| 26 Jul 2025 |
emily | I figured just adding the file as content-addressed to the store would be easy | 01:40:16 |
raitobezarius (DECT: 7248) | we have time to cook it | 01:40:17 |
emily | in which case I think it's better | 01:40:21 |
emily | but if it is not easy then this seems sensible enough | 01:40:30 |
raitobezarius (DECT: 7248) | what is disturbing about adding the file as CA is that I don't want to start adding references to FODs | 01:40:37 |
raitobezarius (DECT: 7248) | and if I hide them, it's weird to have a nix store path that is not in the reference | 01:40:56 |
emily | the warning is definitely not a great idea | 01:41:02 |
raitobezarius (DECT: 7248) | In reply to @emilazy:matrix.org ("the warning is definitely not a great idea"): why? | 01:41:10 |
emily | since IIRC settings.caFile gets set based on the daemon's NIX_SSL_CERT_FILE | 01:41:13 |
raitobezarius (DECT: 7248) | correct | 01:41:19 |
emily | I believe it is just going to warn all the time for everyone? | 01:41:28 |
raitobezarius (DECT: 7248) | caFile.setDefault($NIX_SSL_CERT_FILE) | 01:41:30 |
raitobezarius (DECT: 7248) | well, now knowing that nix-darwin ALWAYS sets caFile | 01:42:04 |
raitobezarius (DECT: 7248) | this doesn't make sense anymore | 01:42:18 |
raitobezarius (DECT: 7248) | but the current situation is one hell of a configuration confusion | 01:42:34 |
emily | ok actually I forget if Nixpkgs sets it as impure by default | 01:42:40 |
emily | so maybe it would be fine | 01:42:42 |
raitobezarius (DECT: 7248) | well it's in the list of fetcher impure env vars | 01:42:50 |
raitobezarius (DECT: 7248) | fetcher | 01:42:53 |
raitobezarius (DECT: 7248) | fetcher proxy impure env vars actually * | 01:43:00 |
emily | right so that won't work great I think | 01:43:19 |
emily | also I'm not sure we want to set the non-NIX prefixed version but I'm not sure. pretty tired myself | 01:43:28 |
raitobezarius (DECT: 7248) | fetchhg sets it, k3s sets it somewhere, fetchpypilegacy sets it, fetchsvn sets it, build bazel sets it, fetchurl does | 01:43:37 |
emily | I would ask Toma what he thinks of this since he has been bashing his head against the whole thing for a while now | 01:43:38 |
emily | one issue | 01:43:58 |
raitobezarius (DECT: 7248) | what I read in the issue is that I felt like we came to a similar conclusion | 01:44:00 |
emily | is settings.caFile a trusted setting | 01:44:01 |
raitobezarius (DECT: 7248) | which is that NIX_SSL_CERT_FILE should go out of the env list | 01:44:08 |
emily | I am worried about confused deputy | 01:44:14 |
raitobezarius (DECT: 7248) | cannot remember | 01:45:12 |