[security] builtin:fetchurl: Enable TLS verification

This is better for privacy and to avoid leaking netrc credentials in a MITM attack, but also the assumption that we check the hash no longer holds in some cases (in particular for impure derivations). Partially reverts https://github.com/NixOS/nix/commit/5db358d4d78aea7204a8f22c5bf2a309267ee038. (cherry picked from commit c04bc17a5a0fdcb725a11ef6541f94730112e7b6) (cherry picked from commit f2f47fa725fc87bfb536de171a2ea81f2789c9fb) (cherry picked from commit 7b39cd631e0d3c3d238015c6f450c59bbc9cbc5b) Upstream-PR: https://github.com/NixOS/nix/pull/11585 Change-Id: Ia973420f6098113da05a594d48394ce1fe41fbb9
author: Eelco Dolstra <edolstra@gmail.com> 2024-09-23 15:09:44 +0200
committer: Jade Lovelace <lix@jade.fyi> 2024-09-25 18:40:58 -0700
commit: c1631b0a39d34267345b41214f1f5e8a77d98cd2 (patch)
tree: 7345d79929d07ceeb56c857f5388a769f0bf228c /src
parent: 8a6b84df147f5f38bae710fac9ec085d9d4e8ded (diff)
1 files changed, 0 insertions, 3 deletions
diff --git a/src/libstore/builtins/fetchurl.cc b/src/libstore/builtins/fetchurl.cc
index 062ecdc14..3fb769fe6 100644
--- a/src/libstore/builtins/fetchurl.cc
+++ b/src/libstore/builtins/fetchurl.cc
@@ -33,10 +33,7 @@ void builtinFetchurl(const BasicDerivation & drv, const std::string & netrcData)
 
     auto fetch = [&](const std::string & url) {
 
-        /* No need to do TLS verification, because we check the hash of
-           the result anyway. */
         FileTransferRequest request(url);
-        request.verifyTLS = false;
 
         auto raw = fileTransfer->download(std::move(request));
         auto decompressor = makeDecompressionSource(
author	Eelco Dolstra <edolstra@gmail.com>	2024-09-23 15:09:44 +0200
committer	Jade Lovelace <lix@jade.fyi>	2024-09-25 18:40:58 -0700
commit	c1631b0a39d34267345b41214f1f5e8a77d98cd2 (patch)
tree	7345d79929d07ceeb56c857f5388a769f0bf228c /src
parent	8a6b84df147f5f38bae710fac9ec085d9d4e8ded (diff)