From c1631b0a39d34267345b41214f1f5e8a77d98cd2 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Mon, 23 Sep 2024 15:09:44 +0200
Subject: [security] builtin:fetchurl: Enable TLS verification

This is better for privacy and to avoid leaking netrc credentials in a
MITM attack, but also the assumption that we check the hash no longer
holds in some cases (in particular for impure derivations).

Partially reverts https://github.com/NixOS/nix/commit/5db358d4d78aea7204a8f22c5bf2a309267ee038.

(cherry picked from commit c04bc17a5a0fdcb725a11ef6541f94730112e7b6)
(cherry picked from commit f2f47fa725fc87bfb536de171a2ea81f2789c9fb)
(cherry picked from commit 7b39cd631e0d3c3d238015c6f450c59bbc9cbc5b)

Upstream-PR: https://github.com/NixOS/nix/pull/11585

Change-Id: Ia973420f6098113da05a594d48394ce1fe41fbb9
---
 src/libstore/builtins/fetchurl.cc | 3 ---
 1 file changed, 3 deletions(-)

(limited to 'src/libstore/builtins/fetchurl.cc')

diff --git a/src/libstore/builtins/fetchurl.cc b/src/libstore/builtins/fetchurl.cc
index 062ecdc14..3fb769fe6 100644
--- a/src/libstore/builtins/fetchurl.cc
+++ b/src/libstore/builtins/fetchurl.cc
@@ -33,10 +33,7 @@ void builtinFetchurl(const BasicDerivation & drv, const std::string & netrcData)
 
     auto fetch = [&](const std::string & url) {
 
-        /* No need to do TLS verification, because we check the hash of
-           the result anyway. */
         FileTransferRequest request(url);
-        request.verifyTLS = false;
 
         auto raw = fileTransfer->download(std::move(request));
         auto decompressor = makeDecompressionSource(
-- 
cgit v1.2.3