| 18 Nov 2025 |
 WeetHet | Yeah, without unset SSL_CERT_FILE it fails even without sandbox:
❯ nix-build -A default --log-format multiline-with-logs --option sandbox false
this derivation will be built:
/nix/store/m2cc2n43cr6gyn3gbkx094c27kjzrhnv-fetched-content.drv
building '/nix/store/m2cc2n43cr6gyn3gbkx094c27kjzrhnv-fetched-content.drv'...
fetched-content> Error: reqwest::Error { kind: Request, url: "https://dummyjson.com/test", source: hyper_util::client::legacy::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } }) }
error: builder for '/nix/store/m2cc2n43cr6gyn3gbkx094c27kjzrhnv-fetched-content.drv' failed with exit code 1;
last 1 log lines:
> Error: reqwest::Error { kind: Request, url: "https://dummyjson.com/test", source: hyper_util::client::legacy::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } }) }
For full logs, run:
nix-store -l /nix/store/m2cc2n43cr6gyn3gbkx094c27kjzrhnv-fetched-content.drv
| 22:37:48 |
| WeetHet | At least native certs are fixed | 22:44:38 |
| WeetHet | Yippee.png | 22:45:08 |
 Randy Eckenrode | I really hate LLVM’s command-line parsing. | 23:41:31 |
| 19 Nov 2025 |
|  dave :3 joined the room. | 00:21:21 |
| WeetHet | I don't understand the purpose of
https://github.com/NixOS/nixpkgs/blob/0157c02bf5c109b712e8373e21b516828ca3bed5/pkgs/stdenv/generic/setup.sh#L997-L1005
# Prevent SSL libraries from using certificates in /etc/ssl, unless set explicitly.
# Leave it in impure shells for convenience.
if [[ -z "${NIX_SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then
export NIX_SSL_CERT_FILE=/no-cert-file.crt
fi
# Another variant left for compatibility.
if [[ -z "${SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then
export SSL_CERT_FILE=/no-cert-file.crt
fi
We have sandbox to ensure that people use exactly what we provide to them, can these lines just be removed?
| 10:25:35 |
| WeetHet | This seems to originate from here: https://github.com/NixOS/nixpkgs/commit/788da6894fac5b20d183ce5afbab3bacd7ddeaca
And was there before we actually had NIX_SSL_CERT_FILE
| 10:35:15 |
| WeetHet | At least I think SSL_CERT_FILE should just not be tampered with | 10:35:52 |
| WeetHet | Because it's something not-nix related in all cases | 10:36:09 |
 toonn | Is the sandbox enabled by default? | 10:38:40 |
| WeetHet | For FODs no | 10:40:40 |
| WeetHet | For non-FODs also no | 10:40:48 |
| WeetHet | I think | 10:41:00 |
| WeetHet | But why does it matter what happens when sandbox is disabled. If it's disabled all guarantees are off anyways | 10:41:42 |
| toonn | Since it's the common case it shouldn't be broken more than is unavoidable, no? | 10:42:34 |
| WeetHet | Setting SSL_CERT_FILE to a non-existent file doesn't fix anything, there are 2 options:
- The build would randomly break with an error which is difficult to trace to
SSL_CERT_FILE being /no-cert-file.crt
- The program would see that the file doesn't exist and ignore the variable entirely and still continue to access whatever it would if it was unset
| 10:45:01 |
| WeetHet | Neither behaviour is very nice honestly | 10:45:14 |
| WeetHet | Setting it to /no-cert-file.crt does nothing in 99% of the cases and breaks the remaining 1% which is using native macOS keychain in FODs | 10:46:32 |
| WeetHet | If you really want to set it to something set it to NIX_SSL_CERT_FILE but this is also incorrect since now the program that expects that it would use native keychain now starts using the .crt file | 10:47:33 |
|  Trond joined the room. | 10:48:09 |
| WeetHet | This is still better than having a non-existent file since it wouldn't break immediately and for nixpkgs you can't rely on some certificates being installed locally | 10:48:28 |
| WeetHet | So maybe this is the correct way for nixpkgs | 10:48:45 |
| WeetHet | But the current behaviour is objectively incorrect | 10:49:00 |
| toonn | I don't see how using the native keychain is right during builds. There's no way to manage that from Nix so it'd mean builds could never be pure. | 10:53:10 |
|  7karni joined the room. | 10:55:52 |
| WeetHet | I'm still talking about FODs | 10:55:56 |
| WeetHet | They can use whatever certs they want as long as the output hash matches | 10:56:22 |
| WeetHet | The other option still is
# Prevent SSL libraries from using certificates in /etc/ssl, unless set explicitly.
# Leave it in impure shells for convenience.
if [[ -z "${NIX_SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then
export NIX_SSL_CERT_FILE=/no-cert-file.crt
fi
# Another variant left for compatibility.
if [[ -z "${SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then
export SSL_CERT_FILE=$NIX_SSL_CERT_FILE
fi
| 11:00:46 |
| WeetHet | Which is still better than the current one | 11:00:55 |
| toonn | For FODs I agree, if the hash matches there's no purity problem. But that shell excerpt has nothing to do with FODs, no? | 11:31:28 |
