removed the cacert fix from this PR. It only addresses handling urls containing |
@nlewo Thanks for explaining the security mechanisms in play here. As I said, I'm new to Nix, and I guess this is related to always having "reproducible builds" and I can understand the tradeoffs being made here. |
Since I've merged @nlewo's latest TLS fixes this needs rebasing. |
16681e8
to
0550a67
Compare
Rebased on master |
LGTM! |
Artifactory's pypi repositories creates links from the index pages that look something like this:
../../$package-name/$version/$artifact.$ext
. This breaks since urllib does not normalize the../
parts from the links and Artifactory does not resolve them when fetching the artifacts, leading to an unexpected 404.This PR adds support for resolving the
../
parts of the URL.It also adds thecacert
derivation into the build to allow SSL certificate verification.Nix is kind of new to me and I struggled really hard trying to write a sane test for this and failed so I'm posting this PR without tests and am open to write tests if someone can hint me how to set that up for testing this.