Guillaume Maudoux
This has suddenly become very relevant to us, as the company policy introduces deep packet inspection based on man-in-the-middle interception of ssl packets. Without trusting the company certificate, nix cannot...
The straightforward solution is to provide (a copy) of system certificates in fixed-output derivation sandboxes and set NIX_SSL_CERT_PATH accordingly. WDYT? We already do it for network proxies anyway.
@zoranbosnjak It depends on the kind of fetcher you are using, and the way you are using them. * fetchurl with a fixed hash will not check ssl certs *...
Started a fix in https://github.com/NixOS/nix/pull/7312. It will require the fixed-output builders to adapt, as they apparently force the certificates to the vanilla ones in ${cacert}. (See fetchgit for example)
I would love feedback on this one. And maybe a test that uses nixbuild.net to ensure that it is at least usable. As for the things that do not work,...
@AleksanderGondek What about a configurable nix toolchain? Or something similar adapted to external repositories? Ultimately this nix build sequence of actions should move to a proper wrapper script...
But we cannot use toolchains in repository_rules, right? Oh dear, mind is stuck on Friday.
Well, the three inner frames were shown, then someone reversed the order of the frames without changing the logic around selecting the first three, thus displaying the outermost. I...
See more context about order reversal in https://github.com/NixOS/nix/pull/7334. Also, some people seem to think that the outermost frames are more interesting. But I am not sure we are speaking about...
@edolstra Yes, that is right indeed. While WAL does help a lot, transactions do appear to have some overhead: ``` Benchmark 1: ./baseline/bin/nix --extra-experimental-features 'nix-command flakes' search nixpkgs hello Time...