From 79bd4ad5794163b8a65acc86809a6603ee7c7ce7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Thu, 9 May 2019 08:42:07 +0200
Subject: [PATCH 1/3] stdenv, cacert: consider $NIX_SSL_CERT_FILE in hooks
Some SSL libs don't react to $SSL_CERT_FILE. That actually makes sense to me, as we add this behavior as nixpkgs-specific, so it seems "safer" to use $NIX_*.
---
 pkgs/data/misc/cacert/setup-hook.sh | 2 ++
 pkgs/development/interpreters/gauche/default.nix | 2 +-
 pkgs/stdenv/generic/setup.sh | 7 +++++--
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/pkgs/data/misc/cacert/setup-hook.sh b/pkgs/data/misc/cacert/setup-hook.sh
index b704a6a919e0..e969596752f3 100644
--- a/pkgs/data/misc/cacert/setup-hook.sh
+++ b/pkgs/data/misc/cacert/setup-hook.sh
@@ -1,4 +1,6 @@
 cacertHook() {
+ export NIX_SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt
+ # left for compatibility
 export SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt
 }
diff --git a/pkgs/development/interpreters/gauche/default.nix b/pkgs/development/interpreters/gauche/default.nix
index 5481c4e7d05a..bb3294e2097b 100644
--- a/pkgs/development/interpreters/gauche/default.nix
+++ b/pkgs/development/interpreters/gauche/default.nix
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
 "--with-iconv=${libiconv}"
 "--with-dbm=gdbm"
 "--with-zlib=${zlib}"
- "--with-ca-bundle=$SSL_CERT_FILE"
+ "--with-ca-bundle=$NIX_SSL_CERT_FILE"
 # TODO: Enable slib
 # Current slib in nixpkgs is specialized to Guile
 # "--with-slib=${slibGuile}/lib/slib"
diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
index 6f1a654a38ac..9cc5cd89f3b7 100644
--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
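Review bot: The `# left for compatibility` comment on the new line does not say what it is compatible with, so the next reader cannot tell whether the `SSL_CERT_FILE` export below it can be dropped; `SSL_CERT_FILE` is the variable OpenSSL itself reads, while `NIX_SSL_CERT_FILE` is a nixpkgs-specific name, so both exports are needed. I would replace the comment with `# SSL_CERT_FILE is the variable OpenSSL itself reads; NIX_SSL_CERT_FILE is the nixpkgs-specific name. Keep both.` Note also that the hook overwrites any `NIX_SSL_CERT_FILE` already in the environment unconditionally, which is what replaces the `/no-cert-file.crt` sentinel the stdenv hunk in this series installs, so the "unless set explicitly" wording there does not hold for builds that include cacert; if that is intended, a sentence saying so here would help.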
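Review bot: `$NIX_SSL_CERT_FILE` in the `--with-ca-bundle` flag is expanded by the build shell at configure time, so the bundle path compiled into Gauche is whatever the variable holds then; with the stdenv change in this series that is `/no-cert-file.crt` unless cacert's setup hook has run in this build. The hunk does not show the derivation's inputs, so I cannot tell whether cacert is among them; if it is not, Gauche would ship pointing at a non-existent bundle and certificate verification would fail for every TLS connection at runtime. A comment on this line naming the dependency, e.g. `# expanded at build time; needs cacert in buildInputs so its hook sets NIX_SSL_CERT_FILE`, would make the coupling visible.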
@@ -646,9 +646,12 @@ fi
 export NIX_BUILD_CORES
-# Prevent OpenSSL-based applications from using certificates in
-# /etc/ssl.
+# Prevent SSL libraries from using certificates in /etc/ssl, unless set explicitly.
 # Leave it in shells for convenience.
+if [ -z "${NIX_SSL_CERT_FILE:-}" ] && [ -z "${IN_NIX_SHELL:-}" ]; then
+ export NIX_SSL_CERT_FILE=/no-cert-file.crt
+fi
+# Another variant left for compatibility.
 if [ -z "${SSL_CERT_FILE:-}" ] && [ -z "${IN_NIX_SHELL:-}" ]; then
 export SSL_CERT_FILE=/no-cert-file.crt
 fi
From b27cc3767115bb8d93cc30b41be04621e4efb85f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Thu, 9 May 2019 09:49:42 +0200
Subject: [PATCH 2/3] stdenv: also override cert files in pure nix-shell
That's very much consistent with the spirit of nix-shell --pure BTW, nix 1.x shells will be always treated as pure; in that version detection isn't possible. https://github.com/NixOS/nix/commit/1bffd83e1a9c
---
 pkgs/stdenv/generic/setup.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
index 9cc5cd89f3b7..dcccdaa50ae5 100644
--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
@@ -647,12 +647,12 @@ export NIX_BUILD_CORES
 # Prevent SSL libraries from using certificates in /etc/ssl, unless set explicitly.
-# Leave it in shells for convenience.
-if [ -z "${NIX_SSL_CERT_FILE:-}" ] && [ -z "${IN_NIX_SHELL:-}" ]; then
+# Leave it in impure shells for convenience.
+if [ -z "${NIX_SSL_CERT_FILE:-}" ] && [ "${IN_NIX_SHELL:-}" != "impure" ]; then
 export NIX_SSL_CERT_FILE=/no-cert-file.crt
 fi
 # Another variant left for compatibility.
-if [ -z "${SSL_CERT_FILE:-}" ] && [ -z "${IN_NIX_SHELL:-}" ]; then
+if [ -z "${SSL_CERT_FILE:-}" ] && [ "${IN_NIX_SHELL:-}" != "impure" ]; then
 export SSL_CERT_FILE=/no-cert-file.crt
 fi
From 99760ed95bc2e31cadeda9d0911a8d38d6077df8 Mon Sep 17 00:00:00 2001
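Review bot: The two `if` blocks are independent, so a user who sets `NIX_SSL_CERT_FILE` explicitly but leaves `SSL_CERT_FILE` unset still gets `SSL_CERT_FILE=/no-cert-file.crt`; OpenSSL-based tools, which read `SSL_CERT_FILE`, then see no CA bundle while libraries honouring `NIX_SSL_CERT_FILE` see the user's, and the "unless set explicitly" promise in the new comment holds for only one of the two names. Because the first block guarantees `NIX_SSL_CERT_FILE` is non-empty whenever the second block's guard is true, the compatibility block could default to it instead of the sentinel: `export SSL_CERT_FILE="$NIX_SSL_CERT_FILE"`. The same asymmetry remains in the second patch of this series, which only changes the `IN_NIX_SHELL` test. Whether stdenv should propagate the explicit value this way is a policy call, so please confirm rather than take it as a defect.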
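Review bot: The `!= "impure"` comparison treats every value other than the literal `impure` as pure, including the `1` that older nix exports (the third patch in this series still compares against `"1"`) and an unset variable; the commit message explains this, but the code comment does not, so a reader of setup.sh alone sees `# Leave it in impure shells` and cannot tell that older nix-shells deliberately receive the sentinel. I would extend the comment to `# Leave it in impure shells for convenience. nix >= 2.0 sets IN_NIX_SHELL to "pure"/"impure"; nix 1.x sets "1", which is treated as pure here.` The same comment applies to the second block's guard, which repeats the test.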
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Thu, 9 May 2019 09:58:35 +0200
Subject: [PATCH 3/3] pypi2nix: fix $IN_NIX_SHELL test
In nix 2.0 this changed: https://github.com/NixOS/nix/commit/1bffd83 I only kept the original intention and did no kind of verification.
---
 pkgs/development/tools/pypi2nix/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/development/tools/pypi2nix/default.nix b/pkgs/development/tools/pypi2nix/default.nix
index 70c292365abc..e3d458fc6483 100644
--- a/pkgs/development/tools/pypi2nix/default.nix
+++ b/pkgs/development/tools/pypi2nix/default.nix
@@ -43,7 +43,7 @@ in stdenv.mkDerivation rec {
 mv click-*/click $out/pkgs/click
 mv requests-*/requests $out/pkgs/
- if [ "$IN_NIX_SHELL" != "1" ]; then
+ if [ -z "$IN_NIX_SHELL" ]; then
 if [ -e git-export ]; then
 mv git-export/src/pypi2nix $out/pkgs/pypi2nix
 else
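Review bot: `[ -z "$IN_NIX_SHELL" ]` reads the variable without a default, whereas the stdenv hunks in this same series consistently write `${IN_NIX_SHELL:-}`, which suggests the build shell runs with nounset; if it does, this line aborts the phase with an unbound-variable error in a plain nix-build instead of taking the intended branch (the removed line had the same exposure, so this is not a regression, but the commit message says no verification was done). The test should match the stdenv form; inside a Nix indented string the braces must be escaped, i.e. `if [ -z "''${IN_NIX_SHELL:-}" ]; then`. The enclosing phase starts and ends outside the hunk.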