[Backport staging-next-25.11] cacert 3.117 -> 3.121 #493496

Merged
mdaniels5757 merged 3 commits into NixOS:staging-next-25.11 from mweinelt:backport-492429-to-staging-25.11
Feb 24, 2026

Conversation

@mweinelt mweinelt (Member) commented Feb 24, 2026

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

r-ryantm and others added 3 commits February 24, 2026 01:09
(cherry picked from commit 30ddbca)
Switch to fetching only certdata.txt directly from the upstream
repository (and a mirror), because:

- While it's possible to deduct that github/nss-dev is an NSS-project-owned
  mirror repository, it's not trivial:
  - Go to the homepage: https://firefox-source-docs.mozilla.org/security/nss/index.html
  - Navigate to the source, e.g.
    https://phabricator.services.mozilla.com/source/nss/
  - Check the readme.md, which mentions github.com/nss-dev/nss
- GitHub is a mirror of the Mercurial repository, and while I was able
  to confirm that the latest version does match, it leaves more room for
  a malicious actor:
  - It's unknown who owns the nss-dev GitHub organisation; there are no
    public members and no contact information
  - The mirroring automation from Mercurial to GitHub is not documented
  - Git hashes by necessity don't match Mercurial hashes, so it's not
    easy to verify that they match
- Previously the build and update script were more complicated and slow
  by depending on the entire source, when we really only need a single file.

Furthermore, update the meta.homepage to point to the actual page that
mentions the root certificates, because the old one pointed to a curl
page which we don't even use anymore (if we ever even did, Git history
is inconclusive).

The cacert build was verified to be unchanged.

(cherry picked from commit 0e7826f)
@nixpkgs-ci nixpkgs-ci bot added the 2.status: merge-bot eligible This PR can be merged by commenting "@NixOS/nixpkgs-merge-bot merge". label Feb 24, 2026
@nixpkgs-ci nixpkgs-ci bot requested review from ajs124, fpletz and lukegb February 24, 2026 00:49
@nixpkgs-ci nixpkgs-ci bot added 8.has: package (update) This PR updates a package to a newer version 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 4.workflow: backport This targets a stable branch labels Feb 24, 2026
@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 1 This PR was reviewed and approved by one person. 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in any of the changed packages. labels Feb 24, 2026
@mweinelt mweinelt changed the base branch from staging-25.11 to staging-next-25.11 February 24, 2026 12:30
@nixpkgs-ci nixpkgs-ci bot closed this Feb 24, 2026
@nixpkgs-ci nixpkgs-ci bot reopened this Feb 24, 2026
@mweinelt mweinelt added this pull request to the merge queue Feb 24, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 24, 2026
@mdaniels5757 mdaniels5757 changed the title [Backport staging-25.11] cacert 3.117 -> 3.121 [Backport staging-next-25.11] cacert 3.117 -> 3.121 Feb 24, 2026
@mdaniels5757 mdaniels5757 added this pull request to the merge queue Feb 24, 2026
Merged via the queue into NixOS:staging-next-25.11 with commit ec01da1 Feb 24, 2026
63 of 67 checks passed