* [core-updates] Setting SSL_CERT_FILE in the build environment
From: Ricardo Wurmus @ 2024-07-15 10:43 UTC
To: guix-devel; +Cc: Efraim Flashner

Hi Guix,

in issue #70179 we remove the bundled certificate file from
python-certifi, which fixes real issues with Python tools on foreign
distros.

The fix is not without side-effects, though. On core-updates we see a
failure in python-requests, which attempts to open a certificate bundle
when loaded (in the sanity-check phase).

How can we generate a certificate bundle in the build environment?
Apparently it is not enough to just add the nss-certs package.

-- 
Ricardo

* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
From: Ricardo Wurmus @ 2024-07-15 14:00 UTC
To: guix-devel; +Cc: Efraim Flashner

Ricardo Wurmus <rekado@elephly.net> writes:

> How can we generate a certificate bundle in the build environment?
> Apparently it is not enough to just add the nss-certs package.

Apparently it is totally enough to just add the nss-certs package, and
that's what I did in commit cf2fbc8f20e26c56d0e864f302a191a1d95962cd.

-- 
Ricardo

* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
From: Ricardo Wurmus @ 2024-07-15 14:40 UTC
To: guix-devel; +Cc: Efraim Flashner

Ricardo Wurmus <rekado@elephly.net> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> How can we generate a certificate bundle in the build environment?
>> Apparently it is not enough to just add the nss-certs package.
>
> Apparently it is totally enough to just add the nss-certs package, and
> that's what I did in commit cf2fbc8f20e26c56d0e864f302a191a1d95962cd.

I got confused by the fact that only python-requests-next fails to
build; the older python-requests has always been fine.

So I reverted that commit and admit that I still don't have an answer to
the above question. Ideas welcome!

-- 
Ricardo

* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
From: Zheng Junjie @ 2024-07-15 16:08 UTC
To: Ricardo Wurmus; +Cc: guix-devel, Efraim Flashner

Ricardo Wurmus <rekado@elephly.net> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>>> How can we generate a certificate bundle in the build environment?
>>> Apparently it is not enough to just add the nss-certs package.
>>
>> Apparently it is totally enough to just add the nss-certs package, and
>> that's what I did in commit cf2fbc8f20e26c56d0e864f302a191a1d95962cd.
>
> I got confused by the fact that only python-requests-next fails to
> build; the older python-requests has always been fine.
>
> So I reverted that commit and admit that I still don't have an answer to
> the above question. Ideas welcome!

This patch should fix it.

[-- Attachment #1.2: 0001-gnu-python-requests-next-Fix-build.patch --]

From f41bf905cfb1395a53cfc0d79315148ac9ba0a79 Mon Sep 17 00:00:00 2001
Message-ID: <f41bf905cfb1395a53cfc0d79315148ac9ba0a79.1721059686.git.zhengjunjie@iscas.ac.cn>
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
Date: Tue, 16 Jul 2024 00:06:39 +0800
Subject: [PATCH] gnu: python-requests-next: Fix build.

* gnu/packages/python-web.scm (python-requests-next): Fix build.
[native-inputs]: Add nss-certs.
[arguments]: Add set-SSL_CERT_FILE phase.
<#:modules>: Adjust it.

Change-Id: I1592ef3329fdcd681df618bb12fbc205aa028be3
---
 gnu/packages/python-web.scm | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm index bca7da9139..7cf54dc07a 100644 --- a/gnu/packages/python-web.scm +++ b/gnu/packages/python-web.scm @@ -94,6 +94,7 @@ (define-module (gnu packages python-web) #:use-module (gnu packages admin) #:use-module (gnu packages base) #:use-module (gnu packages bash) + #:use-module (gnu packages certs) #:use-module (gnu packages check) #:use-module (gnu packages compression) #:use-module (gnu packages curl) @@ -3614,6 +3615,8 @@ (define-public python-requests-next (base32 "0q5742pnibwy74169kacin3dmqg9jzmzk7qab5aq5caffcbm8djm")))) (build-system python-build-system) + (native-inputs + (list nss-certs)) (propagated-inputs (list python-certifi python-charset-normalizer 
@@ -3621,7 +3624,37 @@ (define-public python-requests-next python-urllib3)) (arguments ;; FIXME: Some tests require network access. - '(#:tests? #f)) + (list #:tests? #f + #:modules `((guix build utils) + (guix build python-build-system) + (rnrs io ports) + (ice-9 ftw) + (srfi srfi-26)) + #:phases + #~(modify-phases %standard-phases + (add-before 'sanity-check 'set-SSL_CERT_FILE + ;; adjust from (guix profiles) ca-certificate-bundle + (lambda _ + (define (pem-file? file) + (string-suffix? ".pem" file)) + (define (ca-files top) + (let ((cert-dir (string-append top "/etc/ssl/certs"))) + (map (cut string-append cert-dir "/" <>) + (or (scandir cert-dir pem-file?) '())))) + (define (concatenate-files files result) + "Make RESULT the concatenation of all of FILES." + (define (dump file port) + (display (call-with-input-file file get-string-all) + port) + (newline port)) + (call-with-output-file result + (lambda (port) + (for-each (cut dump <> port) files)))) + (concatenate-files (ca-files + #$(this-package-native-input + "nss-certs")) + "/tmp/ca-certificates.crt") + (setenv "SSL_CERT_FILE" "/tmp/ca-certificates.crt")))))) (home-page "http://python-requests.org/") (synopsis "Python HTTP library") (description base-commit: 05e6bd3efe1b03190839d2b91b09fa768c4ef83c -- 2.45.2 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply related [flat|nested] 9+ messages in thread
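
Review bot: In the set-SSL_CERT_FILE phase, ca-files falls back to '() when scandir finds nothing ((or (scandir cert-dir pem-file?) '())), so a missing or empty etc/ssl/certs under nss-certs produces an empty /tmp/ca-certificates.crt and the phase still succeeds with SSL_CERT_FILE pointing at it. Raise an error when the list is empty so the problem is reported in this phase rather than later in sanity-check. The helper is, per its own comment, adapted from (guix profiles) ca-certificate-bundle; carrying a copy of it plus four extra #:modules entries in one package definition will not scale if other packages need the same bundle, so a shared package or helper would be a better home for it.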
* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
From: Ricardo Wurmus @ 2024-07-15 16:22 UTC
To: Zheng Junjie; +Cc: guix-devel, Efraim Flashner

Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:

> This patch should fix it.

Thank you for the patch!

> From f41bf905cfb1395a53cfc0d79315148ac9ba0a79 Mon Sep 17 00:00:00 2001
> Message-ID: <f41bf905cfb1395a53cfc0d79315148ac9ba0a79.1721059686.git.zhengjunjie@iscas.ac.cn>
> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
> Date: Tue, 16 Jul 2024 00:06:39 +0800
> Subject: [PATCH] gnu: python-requests-next: Fix build.
>
> * gnu/packages/python-web.scm (python-requests-next): Fix build.
> [native-inputs]: Add nss-certs.
> [arguments]: Add set-SSL_CERT_FILE phase.
> <#:modules>: Adjust it.

This seems rather complicated for something that may have to be added to
a number of packages. Would it make sense to create a package
containing this bundle file, set a search path specification, and add
that to the packages needing it?

-- 
Ricardo

* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
From: Zheng Junjie @ 2024-07-15 17:20 UTC
To: Ricardo Wurmus; +Cc: guix-devel, Efraim Flashner

Ricardo Wurmus <rekado@elephly.net> writes:

> Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:
>
>> This patch should fix it.
>
> Thank you for the patch!
>
>> From f41bf905cfb1395a53cfc0d79315148ac9ba0a79 Mon Sep 17 00:00:00 2001
>> Message-ID: <f41bf905cfb1395a53cfc0d79315148ac9ba0a79.1721059686.git.zhengjunjie@iscas.ac.cn>
>> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
>> Date: Tue, 16 Jul 2024 00:06:39 +0800
>> Subject: [PATCH] gnu: python-requests-next: Fix build.
>>
>> * gnu/packages/python-web.scm (python-requests-next): Fix build.
>> [native-inputs]: Add nss-certs.
>> [arguments]: Add set-SSL_CERT_FILE phase.
>> <#:modules>: Adjust it.
>
> This seems rather complicated for something that may have to be added to
> a number of packages. Would it make sense to create a package
> containing this bundle file, set a search path specification, and add
> that to the packages needing it?

Indeed, please try these patches

[-- Attachment #1.2: 0001-gnu-Add-nss-certs-for-test.patch --]

From 0ad24103d82147eece6bd546fc31a9f81e2d17fd Mon Sep 17 00:00:00 2001
Message-ID: <0ad24103d82147eece6bd546fc31a9f81e2d17fd.1721063765.git.zhengjunjie@iscas.ac.cn>
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
Date: Tue, 16 Jul 2024 01:13:35 +0800
Subject: [PATCH 1/2] gnu: Add nss-certs-for-test.

* gnu/packages/certs.scm (nss-certs-for-test): New variable.

Change-Id: Id808e058835556717a6585ecd86dd14d0d2a5039
---
 gnu/packages/certs.scm | 45 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm index 449be0b35a..e2de6b168b 100644 --- a/gnu/packages/certs.scm +++ b/gnu/packages/certs.scm @@ -7,6 +7,7 @@ ;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name> +;;; Copyright © 2024 Zheng Junjie <873216071@qq.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -25,6 +26,7 @@ (define-module (gnu packages certs) #:use-module ((guix licenses) #:prefix license:) + #:use-module ((guix search-paths) #:select ($SSL_CERT_DIR $SSL_CERT_FILE)) #:use-module (guix packages) #:use-module (guix utils) #:use-module (guix download) 
@@ -188,6 +190,49 @@ (define-public nss-certs (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS") (license license:mpl2.0))) +(define-public nss-certs-for-test + (hidden-package + (package + (inherit nss-certs) + (name "nss-certs-for-test") + (source #f) + (build-system trivial-build-system) + (native-inputs (list nss-certs)) + (inputs '()) + (propagated-inputs '()) + (arguments + (list #:modules '((guix build utils) + (rnrs io ports) + (srfi srfi-26)) + #:builder + #~(begin + (use-modules (guix build utils) + (rnrs io ports) + (srfi srfi-26)) + (define certs-dir (string-append #$output "/etc/ssl/certs/")) + (define ca-files + (find-files (string-append #+(this-package-native-input + "nss-certs") + "/etc/ssl/certs") + (lambda (file stat) + (string-suffix? ".pem" file)))) + (define (concatenate-files files result) + "Make RESULT the concatenation of all of FILES." + (define (dump file port) + (display (call-with-input-file file get-string-all) port) + (newline port)) + (call-with-output-file result + (lambda (port) + (for-each (cut dump <> port) files)))) + + (mkdir-p certs-dir) + (concatenate-files + ca-files (string-append certs-dir "/ca-certificates.crt")) + (for-each (cut install-file <> certs-dir) ca-files)))) + (native-search-paths + (list $SSL_CERT_DIR + $SSL_CERT_FILE))))) + (define-public le-certs (package (name "le-certs") base-commit: 05e6bd3efe1b03190839d2b91b09fa768c4ef83c -- 2.45.2 [-- Attachment #1.3: 0002-gnu-python-requests-next-Fix-build.patch --] [-- Type: text/x-patch, Size: 1937 bytes --] From 5417197e22dd7efa6732ea8de188f2f94bfc3ccc Mon Sep 17 00:00:00 2001 Message-ID: <5417197e22dd7efa6732ea8de188f2f94bfc3ccc.1721063765.git.zhengjunjie@iscas.ac.cn> In-Reply-To: <0ad24103d82147eece6bd546fc31a9f81e2d17fd.1721063765.git.zhengjunjie@iscas.ac.cn> References: <0ad24103d82147eece6bd546fc31a9f81e2d17fd.1721063765.git.zhengjunjie@iscas.ac.cn> 
From: Zheng Junjie <zhengjunjie@iscas.ac.cn> Date: Tue, 16 Jul 2024 00:06:39 +0800 Subject: [PATCH 2/2] gnu: python-requests-next: Fix build. * gnu/packages/python-web.scm (python-requests-next): Fix build. [native-inputs]: Add nss-certs-for-test. Change-Id: I1592ef3329fdcd681df618bb12fbc205aa028be3 --- gnu/packages/python-web.scm | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm index bca7da9139..9367dfba34 100644 --- a/gnu/packages/python-web.scm +++ b/gnu/packages/python-web.scm @@ -65,6 +65,7 @@ ;;; Copyright © 2024 Sharlatan Hellseher <sharlatanus@gmail.com> ;;; Copyright © 2024 normally_js <normally_js@posteo.net> ;;; Copyright © 2024 Markku Korkeala <markku.korkeala@iki.fi> +;;; Copyright © 2024 Zheng Junjie <873216071@qq.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -94,6 +95,7 @@ (define-module (gnu packages python-web) #:use-module (gnu packages admin) #:use-module (gnu packages base) #:use-module (gnu packages bash) + #:use-module (gnu packages certs) #:use-module (gnu packages check) #:use-module (gnu packages compression) #:use-module (gnu packages curl) @@ -3614,6 +3616,8 @@ (define-public python-requests-next (base32 "0q5742pnibwy74169kacin3dmqg9jzmzk7qab5aq5caffcbm8djm")))) (build-system python-build-system) + (native-inputs + (list nss-certs-for-test)) (propagated-inputs (list python-certifi python-charset-normalizer -- 2.45.2 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply related [flat|nested] 9+ messages in thread
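
Review bot: In the nss-certs-for-test builder (PATCH 1/2) nothing checks that ca-files is non-empty: if find-files matches no .pem file under etc/ssl/certs, concatenate-files writes an empty ca-certificates.crt, the build succeeds, and $SSL_CERT_FILE in every dependent build points at a bundle with no CAs in it. Fail the build when ca-files is '() so that a layout change in nss-certs is caught here. Minor: certs-dir already ends in "/", so (string-append certs-dir "/ca-certificates.crt") yields a doubled slash; drop one of the two. In PATCH 2/2 the new native input has no comment explaining why a test-only certificate package is needed; a one-line comment next to (list nss-certs-for-test) would keep it from being removed as unused later.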
* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
From: Zheng Junjie @ 2024-07-16 7:37 UTC
To: Ricardo Wurmus; +Cc: guix-devel, Efraim Flashner

Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:
>>
>>> This patch should fix it.
>>
>> Thank you for the patch!
>>
>>> From f41bf905cfb1395a53cfc0d79315148ac9ba0a79 Mon Sep 17 00:00:00 2001
>>> Message-ID: <f41bf905cfb1395a53cfc0d79315148ac9ba0a79.1721059686.git.zhengjunjie@iscas.ac.cn>
>>> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
>>> Date: Tue, 16 Jul 2024 00:06:39 +0800
>>> Subject: [PATCH] gnu: python-requests-next: Fix build.
>>>
>>> * gnu/packages/python-web.scm (python-requests-next): Fix build.
>>> [native-inputs]: Add nss-certs.
>>> [arguments]: Add set-SSL_CERT_FILE phase.
>>> <#:modules>: Adjust it.
>>
>> This seems rather complicated for something that may have to be added to
>> a number of packages. Would it make sense to create a package
>> containing this bundle file, set a search path specification, and add
>> that to the packages needing it?

I checked it out and thought this patch might be a better way.

[-- Attachment #1.2: 0001-gnu-python-requests-next-Fix-build.patch --]

From 8d7466eadcb543d538b1f40c4ec06a953c4aa45d Mon Sep 17 00:00:00 2001
Message-ID: <8d7466eadcb543d538b1f40c4ec06a953c4aa45d.1721115252.git.zhengjunjie@iscas.ac.cn>
From: Zheng Junjie <zhengjunjie@iscas.ac.cn> Date: Tue, 16 Jul 2024 00:06:39 +0800 Subject: [PATCH] gnu: python-requests-next: Fix build. * gnu/packages/python-web.scm (python-requests-next): Fix build. [arguments]<#:phases>: Add add-check-DEFAULT_CA_BUNDLE_PATH-exists phase. Change-Id: I1592ef3329fdcd681df618bb12fbc205aa028be3 --- gnu/packages/python-web.scm | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm index bca7da9139..2926d24b40 100644 --- a/gnu/packages/python-web.scm +++ b/gnu/packages/python-web.scm @@ -65,6 +65,7 @@ ;;; Copyright © 2024 Sharlatan Hellseher <sharlatanus@gmail.com> ;;; Copyright © 2024 normally_js <normally_js@posteo.net> ;;; Copyright © 2024 Markku Korkeala <markku.korkeala@iki.fi> +;;; Copyright © 2024 Zheng Junjie <873216071@qq.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -3621,7 +3622,17 @@ (define-public python-requests-next python-urllib3)) (arguments ;; FIXME: Some tests require network access. - '(#:tests? #f)) + (list #:tests? #f + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'add-check-DEFAULT_CA_BUNDLE_PATH-exists + (lambda _ + (substitute* "src/requests/adapters.py" + ((" _preloaded_ssl_context = create_urllib3_context\\(\\)") + " if os.path.exists(DEFAULT_CA_BUNDLE_PATH): + _preloaded_ssl_context = create_urllib3_context()") + (("_preloaded_ssl_context\\.load_verify_locations\\(") + " _preloaded_ssl_context.load_verify_locations("))))))) (home-page "http://python-requests.org/") (synopsis "Python HTTP library") (description base-commit: 05e6bd3efe1b03190839d2b91b09fa768c4ef83c -- 2.45.2 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply related [flat|nested] 9+ messages in thread
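
Review bot: The replacement text in the first substitute* clause has no else branch, so when DEFAULT_CA_BUNDLE_PATH does not exist _preloaded_ssl_context is never assigned and nothing is reported at import time; this changes the library's behaviour for every user of the package, not only for the build. Prefer leaving adapters.py alone and providing a bundle in the build environment, or at minimum assign a value in an explicit else branch. The second clause re-indents every line matching _preloaded_ssl_context\.load_verify_locations\( in the file, not only the call under the new if, and neither pattern is verified to match, so if upstream rewrites these lines the phase does nothing without any error. The hunk also does not show that adapters.py imports os, which the inserted os.path.exists call needs.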
* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
From: Ricardo Wurmus @ 2024-07-18 19:35 UTC
To: Zheng Junjie; +Cc: guix-devel, Efraim Flashner

Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:

> Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:
>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>>> Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:
>>>
>>>> This patch should fix it.
>>>
>>> Thank you for the patch!
>>>
>>>> From f41bf905cfb1395a53cfc0d79315148ac9ba0a79 Mon Sep 17 00:00:00 2001
>>>> Message-ID: <f41bf905cfb1395a53cfc0d79315148ac9ba0a79.1721059686.git.zhengjunjie@iscas.ac.cn>
>>>> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
>>>> Date: Tue, 16 Jul 2024 00:06:39 +0800
>>>> Subject: [PATCH] gnu: python-requests-next: Fix build.
>>>>
>>>> * gnu/packages/python-web.scm (python-requests-next): Fix build.
>>>> [native-inputs]: Add nss-certs.
>>>> [arguments]: Add set-SSL_CERT_FILE phase.
>>>> <#:modules>: Adjust it.
>>>
>>> This seems rather complicated for something that may have to be added to
>>> a number of packages. Would it make sense to create a package
>>> containing this bundle file, set a search path specification, and add
>>> that to the packages needing it?
>
> I checked it out and thought this patch might be a better way.
>
> From 8d7466eadcb543d538b1f40c4ec06a953c4aa45d Mon Sep 17 00:00:00 2001
> Message-ID: <8d7466eadcb543d538b1f40c4ec06a953c4aa45d.1721115252.git.zhengjunjie@iscas.ac.cn>
> From: Zheng Junjie <zhengjunjie@iscas.ac.cn> > Date: Tue, 16 Jul 2024 00:06:39 +0800 > Subject: [PATCH] gnu: python-requests-next: Fix build. > > * gnu/packages/python-web.scm (python-requests-next): Fix build. > [arguments]<#:phases>: Add add-check-DEFAULT_CA_BUNDLE_PATH-exists phase. > > Change-Id: I1592ef3329fdcd681df618bb12fbc205aa028be3 > --- > gnu/packages/python-web.scm | 13 ++++++++++++- > 1 file changed, 12 insertions(+), 1 deletion(-) > > diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm > index bca7da9139..2926d24b40 100644 > --- a/gnu/packages/python-web.scm > +++ b/gnu/packages/python-web.scm > @@ -65,6 +65,7 @@ > ;;; Copyright © 2024 Sharlatan Hellseher <sharlatanus@gmail.com> > ;;; Copyright © 2024 normally_js <normally_js@posteo.net> > ;;; Copyright © 2024 Markku Korkeala <markku.korkeala@iki.fi> > +;;; Copyright © 2024 Zheng Junjie <873216071@qq.com> > ;;; > ;;; This file is part of GNU Guix. > ;;; 
> @@ -3621,7 +3622,17 @@ (define-public python-requests-next > python-urllib3)) > (arguments > ;; FIXME: Some tests require network access. > - '(#:tests? #f)) > + (list #:tests? #f > + #:phases > + #~(modify-phases %standard-phases > + (add-after 'unpack 'add-check-DEFAULT_CA_BUNDLE_PATH-exists > + (lambda _ > + (substitute* "src/requests/adapters.py" > + ((" _preloaded_ssl_context = create_urllib3_context\\(\\)") > + " if os.path.exists(DEFAULT_CA_BUNDLE_PATH): > + _preloaded_ssl_context = create_urllib3_context()") > + (("_preloaded_ssl_context\\.load_verify_locations\\(") > + " _preloaded_ssl_context.load_verify_locations("))))))) What happens when DEFAULT_CA_BUNDLE_PATH does not exist? Wouldn't it silently skip initializing the SSL context? I would not be comfortable with this. I think we should just satisfy the test. It is hard to see the full consequences of patching things here. DEFAULT_CA_BUNDLE_PATH is the result of using the tools provided by certifi, which has been patched to give us control over the location of the bundle. I think that's what we should use. -- Ricardo ^ permalink raw reply [flat|nested] 9+ messages in thread
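
The concern raised in this reply, as an added example that is not part of the thread and is not Guix or requests code: it contrasts an unguarded load of a CA bundle with the os.path.exists-guarded form, and shows a bundle builder that refuses to produce an empty file. The function names build_bundle, eager_preload and guarded_preload are hypothetical, the .pem files are constructed and do not contain real certificates, and only Python's standard ssl module is used.

```python
import os
import ssl
import tempfile
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def build_bundle(cert_dir, bundle_path):
    """Concatenate every *.pem in cert_dir into bundle_path.

    Same idea as concatenate-files in the patches, plus a check they do
    not have: refuse to write a bundle that contains no certificate.
    Returns the number of PEM certificate blocks written.
    """
    pem_files = sorted(Path(cert_dir).glob("*.pem"))
    text = "".join(p.read_text() + "\n" for p in pem_files)
    count = text.count(PEM_BEGIN)
    if count == 0:
        raise ValueError(f"no PEM certificates found in {cert_dir}")
    Path(bundle_path).write_text(text)
    return count


def eager_preload(bundle_path):
    """Unguarded import-time load: a missing bundle raises immediately."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=str(bundle_path))
    return ctx


def guarded_preload(bundle_path):
    """Load guarded by os.path.exists: a missing bundle is skipped silently."""
    if os.path.exists(bundle_path):
        return eager_preload(bundle_path)
    return None  # no context and no error: the caller never learns why


def demo():
    """Return (eager outcome, guarded result, bundle size, empty-dir outcome)."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "ca-certificates.crt")  # does not exist yet
        try:
            eager_preload(bundle)
            eager = "loaded"
        except OSError:  # CPython raises FileNotFoundError here
            eager = "raised"
        guarded = guarded_preload(bundle)

        # Constructed PEM-framed files; the payload is not a real certificate.
        certs = Path(tmp, "certs")
        certs.mkdir()
        for name in ("a.pem", "b.pem"):
            (certs / name).write_text(
                f"{PEM_BEGIN}\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
        count = build_bundle(certs, bundle)

        empty = Path(tmp, "empty")
        empty.mkdir()
        try:
            build_bundle(empty, os.path.join(tmp, "empty.crt"))
            empty_outcome = "written"
        except ValueError:
            empty_outcome = "rejected"
        return eager, guarded, count, empty_outcome


if __name__ == "__main__":
    print(demo())
```

The unguarded load fails at the point where the bundle is missing, which is the build failure the thread starts from; the guarded load returns nothing and defers the problem to whoever first needs certificate verification.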
* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
From: Ricardo Wurmus @ 2024-07-22 9:50 UTC
To: Zheng Junjie; +Cc: guix-devel, Efraim Flashner

Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:
>>
>>> This patch should fix it.
>>
>> Thank you for the patch!
>>
>>> From f41bf905cfb1395a53cfc0d79315148ac9ba0a79 Mon Sep 17 00:00:00 2001
>>> Message-ID: <f41bf905cfb1395a53cfc0d79315148ac9ba0a79.1721059686.git.zhengjunjie@iscas.ac.cn>
>>> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
>>> Date: Tue, 16 Jul 2024 00:06:39 +0800
>>> Subject: [PATCH] gnu: python-requests-next: Fix build.
>>>
>>> * gnu/packages/python-web.scm (python-requests-next): Fix build.
>>> [native-inputs]: Add nss-certs.
>>> [arguments]: Add set-SSL_CERT_FILE phase.
>>> <#:modules>: Adjust it.
>>
>> This seems rather complicated for something that may have to be added to
>> a number of packages. Would it make sense to create a package
>> containing this bundle file, set a search path specification, and add
>> that to the packages needing it?
>
> Indeed, please try these patches
>
> From 0ad24103d82147eece6bd546fc31a9f81e2d17fd Mon Sep 17 00:00:00 2001
> Message-ID: <0ad24103d82147eece6bd546fc31a9f81e2d17fd.1721063765.git.zhengjunjie@iscas.ac.cn>
> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
> Date: Tue, 16 Jul 2024 01:13:35 +0800
> Subject: [PATCH 1/2] gnu: Add nss-certs-for-test.
>
> * gnu/packages/certs.scm (nss-certs-for-test): New variable.

[...]

> From 5417197e22dd7efa6732ea8de188f2f94bfc3ccc Mon Sep 17 00:00:00 2001
> Message-ID: <5417197e22dd7efa6732ea8de188f2f94bfc3ccc.1721063765.git.zhengjunjie@iscas.ac.cn>
> In-Reply-To: <0ad24103d82147eece6bd546fc31a9f81e2d17fd.1721063765.git.zhengjunjie@iscas.ac.cn>
> References: <0ad24103d82147eece6bd546fc31a9f81e2d17fd.1721063765.git.zhengjunjie@iscas.ac.cn>
> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
> Date: Tue, 16 Jul 2024 00:06:39 +0800
> Subject: [PATCH 2/2] gnu: python-requests-next: Fix build.
>
> * gnu/packages/python-web.scm (python-requests-next): Fix build.
> [native-inputs]: Add nss-certs-for-test.

I have applied them. Thank you!

-- 
Ricardo