| 26 Jul 2025 |
raitobezarius (DECT: 7248) | The latter doesn't really care about performance I would imagine | 01:37:41 |
emily | it is set for every nix-darwin user | 01:37:46 |
raitobezarius (DECT: 7248) | In reply to @emilazy:matrix.org "it is set for every nix-darwin user": oh god | 01:37:53 |
emily | this is the correct thing to do | 01:37:58 |
emily | Nixpkgs using its own cacert is bad | 01:38:04 |
emily | we should move to a world where every user has their certs injected | 01:38:12 |
raitobezarius (DECT: 7248) | I mean, I see both sides of the arguments | 01:38:27 |
emily | reproducibility of old Nixpkgs can suffer from hosts moving to CAs that didn't exist at the time | 01:38:29 |
raitobezarius (DECT: 7248) | We have a cacert maintainer in this room :> | 01:38:32 |
emily | it also leads to bootstrapping issues | 01:38:47 |
raitobezarius (DECT: 7248) | In reply to @emilazy:matrix.org "reproducibility of old Nixpkgs can suffer from hosts moving to CAs that didn't exist at the time": this goes both ways though | 01:39:03 |
emily | e.g., tgerbet gave up on making fetchurl not bypass TLS | 01:39:06 |
emily | because it leads to bootstrapping issues with cacert | 01:39:12 |
raitobezarius (DECT: 7248) | reproducibility of old Nixpkgs can suffer from hosts moving to CAs that did exist at the time | 01:39:17 |
emily | yes, but that's the unavoidable failure mode of "a site going down" | 01:39:33 |
emily | breaking on sites that didn't go down is less justifiable | 01:39:45 |
emily | anyway | 01:39:54 |
raitobezarius (DECT: 7248) | convinced by your argument | 01:39:54 |
emily | this solution may be fine, I don't have a good idea of the perf impact | 01:40:07 |
raitobezarius (DECT: 7248) | well, this is HEAD | 01:40:12 |
emily | I figured just adding the file as content-addressed to the store would be easy | 01:40:16 |
raitobezarius (DECT: 7248) | we have time to cook it | 01:40:17 |
emily | in which case I think it's better | 01:40:21 |
emily | but if it is not easy then this seems sensible enough | 01:40:30 |
raitobezarius (DECT: 7248) | what is disturbing about adding the file as CA is that I don't want to start adding references to FODs | 01:40:37 |
raitobezarius (DECT: 7248) | and if I hide them, it's weird to have a nix store path that is not in the references | 01:40:56 |
emily | the warning is definitely not a great idea | 01:41:02 |
raitobezarius (DECT: 7248) | In reply to @emilazy:matrix.org "the warning is definitely not a great idea": why? | 01:41:10 |
emily | since IIRC settings.caFile gets set based on the daemon's NIX_SSL_CERT_FILE | 01:41:13 |
raitobezarius (DECT: 7248) | correct | 01:41:19 |