Instead of requiring the user to bundle the certificate and private
key into a single file, provide separate options for them. This is
more in line with most other modules.
`install` copies the files before setting their mode, so there could
be a brief window where the secrets are readable by other users
without a strict umask.
Feeding `psql` the password on the command line leaks it through the
`psql` process' `/proc/<pid>/cmdline` file. Using `echo` to put the
command in a file and then feeding `psql` the file should work around
this, since `echo` is a bash builtin and thus shouldn't spawn a new
process.
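
Added example, not part of the commits above: a POSIX shell sketch of the two mitigations these messages describe, a strict umask around `install` and writing the SQL to a file with a builtin so the password is never in a process's argv. The helper names (`write_secret_file`, `install_secret`, `file_perms`) and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from any project.

# write_secret_file DEST CONTENT
# Writes CONTENT to DEST so the file is owner-only from the moment it is
# created, and the secret is never passed as an argument to an exec'd process.
write_secret_file() (
    dest=$1
    content=$2
    umask 077   # function body is a subshell: the caller's umask is untouched
    # mktemp creates the file with mode 0600; using DEST's directory keeps
    # the final mv a same-filesystem rename.
    tmp=$(mktemp "$(dirname "$dest")/.secret.XXXXXX") || exit 1
    # printf is a builtin in bash and dash, so CONTENT does not show up in
    # any /proc/<pid>/cmdline. Only paths are handed to external commands.
    printf '%s\n' "$content" > "$tmp" || { rm -f "$tmp"; exit 1; }
    # Rename over DEST: an existing DEST with a wider mode is replaced,
    # not reused with its old permissions.
    mv -f "$tmp" "$dest"
)

# install_secret SRC DEST [MODE]
# Runs install under a strict umask, so DEST is not readable by other users
# at any point before the final mode (default 0600) is applied.
install_secret() (
    umask 077
    install -m "${3:-0600}" "$1" "$2"
)

# file_perms PATH: prints the ls permission string, e.g. -rw-------
file_perms() { ls -ld "$1" | cut -c1-10; }

# Usage (constructed values):
#   write_secret_file /run/app/pw.sql "ALTER USER app PASSWORD '...';"
#   psql -f /run/app/pw.sql
```
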
This includes an overhaul of the install script, using patchelf to set
the interpreter and the libraries. This reflects a lot of what I've
learned about electron + nixos over the last few months.
This change is motivated by the fact that 1Password's version of
electron changed, probably leading to crashes that I've been seeing when
I try to update the Nix derivation to the latest versions.
Co-authored-by: Daniël de Kok <me@github.danieldk.eu>
Remove elements of the PR template that have a low signal/noise ratio,
and add one that I think would have a good signal/noise ratio.
-----
Remove:
Determined the impact on package closure size (by running `nix path-info
-S` before and after)
-----
Rationale:
This is rarely done in practice, and apart from for specific packages
this is usually not a good indicator of anything useful
It might make sense to re-introduce it with two holes to fill, but then
we would have to make a serious decision to never land without these two
numbers filled in or with too big a regression, because in practice this
box has been a no-op in many cases.
Maybe just integrating this check in nixpkgs-review would bring the most
benefit here?
-----
-----
Remove:
Ensured that relevant documentation is up to date
-----
Rationale:
This is fuzzy, “relevant documentation” is way too often hard to find
-----
-----
Add:
Added a release notes entry if the change is major or breaking
-----
Rationale:
This is way too often forgotten, and is also a self-contained easy task
-----
I couldn't find any reference as to why this dependency would be
required for 0.4.2. Digging into the changelog, it looks like 0.4.0
dropped the libswscale dependency, so this seems like it's now unneeded.