builtin:fetchurl: Enable TLS verification

This is better for privacy and to avoid leaking netrc credentials in a
MITM attack, but also the assumption that we check the hash no longer
holds in some cases (in particular for impure derivations).

Partially reverts 5db358d4d7.
This commit is contained in:
Eelco Dolstra 2024-09-23 15:09:44 +02:00
parent 68ba6ff470
commit c04bc17a5a

View file

@ -38,10 +38,7 @@ void builtinFetchurl(
auto source = sinkToSource([&](Sink & sink) {
/* No need to do TLS verification, because we check the hash of
the result anyway. */
FileTransferRequest request(url);
request.verifyTLS = false;
request.decompress = false;
auto decompressor = makeDecompressionSink(