Skip to content

curl-impersonate-ff: fix build with cmake 4#455108

Closed
samestep wants to merge 1 commit intoNixOS:masterfrom
samestep:curl-impersonate-ff-cmake4
Closed

curl-impersonate-ff: fix build with cmake 4#455108
samestep wants to merge 1 commit intoNixOS:masterfrom
samestep:curl-impersonate-ff-cmake4

Conversation

@samestep
Copy link
Contributor

@samestep samestep commented Oct 24, 2025

Fixes #450649.

cc @deliciouslytyped

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. labels Oct 24, 2025
@nix-owners nix-owners bot requested a review from GGG-KILLER October 24, 2025 02:29
@iedame
Copy link
Contributor

iedame commented Oct 27, 2025

nixpkgs-review result

Generated using nixpkgs-review-gha

Command: nixpkgs-review pr 455108
Commit: 0120f885c207908633343e68c6b20ec15da002d2 (subsequent changes)
Merge: a102e8df6a59c14bf64b3244591dbddb5dfd91bd

Logs: https://github.com/iedame/nixpkgs-review-gha/actions/runs/18825498268


x86_64-linux

✅ 3 packages built:
  • curl-impersonate
  • curl-impersonate-ff
  • curl-impersonate-ff.dev

aarch64-linux

✅ 3 packages built:
  • curl-impersonate
  • curl-impersonate-ff
  • curl-impersonate-ff.dev

x86_64-darwin (sandbox = true)

✅ 3 packages built:
  • curl-impersonate
  • curl-impersonate-ff
  • curl-impersonate-ff.dev

aarch64-darwin (sandbox = true)

✅ 3 packages built:
  • curl-impersonate
  • curl-impersonate-ff
  • curl-impersonate-ff.dev

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Oct 27, 2025
Comment on lines +7 to +9
$(brotli_static_libs): brotli-$(BROTLI_VERSION).tar.gz
tar xf brotli-$(BROTLI_VERSION).tar.gz
+ patch -d brotli-$(BROTLI_VERSION) -p1 < $(BROTLI_CMAKE_PATCH)
Copy link
Contributor

@LordGrimmauld LordGrimmauld Nov 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Uh oh - curl-impersonate-ff uses ancient brotli which is at least vulnerable to CVE-2020-8927.
Considering curl-impersonate is working with internet traffic, this is bad. We should make an attempt to unvendor brotli instead if at all possible.

(github lists a bunch of .NET stuff for that CVE, but https://www.cve.org/CVERecord?id=CVE-2020-8927 says brotli prior to 1.0.8 is affected)

Copy link
Contributor Author

@samestep samestep Nov 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@LordGrimmauld that seems reasonable to me, but it's orthogonal to this PR, right? That was already an issue long before the CMake 4 change.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

well, kind of. Unvendoring brotli and using our nixpkgs brotli would also fix the cmake issues.
And as it stands, no unsuspecting user will currently install curl-impersonate-ff, because it does not build. If we merge the bodge fix here, then we'd be endandering users again.

So yes, technically the cmake fix can happen before the unvendoring, but i am not a super big fan of that approach...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes sense.

I don't have a preference about whether this PR is merged; I don't use this package (just opened this to help out with the CMake migration) and unfortunately I currently have neither the motivation nor the bandwidth to work on the better fix.

Copy link
Contributor

@LordGrimmauld LordGrimmauld Nov 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After bringing this up in the security discussions matrix room, people also noticed curl-impersonate-ff uses old versions of boringssl (not ancient, but old) and does not reliably stay on top of curl updates and more. So yeah, security of this seems like a mess, i won't merge this. I appreciate your attempt at fixing the build, but looking at the security of this, a drop is the more appropriate direction to take this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is fine actually, BROTLI_VERSION is 1.0.9 which is the release that fixed CVE-2020-8927. Not arguing with the broader point of -ff being out of date though.

@samestep samestep mentioned this pull request Nov 2, 2025
13 tasks
@samestep
Copy link
Contributor Author

samestep commented Nov 2, 2025

@LordGrimmauld I've opened #457684 which drops this package instead of patching it.

@samestep samestep closed this Nov 2, 2025
@samestep samestep deleted the curl-impersonate-ff-cmake4 branch November 2, 2025 01:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Build failure: curl-impersonate-ff

5 participants