nixpkgs mirror (for testing) github.com/NixOS/nixpkgs
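#!/usr/bin/env nix-shell
#!nix-shell -i bash -p nix common-updater-scripts jq

# Build both the cacert package and an overridden version where we use the
# source attribute of NSS.
# Cacert and NSS are both from the same upstream sources. They are decoupled as
# the cacert output only cares about a few infrequently changing files in the
# sources while the NSS source code changes frequently.
#
# By having cacert on an older source revision that produces the same
# certificate output as a newer version we can avoid large amounts of
# unnecessary rebuilds.
#
# As of this writing there are a few orders of magnitude more packages
# depending on cacert than on nss.
#
# If the current nixpkgs revision contains the attribute `nss_latest` that will
# be used instead of `nss`. This is done to help the stable branch maintenance
# where (usually) after branch-off during the first Firefox upgrade that
# requires a new NSS version that attribute is introduced.
# By having this change in the unstable branch we can safely carry it from
# release to release without requiring more backport churn on those doing the
# stable maintenance.

# -u and pipefail added: without pipefail a failing nix-instantiate is hidden
# behind jq's exit status and an empty version would be written to cacert.src.
set -euxo pipefail

# Root of the nixpkgs checkout, relative to this script. The value is spliced
# textually into Nix expressions below, so it has to be a valid Nix path
# literal (no whitespace).
BASEDIR="$(dirname "$0")/../../../.."

# Single definition of "the NSS package we compare against", shared by the
# build and the version lookup so the two cannot drift apart.
NSS_EXPR="with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in"

CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
PATCHED_PATH=$(nix-build --no-out-link -E "$NSS_EXPR (cacert.override { nssOverride = nss_pkg; }).out")

# Check the hash of the etc subfolder
# We can't check the entire output as that contains the nix-support folder
# which contains the output path itself.
CURRENT_HASH=$(nix-hash "$CURRENT_PATH/etc")
PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")

if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then
  # Record the version of the package that was actually built and hashed
  # above. Reading plain `nss.version` here would pin srcVersion to a release
  # whose certificate output was never compared whenever `nss_latest` exists.
  NSS_VERSION=$(nix-instantiate --json --eval -E "$NSS_EXPR nss_pkg.version" | jq -r .)

  # Refuse to rewrite the source pin with an unusable value.
  if [[ -z "$NSS_VERSION" || "$NSS_VERSION" == "null" ]]; then
    echo "could not determine the NSS version, not updating cacert.src" >&2
    exit 1
  fi

  update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
fi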