nixos default channel: use http instead of https #2688

Closed
wants to merge 1 commit into from

Conversation

@vcunat (Member) commented May 18, 2014

AFAIK https doesn't work in nixos-rebuild --upgrade. I just stumbled into it on a clean install, and I think that I heard before users complaining about errors like this.

Any comments?

AFAIK https doesn't work in nixos-rebuild --upgrade.
I just stumbled into it on a clean install, and I think that
I heard before users complaining about errors like this.
@lucabrunox (Contributor)

Never had a problem installing nixos with https cache as default cache.


@vcunat (Member, Author) commented May 18, 2014

Today I was installing on a clean HW:

$ sudo nixos-rebuild build --upgrade
/run/current-system/sw/bin/nix-channel: unable to check `https://nixos.org/channels/nixos-14.04'

After changing https to http it worked without a problem.

@shlevy (Member) commented May 18, 2014

Yeah, I have to use sudo -i. Never realized it was an https issue

@vcunat (Member, Author) commented May 18, 2014

:-D

@kirelagin (Member)

Wouldn't it be way better to fix the real issue?

@vcunat (Member, Author) commented May 19, 2014

I'm not sure what the issue is, but the https URIs in there are just 302 redirects to http URIs (of a particular channel version). Consequently, it IMO provides practically no security.

@kirelagin (Member)

The issue is that curl needs a CA bundle to verify the server certificate and it takes it from env CURL_CA_BUNDLE which is unset when doing sudo. Running curl without --silent (as nix-channel does) is enough to see the error ;).

@kirelagin (Member)

Adding

Defaults:root,%wheel env_keep+=CURL_CA_BUNDLE

to sudoers might suffice as a temporary solution, although its security is very questionable.
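As an added example (not code from this PR, from NixOS, or from any of the commenters), here is a small POSIX shell diagnostic for the failure mode kirelagin describes above: `dropped_vars` lists which variable names one `env` dump loses relative to another, and `ca_bundle_status` classifies the CURL_CA_BUNDLE value curl will actually see. The function names are mine, the two environment dumps at the bottom are constructed sample data standing in for `env` and `sudo env`, and the live comparison (which needs sudo) is provided as the uninvoked `live_dropped_vars`.

```shell
#!/bin/sh
# Added example, not part of the PR: diagnose the "unable to check
# `https://...'" symptom from nix-channel. nix-channel runs curl with
# --silent, so the underlying verification error is hidden; the cause
# named in the thread is that sudo resets the environment and
# CURL_CA_BUNDLE (curl's pointer to the CA bundle) does not survive.

# Print the variable names present in the first `env` dump but missing
# from the second. Both arguments are the text of an `env` output
# (NAME=value per line).
dropped_vars() {
    before_names=$(printf '%s\n' "$1" | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | sort -u)
    after_names=$(printf '%s\n' "$2" | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | sort -u)
    for name in $before_names; do
        if ! printf '%s\n' "$after_names" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# Classify the value curl will find in CURL_CA_BUNDLE: "unset" (the sudo
# case in this thread), "unreadable" (set, but the file is not there, e.g.
# a path into another user's profile), or "ok".
ca_bundle_status() {
    if [ -z "$1" ]; then
        echo unset
    elif [ -r "$1" ]; then
        echo ok
    else
        echo unreadable
    fi
}

# Live version (needs sudo; deliberately not invoked here): compare your
# shell's environment with the one sudo hands to nix-channel.
live_dropped_vars() {
    dropped_vars "$(env)" "$(sudo env)"
}

# Constructed sample dumps standing in for `env` and `sudo env`; the
# values are illustrative, not captured from a real system.
USER_ENV='HOME=/home/alice
PATH=/run/current-system/sw/bin:/usr/bin
CURL_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs'
SUDO_ENV='HOME=/root
PATH=/run/current-system/sw/bin:/usr/bin
NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs'

echo "variables lost across sudo:"
dropped_vars "$USER_ENV" "$SUDO_ENV"
echo "CURL_CA_BUNDLE under sudo: $(ca_bundle_status "")"
```

On a real machine, `live_dropped_vars` followed by `curl -v https://nixos.org/channels/nixos-14.04` (without `--silent`, as kirelagin notes) shows both halves of the story: the variable disappears under sudo, and curl then reports that it cannot verify the server certificate.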

@cstrahan (Contributor) commented Jun 2, 2014

@kirelagin

Would using environment.systemVariables from your #2692 be a valid solution?

@kirelagin (Member)

@cstrahan Given that #2692 was made specifically to fix this issue, the answer is yes =).

@cstrahan (Contributor) commented Jun 2, 2014

@kirelagin Ha! Late night hacking - totally missed the fact that you referenced this PR. Cool. 😊

@vcunat (Member, Author) commented Jun 10, 2014

Using https is IMO still pointless (as it's just a redirect to http path), but at least it shouldn't cause problems after #2692.

@vcunat vcunat closed this Jun 10, 2014
@vcunat vcunat deleted the p/channel branch June 15, 2014 17:11
@CMCDragonkai (Member)

Why is the HTTPS URL redirecting to an HTTP url? If there's a proper cert for HTTPS, why not keep all the downloads available over HTTPS? Also shouldn't all downloads be over HTTPS anyway?

@vcunat (Member, Author) commented Jul 21, 2014

IIRC, it was claimed that https isn't possible on the Amazon cloud hosting (at least not with our certificates). I don't have a clue what the consensus is about these things, considering reactions to this issue and contents of the manual.

Manual suggests using http, then shows an example with https, and system.defaultChannel has https default... CC @edolstra

@kirelagin (Member)

I think the consensus is that all the data is signed anyway, so https doesn't add anything in terms of security. But the https url is recommended just in case something changes in the future.

@vcunat (Member, Author) commented Jul 21, 2014

I don't think we're using the signing yet NixOS/nix#75

@kirelagin (Member)

But all the files are hashed, right? So it's enough to sign manifests. But it seems they are neither signed NixOS/nix#18… =(

@vcunat (Member, Author) commented Jul 21, 2014

Manifests aren't used nowadays, as commented on the issue. IIRC, there is support for signed binary caches, but not used by our Hydra.nixos.org (yet).

@CMCDragonkai (Member)

I think this should be a priority to be fixed. Could result in security issues. Either we use full https, or everything must be signed.

@edolstra (Member)

The redirect to http is kind of an unintended side effect. The reason for the redirect was to serve ISOs via CloudFront. But we don't really need that for the channel nixexprs.tar.bz2. I can probably make the redirect only do the ISOs.

@edolstra (Member) commented Aug 5, 2014

The redirect to http is now gone, so the channel's nixexprs.tar.xz is served over https.
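A check for the downgrade edolstra describes, as an added example rather than anything from the PR or from nixos.org's own configuration: `https_downgrades` reads the headers that `curl -sI -L <url>` prints for every hop of a redirect chain and reports each Location header that sends an https request to plain http. The function name is mine, and the two header blocks are constructed sample data with `example.invalid` as a placeholder host; against the live channel you would feed it `curl -sI -L https://nixos.org/channels/nixos-14.04`.

```shell
#!/bin/sh
# Added example, not part of the PR: detect the redirect downgrade this
# thread is about. Before the fix, the https channel URL answered with a
# 302 to an http URL, so the transport protection of the first hop did
# not extend to the bytes actually downloaded.

# Read the header output of `curl -sI -L <url>` (one response block per
# hop) and print every Location header that moves an https request to
# http. Output is empty when the whole chain stays on https.
https_downgrades() {
    cr=$(printf '\r')
    printf '%s\n' "$1" | {
        scheme=https   # scheme of the request that produced the current response
        while IFS= read -r line; do
            line=${line%"$cr"}   # tolerate CRLF line endings
            case "$line" in
                [Ll]ocation:*)
                    target=${line#*:}
                    target=${target#"${target%%[! ]*}"}   # trim leading spaces
                    case "$target" in
                        http://*)
                            if [ "$scheme" = https ]; then
                                printf 'downgrade: %s\n' "$target"
                            fi
                            scheme=http ;;
                        https://*)
                            scheme=https ;;
                        # a relative Location keeps the current scheme
                    esac ;;
            esac
        done
    }
}

# Constructed sample: the shape of the channel's answer before the fix,
# a 302 to an http URL (placeholder host, not a real capture).
BEFORE_FIX='HTTP/1.1 302 Found
Location: http://example.invalid/channels/nixos-14.04/nixexprs.tar.bz2

HTTP/1.1 200 OK
Content-Type: application/x-bzip2'

# Constructed sample: after the fix, the redirect target stays on https.
AFTER_FIX='HTTP/1.1 302 Found
Location: https://example.invalid/channels/nixos-14.04/nixexprs.tar.xz

HTTP/1.1 200 OK
Content-Type: application/x-xz'

echo "before the fix:"; https_downgrades "$BEFORE_FIX"
echo "after the fix:";  https_downgrades "$AFTER_FIX"
```

The check only inspects the redirect chain; it says nothing about whether the downloaded tarball is signed, which is the separate question raised earlier in the thread.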

@vcunat (Member, Author) commented Aug 8, 2014

So we should unify defaults in source and manual to https, or not?

@vcunat vcunat restored the p/channel branch October 18, 2014 16:54
@ballo commented Nov 12, 2015

I just attempted a fresh install on OS X and got this error. Why is this ticket closed?

@vcunat (Member, Author) commented Nov 12, 2015

  • This PR is against release 14.04 which is long unsupported.
  • You probably need to provide more specific info to get to the root of the issue.

@vcunat vcunat deleted the p/channel branch November 12, 2015 07:16
@ballo commented Nov 12, 2015

OK, specifically I ran (as instructed):

curl https://nixos.org/nix/install | sh

aaaaand, that's it.

@kirelagin (Member)

@ballo OK, given the information you provided, looks like something is not working.

Actually I also got this error when trying to do nix-channel --update last week. I just tried a couple more times and it started to work. I couldn’t figure out what was wrong, but I don’t think this was related to this issue.

@vcunat (Member, Author) commented Nov 12, 2015

I believe the script runs curl -L https://nixos.org/releases/nix/nix-1.10/nix-1.10-x86_64-darwin.tar.bz2 (on darwin), and that works for me ATM (on linux).

@ballo commented Nov 12, 2015

This is Yosemite, BTW

@cstrahan (Contributor)

I just installed Nix on my new Mac and I'm also still getting this. This is on El Capitan.

@ballo commented Nov 15, 2015

Oh good, it isn't just Yosemite. Hopefully this can be fixed for both

@Treeant34

Tried installing Nix twice on OS X 10.10.5 (VMWare Fusion 8 guest) using the shell command (curl https://nixos.org/nix/install | sh) and keep getting the same error (unable to check ‘https://nixos.org/channels/nixpkgs-unstable’).

NixOS/nix#728

I wanted to try this package manager on OS X, as I really see this as the package management model for the future, but I am stumped at the moment (being a Nix Newb). There isn't a pile of info out there for OS X installation regarding Nix. Is it possible to execute multiple commands in terminal to get Nix installed on Yosemite (since the script install doesn't want to work) and if so, what are they?

Help?

Thx

@chrislambda

Same problem here, running OS X Yosemite 10.10.5. I just ran the command:

curl https://nixos.org/nix/install | sh

and got

/nix/store//nix-1.10/bin/nix-channel: unable to check ‘https://nixos.org/channels/nixpkgs-unstable’

@ivan-krukov

Seeing the same issue on a fresh El Capitan installation.
After seeing the error the first time, I have changed the $url on line 30 to http, and the installation completed (apparently) successfully.

curl https://nixos.org/nix/install -O
# rewrite the installer's https URL to http (the workaround described above);
# a bare 's/http/https/g' would turn "https" into "httpss" instead
sed -i '' 's/https:/http:/g' install
sh ./install
