
curl-impersonate-ff: drop #457684

Merged: mdaniels5757 merged 1 commit into NixOS:master from samestep:curl-impersonate-ff-drop on Dec 28, 2025


samestep (Contributor) commented Nov 2, 2025

Closes #450649. See #455108 (comment).

cc @deliciouslytyped

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.


samestep force-pushed the curl-impersonate-ff-drop branch from 114950e to 800aa1d on November 2, 2025 01:38
nixpkgs-ci bot added the labels 10.rebuild-linux: 1-10, 10.rebuild-darwin: 1-10, 10.rebuild-darwin: 1, 10.rebuild-linux: 1 on Nov 2, 2025
nix-owners bot requested a review from GGG-KILLER on November 2, 2025 01:44
emilazy requested a review from pyrox0 on November 2, 2025 04:14

pyrox0 (Member) commented Nov 2, 2025

Agreeing with the comments emily made, though also since this is a breaking change it needs to wait until after 25.11 branch-off. Changes LGTM once suggestions are implemented though.

pyrox0 added the 2.status: wait for branch‐off label on Nov 2, 2025

emilazy (Member) commented Nov 2, 2025

I think that since curl-impersonate-ff suffers from many serious vulnerabilities, has been unmaintained upstream for years, and our packaged curl-impersonate can replace its functionality, we should be fine to get a freeze exemption for this. curl-impersonate-ff is a leaf package so the potential blast radius is very low. cc @leona-ya @jopejoe1

emilazy (Member) commented Nov 2, 2025

Also given that the build has been broken since CMake 4 anyway there is really no point carrying it into 25.11.

leona-ya (Member) left a comment

Could you add a throw alias for this package? Otherwise (and also as discussed in NixOS Security on Matrix) I'm happy to drop this package for 25.11.

leona-ya added the 1.severity: security label and removed the 2.status: wait for branch‐off label on Nov 2, 2025
samestep force-pushed the curl-impersonate-ff-drop branch 2 times, most recently from a05c30e to 03535a0, on November 2, 2025 23:27

samestep (Contributor, Author) commented Nov 2, 2025

> Could you add a throw alias for this package? Otherwise (and also as discussed in NixOS Security on Matrix) I'm happy to drop this package for 25.11.

@leona-ya done!

GGG-KILLER (Contributor) commented

It seems pkgs/development/python-modules/curl-cffi/default.nix needs to be updated as it points to curl-impersonate-chrome.

samestep force-pushed the curl-impersonate-ff-drop branch from 03535a0 to 27f6954 on November 3, 2025 00:38

samestep (Contributor, Author) commented Nov 3, 2025

@GGG-KILLER done, thanks! Apologies for the oversight.

nix-owners bot requested a review from chuangzhu on November 3, 2025 00:43
nixpkgs-ci bot added the labels 10.rebuild-linux: 101-500, 10.rebuild-darwin: 101-500 and removed the labels 10.rebuild-linux: 1-10, 10.rebuild-darwin: 1-10, 10.rebuild-darwin: 1, 10.rebuild-linux: 1 on Nov 3, 2025
nixpkgs-ci bot added the 6.topic: python label on Nov 3, 2025

MultisampledNight (Contributor) left a comment

Thank you! ^^

GGG-KILLER (Contributor) commented Nov 3, 2025

Currently running nixosTests.curl-impersonate to ensure nothing broke (it shouldn't have, but just for my paranoia's sake), I'd appreciate if merging waited for it

GGG-KILLER (Contributor) commented

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 457684 --package nixosTests.curl-impersonate
Commit: 27f6954f514f6de4127943e7ae84355b89b5b91a


x86_64-linux

❌ 1 package failed to build:
  • nixosTests.curl-impersonate

Error logs: `x86_64-linux`
nixosTests.curl-impersonate
curl # + cd tests
curl # + pytest . --install-dir ../usr --capture-interface eth1 --exitfirst -k 'not test_http2_headers'
curl # Traceback (most recent call last):
curl #   File "/nix/store/mkwsb9vjm5h3r1i51y81yq28acrd5gvx-python3.13-pytest-8.4.2/bin/pytest", line 5, in <module>
curl #     from pytest import console_main
curl # ModuleNotFoundError: No module named 'pytest'
curl: output: 
!!! Test "Run curl-impersonate tests" failed with error: "command `/nix/store/lbnnmbqapi9rlxanmq1ib9gzm9lnzpfr-curl-impersonate-test` failed (exit code 1)"
!!! Traceback (most recent call last):
!!!   File "<string>", line 14, in <module>
!!!     curl.succeed("/nix/store/lbnnmbqapi9rlxanmq1ib9gzm9lnzpfr-curl-impersonate-test")
!!! 
!!! RequestedAssertionFailed: command `/nix/store/lbnnmbqapi9rlxanmq1ib9gzm9lnzpfr-curl-impersonate-test` failed (exit code 1)
cleanup
kill machine (pid 9)
qemu-system-x86_64: terminating on signal 15 from pid 6 (/nix/store/cfapjd2rvqrpry4grb0kljnp8bvnvfxz-python3-3.13.8/bin/python3.13)
kill machine (pid 32)
qemu-system-x86_64: terminating on signal 15 from pid 6 (/nix/store/cfapjd2rvqrpry4grb0kljnp8bvnvfxz-python3-3.13.8/bin/python3.13)
kill vlan (pid 7)
(finished: cleanup, in 0.01 seconds)

nixpkgs-ci bot added the 12.approvals: 1 label on Nov 3, 2025

GGG-KILLER (Contributor) left a comment

Figured out what broke nixosTests.curl-impersonate, seems simple to fix at least 😅

Comment on lines 171 to 191
passthru = {
curl-impersonate-ff = callPackage ./firefox { };
curl-impersonate-chrome = callPackage ./chrome { };
deps = callPackage ./deps.nix { };

updateScript = ./update.sh;

inherit (passthru.curl-impersonate-chrome) src;
# Find the correct boringssl source file
boringssl-source = builtins.head (
lib.attrValues (lib.filterAttrs (name: _: lib.strings.hasPrefix "boringssl-" name) passthru.deps)
);
boringssl-go-modules =
(buildGoModule {
inherit (passthru.boringssl-source) name;

src = passthru.boringssl-source;
vendorHash = "sha256-HepiJhj7OsV7iQHlM2yi5BITyAM04QqWRX28Rj7sRKk=";

nativeBuildInputs = [ unzip ];

proxyVendor = true;
}).goModules;
};

Contributor

A few passthrus here are missing from the original package, more specifically src and tests, which breaks nixosTests.curl-impersonate

Contributor Author

Hmm... @GGG-KILLER I added those just now but it doesn't seem to have fixed it; this still fails for me:

nix-build -A nixosTests.curl-impersonate

Contributor

Weird, let me check what's wrong with it now

Contributor

Okay, I figured it out; it is an error with the test itself now, all good!

samestep force-pushed the curl-impersonate-ff-drop branch from 27f6954 to 3abbc92 on November 3, 2025 13:57
iedame mentioned this pull request on Nov 7, 2025 (3 tasks)
nixpkgs-ci bot added the labels 12.approvals: 2, 12.approved-by: package-maintainer, 2.status: merge conflict and removed the label 12.approvals: 1 on Nov 7, 2025
nixpkgs-ci bot requested review from GGG-KILLER and sarahec on November 14, 2025 08:58
nixpkgs-ci bot removed the 2.status: merge conflict label on Nov 14, 2025

GGG-KILLER (Contributor) commented

Considering this is a security matter, and the aliases have been added (as @leona-ya has pointed out), is there anything else we're waiting on to merge this?

dotlambda (Member) commented

Please rebase to get rid of the merge commit. Should we mark the package as insecure on 25.05 and 25.11?

nixpkgs-ci bot added the 2.status: merge conflict label on Dec 11, 2025

develop7 commented

@GGG-KILLER please rebase

mdaniels5757 force-pushed the curl-impersonate-ff-drop branch from d0abcc7 to b6004c3 on December 28, 2025 02:09
nixpkgs-ci bot removed the 2.status: merge conflict label on Dec 28, 2025
mdaniels5757 added this pull request to the merge queue on Dec 28, 2025
Merged via the queue into NixOS:master with commit ee04d5a on Dec 28, 2025
26 of 30 checks passed
samestep deleted the curl-impersonate-ff-drop branch on December 28, 2025 02:23

Labels: 1.severity: security, 6.topic: python, 10.rebuild-darwin: 101-500, 10.rebuild-linux: 101-500, 12.approvals: 2, 12.approved-by: package-maintainer

Linked issue: Build failure: curl-impersonate-ff

9 participants