You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The reason will be displayed to describe this comment to others. Learn more.
I'd be wary of adding frameworks to core packages until we implement #24693. I think this will probably make gnutls crash, but I haven't tested it yet.
The reason will be displayed to describe this comment to others. Learn more.
No, I wouldn't want to separate the version, but there might be a flag to turn off the Security.framework requirement (for now at least). I'll try to take a look later. And yeah, this does add a segfault. I guess we could also fix the segfault 😄
The reason will be displayed to describe this comment to others. Learn more.
I see no option for this and the CF includes are only guarded by #ifdef __APPLE__ (similarly LDFLAGS), so we would have to touch the code a bit. The motivation:
libgnutls: Added support for MacOSX key chain for obtaining trust store's root CA certificates.
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I suppose we should just make it work properly. I'm just afraid of a
package like gnutls somehow making its way into the stdenv bootstrap at
some point, which I'd like to keep framework-free as much as possible
On Tue, Apr 11, 2017 at 1:46 PM, Vladimír Čunát ***@***.***> wrote:
I see no option for this and the CF includes are only guarded by #ifdef
__APPLE__ (similarly LDFLAGS), so we would have to touch the code a bit.
The motivation:
libgnutls: Added support for MacOSX key chain for obtaining trust store's
root CA certificates.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<d6454e6#commitcomment-21720736>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAAKP5wCi2dBTV0PZOqdWXeOV5677ntQks5ru7yQgaJpZM4M5lGJ>
.
The reason will be displayed to describe this comment to others. Learn more.
Well, curl/fetchurl can optionally depend on it, instead of our default openssl. Still, I think bootstrapping should always be able to avoid gnutls – even if it meant using lighter than default configurations for the bootstrap-intermediate packages.
d6454e6There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd be wary of adding frameworks to core packages until we implement #24693. I think this will probably make
gnutlscrash, but I haven't tested it yet.d6454e6There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh. It seemed required to fix the build. For now we could leave darwin on 3.5.10, but that version will probably become vulnerable at some point...
d6454e6There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, I wouldn't want to separate the version, but there might be a flag to turn off the Security.framework requirement (for now at least). I'll try to take a look later. And yeah, this does add a segfault. I guess we could also fix the segfault 😄
d6454e6There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see no option for this and the CF includes are only guarded by
#ifdef __APPLE__(similarlyLDFLAGS), so we would have to touch the code a bit. The motivation:d6454e6There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
d6454e6There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well,
curl/fetchurlcan optionally depend on it, instead of our defaultopenssl. Still, I think bootstrapping should always be able to avoidgnutls– even if it meant using lighter than default configurations for the bootstrap-intermediate packages.d6454e6There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@copumpkin: what (temporary) approach do you suggest now on staging so we don't block it?
d6454e6There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I reverted Darwin to gnutls-3.5.10 so that Hydra can keep working 42fd720, but we can easily choose another solution anytime...
d6454e6There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
d6454e6There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
gnutls now has a security update, but it's only DOS in server code (null pointer dereference), so I guess Darwin can still go without updating it.
d6454e6There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me open a tagged issue, at least: #58481 (I'm not motivated to work on a solution.)