nix-shell should preserve SSL_CERT_FILE

[cstrahan]

It appears that the stdenv in Nixpkgs has changed such that $SSL_CERT_FILE is set to /no-cert-file.crt. nix-shell ought to preserve the environment variable so that programs that need SSL (e.g. git) don't break. If the environment variable didn't exist prior to invoking nix-shell, the environment variable should be unset before executing the given command.

[fkz]

see also NixOS/nixpkgs#13744

[peti]

Is that not accomplished by NixOS/nixpkgs@39609a0?

[vcunat]

It doesn't preserve it being unset :-) But anyway, that's not a problem in nix-shell itself (i.e. its repo). We could modify the stdenv instead to e.g. be responsive to $IN_NIX_SHELL...

[cstrahan]

@peti I'm on NixOS/nixpkgs@0bf8a1a (which includes that commit), and it still happens:

$ echo $SSL_CERT_FILE


$ nix-shell -p stdenv --run 'bash -c "echo $SSL_CERT_FILE"'
/no-cert-file.crt

_Edit:_ oh, of course - I didn't see the -z in that condition. I don't set $SSL_CERT_FILE, so I see this behavior. For the time being, I might just set $SSL_CERT_FILE in my configuration.nix (right now I've just unset $SSL_CERT_FILE in each shell.nix.

[fkz]

@cstrahan Yes, this is known. This is a duplicate of NixOS/nixpkgs#13744, see the discussion there

[peti]

OK, I think this bug report is valid and that it should be fixed. IMHO, NixOS/nixpkgs#13744 is the right place to pursue this issue, though, since the behavior in question is caused by the stdenv generic builder and not by Nix itself.

[cstrahan]

IMHO, NixOS/nixpkgs#13744 is the right place to pursue this issue, though, since the behavior in question is caused by the stdenv generic builder and not by Nix itself.

That sounds fair. I thought we might need to just filter out a set of bad environment variables within nix-shell, but it does seem that the right thing to do is tweak the stdenv to behave correctly under nix-shell.