unofficial mirror of guix-devel@gnu.org 
* [core-updates] Setting SSL_CERT_FILE in the build environment
@ 2024-07-15 10:43 Ricardo Wurmus
  2024-07-15 14:00 ` Ricardo Wurmus
  0 siblings, 1 reply; 9+ messages in thread
From: Ricardo Wurmus @ 2024-07-15 10:43 UTC (permalink / raw)
  To: guix-devel; +Cc: Efraim Flashner

Hi Guix,

in issue #70179 we remove the bundled certificate file from
python-certifi, which fixes real issues with Python tools on foreign
distros.  The fix is not without side-effects, though.  On core-updates
we see a failure in python-requests, which attempts to open a
certificate bundle when loaded (in the sanity-check phase).

How can we generate a certificate bundle in the build environment?
Apparently it is not enough to just add the nss-certs package.

-- 
Ricardo



* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
  2024-07-15 10:43 [core-updates] Setting SSL_CERT_FILE in the build environment Ricardo Wurmus
@ 2024-07-15 14:00 ` Ricardo Wurmus
  2024-07-15 14:40   ` Ricardo Wurmus
  0 siblings, 1 reply; 9+ messages in thread
From: Ricardo Wurmus @ 2024-07-15 14:00 UTC (permalink / raw)
  To: guix-devel; +Cc: Efraim Flashner

Ricardo Wurmus <rekado@elephly.net> writes:

> How can we generate a certificate bundle in the build environment?
> Apparently it is not enough to just add the nss-certs package.

Apparently it is totally enough to just add the nss-certs package, and
that's what I did in commit cf2fbc8f20e26c56d0e864f302a191a1d95962cd.

-- 
Ricardo



* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
  2024-07-15 14:00 ` Ricardo Wurmus
@ 2024-07-15 14:40   ` Ricardo Wurmus
  2024-07-15 16:08     ` Zheng Junjie
  0 siblings, 1 reply; 9+ messages in thread
From: Ricardo Wurmus @ 2024-07-15 14:40 UTC (permalink / raw)
  To: guix-devel; +Cc: Efraim Flashner

Ricardo Wurmus <rekado@elephly.net> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> How can we generate a certificate bundle in the build environment?
>> Apparently it is not enough to just add the nss-certs package.
>
> Apparently it is totally enough to just add the nss-certs package, and
> that's what I did in commit cf2fbc8f20e26c56d0e864f302a191a1d95962cd.

I got confused by the fact that only python-requests-next fails to
build; the older python-requests has always been fine.

So I reverted that commit and admit that I still don't have an answer to
the above question.  Ideas welcome!

-- 
Ricardo



* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
  2024-07-15 14:40   ` Ricardo Wurmus
@ 2024-07-15 16:08     ` Zheng Junjie
  2024-07-15 16:22       ` Ricardo Wurmus
  0 siblings, 1 reply; 9+ messages in thread
From: Zheng Junjie @ 2024-07-15 16:08 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel, Efraim Flashner


Ricardo Wurmus <rekado@elephly.net> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>>> How can we generate a certificate bundle in the build environment?
>>> Apparently it is not enough to just add the nss-certs package.
>>
>> Apparently it is totally enough to just add the nss-certs package, and
>> that's what I did in commit cf2fbc8f20e26c56d0e864f302a191a1d95962cd.
>
> I got confused by the fact that only python-requests-next fails to
> build; the older python-requests has always been fine.
>
> So I reverted that commit and admit that I still don't have an answer to
> the above question.  Ideas welcome!

This patch should fix it.


[-- Attachment #1.2: 0001-gnu-python-requests-next-Fix-build.patch --]
[-- Type: text/x-patch, Size: 3527 bytes --]

From f41bf905cfb1395a53cfc0d79315148ac9ba0a79 Mon Sep 17 00:00:00 2001
Message-ID: <f41bf905cfb1395a53cfc0d79315148ac9ba0a79.1721059686.git.zhengjunjie@iscas.ac.cn>
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
Date: Tue, 16 Jul 2024 00:06:39 +0800
Subject: [PATCH] gnu: python-requests-next: Fix build.

* gnu/packages/python-web.scm (python-requests-next): Fix build.
[native-inputs]: Add nss-certs.
[arguments]: Add set-SSL_CERT_FILE phase.
<#:modules>: Adjust it.

Change-Id: I1592ef3329fdcd681df618bb12fbc205aa028be3
---
 gnu/packages/python-web.scm | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm
index bca7da9139..7cf54dc07a 100644
--- a/gnu/packages/python-web.scm
+++ b/gnu/packages/python-web.scm
@@ -94,6 +94,7 @@ (define-module (gnu packages python-web)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages base)
   #:use-module (gnu packages bash)
+  #:use-module (gnu packages certs)
   #:use-module (gnu packages check)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages curl)
@@ -3614,6 +3615,8 @@ (define-public python-requests-next
               (base32
                "0q5742pnibwy74169kacin3dmqg9jzmzk7qab5aq5caffcbm8djm"))))
     (build-system python-build-system)
+    (native-inputs
+     (list nss-certs))
     (propagated-inputs
      (list python-certifi
            python-charset-normalizer
@@ -3621,7 +3624,37 @@ (define-public python-requests-next
            python-urllib3))
     (arguments
      ;; FIXME: Some tests require network access.
-     '(#:tests? #f))
+     (list #:tests? #f
+           #:modules `((guix build utils)
+                       (guix build python-build-system)
+                       (rnrs io ports)
+                       (ice-9 ftw)
+                       (srfi srfi-26))
+           #:phases
+           #~(modify-phases %standard-phases
+               (add-before  'sanity-check 'set-SSL_CERT_FILE
+                 ;; adjust from (guix profiles) ca-certificate-bundle
+                 (lambda _
+                   (define (pem-file? file)
+                     (string-suffix? ".pem" file))
+                   (define (ca-files top)
+                     (let ((cert-dir (string-append top "/etc/ssl/certs")))
+                       (map (cut string-append cert-dir "/" <>)
+                            (or (scandir cert-dir pem-file?) '()))))
+                   (define (concatenate-files files result)
+                     "Make RESULT the concatenation of all of FILES."
+                     (define (dump file port)
+                       (display (call-with-input-file file get-string-all)
+                                port)
+                       (newline port))
+                     (call-with-output-file result
+                       (lambda (port)
+                         (for-each (cut dump <> port) files))))
+                   (concatenate-files (ca-files
+                                       #$(this-package-native-input
+                                          "nss-certs"))
+                                      "/tmp/ca-certificates.crt")
+                   (setenv "SSL_CERT_FILE" "/tmp/ca-certificates.crt"))))))
     (home-page "http://python-requests.org/")
     (synopsis "Python HTTP library")
     (description
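
Review bot: the set-SSL_CERT_FILE phase writes the bundle to the fixed path "/tmp/ca-certificates.crt" and then points SSL_CERT_FILE at it; writing the file under the build directory instead would keep the phase self-contained. In ca-files, (or (scandir cert-dir pem-file?) '()) turns a missing certificate directory into an empty list, so the phase would export an empty bundle instead of failing; raise an error when no ".pem" file is found. The comment notes the code is adapted from ca-certificate-bundle in (guix profiles), which means every package that needs a bundle would carry its own copy of these helpers.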

base-commit: 05e6bd3efe1b03190839d2b91b09fa768c4ef83c
-- 
2.45.2



* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
  2024-07-15 16:08     ` Zheng Junjie
@ 2024-07-15 16:22       ` Ricardo Wurmus
  2024-07-15 17:20         ` Zheng Junjie
  0 siblings, 1 reply; 9+ messages in thread
From: Ricardo Wurmus @ 2024-07-15 16:22 UTC (permalink / raw)
  To: Zheng Junjie; +Cc: guix-devel, Efraim Flashner

Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:

> This patch should fix it.

Thank you for the patch!

> From f41bf905cfb1395a53cfc0d79315148ac9ba0a79 Mon Sep 17 00:00:00 2001
> Message-ID: <f41bf905cfb1395a53cfc0d79315148ac9ba0a79.1721059686.git.zhengjunjie@iscas.ac.cn>
> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
> Date: Tue, 16 Jul 2024 00:06:39 +0800
> Subject: [PATCH] gnu: python-requests-next: Fix build.
>
> * gnu/packages/python-web.scm (python-requests-next): Fix build.
> [native-inputs]: Add nss-certs.
> [arguments]: Add set-SSL_CERT_FILE phase.
> <#:modules>: Adjust it.

This seems rather complicated for something that may have to be added to
a number of packages.  Would it make sense to create a package
containing this bundle file, set a search path specification, and add
that to the packages needing it?

-- 
Ricardo



* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
  2024-07-15 16:22       ` Ricardo Wurmus
@ 2024-07-15 17:20         ` Zheng Junjie
  2024-07-16  7:37           ` Zheng Junjie
  2024-07-22  9:50           ` Ricardo Wurmus
  0 siblings, 2 replies; 9+ messages in thread
From: Zheng Junjie @ 2024-07-15 17:20 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel, Efraim Flashner


Ricardo Wurmus <rekado@elephly.net> writes:

> Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:
>
>> This patch should fix it.
>
> Thank you for the patch!
>
>> From f41bf905cfb1395a53cfc0d79315148ac9ba0a79 Mon Sep 17 00:00:00 2001
>> Message-ID: <f41bf905cfb1395a53cfc0d79315148ac9ba0a79.1721059686.git.zhengjunjie@iscas.ac.cn>
>> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
>> Date: Tue, 16 Jul 2024 00:06:39 +0800
>> Subject: [PATCH] gnu: python-requests-next: Fix build.
>>
>> * gnu/packages/python-web.scm (python-requests-next): Fix build.
>> [native-inputs]: Add nss-certs.
>> [arguments]: Add set-SSL_CERT_FILE phase.
>> <#:modules>: Adjust it.
>
> This seems rather complicated for something that may have to be added to
> a number of packages.  Would it make sense to create a package
> containing this bundle file, set a search path specification, and add
> that to the packages needing it?

Indeed, please try these patches


[-- Attachment #1.2: 0001-gnu-Add-nss-certs-for-test.patch --]
[-- Type: text/x-patch, Size: 3429 bytes --]

From 0ad24103d82147eece6bd546fc31a9f81e2d17fd Mon Sep 17 00:00:00 2001
Message-ID: <0ad24103d82147eece6bd546fc31a9f81e2d17fd.1721063765.git.zhengjunjie@iscas.ac.cn>
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
Date: Tue, 16 Jul 2024 01:13:35 +0800
Subject: [PATCH 1/2] gnu: Add nss-certs-for-test.

* gnu/packages/certs.scm (nss-certs-for-test): New variable.

Change-Id: Id808e058835556717a6585ecd86dd14d0d2a5039
---
 gnu/packages/certs.scm | 45 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 449be0b35a..e2de6b168b 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
+;;; Copyright © 2024 Zheng Junjie <873216071@qq.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -25,6 +26,7 @@
 
 (define-module (gnu packages certs)
   #:use-module ((guix licenses) #:prefix license:)
+  #:use-module ((guix search-paths) #:select ($SSL_CERT_DIR $SSL_CERT_FILE))
   #:use-module (guix packages)
   #:use-module (guix utils)
   #:use-module (guix download)
@@ -188,6 +190,49 @@ (define-public nss-certs
     (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
     (license license:mpl2.0)))
 
+(define-public nss-certs-for-test
+  (hidden-package
+   (package
+     (inherit nss-certs)
+     (name "nss-certs-for-test")
+     (source #f)
+     (build-system trivial-build-system)
+     (native-inputs (list nss-certs))
+     (inputs '())
+     (propagated-inputs '())
+     (arguments
+      (list #:modules '((guix build utils)
+                        (rnrs io ports)
+                        (srfi srfi-26))
+            #:builder
+            #~(begin
+                (use-modules (guix build utils)
+                             (rnrs io ports)
+                             (srfi srfi-26))
+                (define certs-dir (string-append #$output "/etc/ssl/certs/"))
+                (define ca-files
+                  (find-files (string-append #+(this-package-native-input
+                                                "nss-certs")
+                                             "/etc/ssl/certs")
+                              (lambda (file stat)
+                                (string-suffix? ".pem" file))))
+                (define (concatenate-files files result)
+                  "Make RESULT the concatenation of all of FILES."
+                  (define (dump file port)
+                    (display (call-with-input-file file get-string-all) port)
+                    (newline port))
+                  (call-with-output-file result
+                    (lambda (port)
+                      (for-each (cut dump <> port) files))))
+
+                (mkdir-p certs-dir)
+                (concatenate-files
+                 ca-files (string-append certs-dir "/ca-certificates.crt"))
+                (for-each (cut install-file <> certs-dir) ca-files))))
+     (native-search-paths
+      (list $SSL_CERT_DIR
+            $SSL_CERT_FILE)))))
+
 (define-public le-certs
   (package
     (name "le-certs")
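
Review bot: in the nss-certs-for-test builder nothing checks that ca-files is non-empty, so if find-files matches no ".pem" file the package still builds and ships an empty ca-certificates.crt; fail the build when the list is empty. certs-dir is defined with a trailing "/", so (string-append certs-dir "/ca-certificates.crt") produces a doubled slash; drop one of the two. The package inherits its synopsis and description from nss-certs, so a comment above the definition stating what this hidden variant is for would help whoever adds it to another package.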

base-commit: 05e6bd3efe1b03190839d2b91b09fa768c4ef83c
-- 
2.45.2


[-- Attachment #1.3: 0002-gnu-python-requests-next-Fix-build.patch --]
[-- Type: text/x-patch, Size: 1937 bytes --]

From 5417197e22dd7efa6732ea8de188f2f94bfc3ccc Mon Sep 17 00:00:00 2001
Message-ID: <5417197e22dd7efa6732ea8de188f2f94bfc3ccc.1721063765.git.zhengjunjie@iscas.ac.cn>
In-Reply-To: <0ad24103d82147eece6bd546fc31a9f81e2d17fd.1721063765.git.zhengjunjie@iscas.ac.cn>
References: <0ad24103d82147eece6bd546fc31a9f81e2d17fd.1721063765.git.zhengjunjie@iscas.ac.cn>
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
Date: Tue, 16 Jul 2024 00:06:39 +0800
Subject: [PATCH 2/2] gnu: python-requests-next: Fix build.

* gnu/packages/python-web.scm (python-requests-next): Fix build.
[native-inputs]: Add nss-certs-for-test.

Change-Id: I1592ef3329fdcd681df618bb12fbc205aa028be3
---
 gnu/packages/python-web.scm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm
index bca7da9139..9367dfba34 100644
--- a/gnu/packages/python-web.scm
+++ b/gnu/packages/python-web.scm
@@ -65,6 +65,7 @@
 ;;; Copyright © 2024 Sharlatan Hellseher <sharlatanus@gmail.com>
 ;;; Copyright © 2024 normally_js <normally_js@posteo.net>
 ;;; Copyright © 2024 Markku Korkeala <markku.korkeala@iki.fi>
+;;; Copyright © 2024 Zheng Junjie <873216071@qq.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -94,6 +95,7 @@ (define-module (gnu packages python-web)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages base)
   #:use-module (gnu packages bash)
+  #:use-module (gnu packages certs)
   #:use-module (gnu packages check)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages curl)
@@ -3614,6 +3616,8 @@ (define-public python-requests-next
               (base32
                "0q5742pnibwy74169kacin3dmqg9jzmzk7qab5aq5caffcbm8djm"))))
     (build-system python-build-system)
+    (native-inputs
+     (list nss-certs-for-test))
     (propagated-inputs
      (list python-certifi
            python-charset-normalizer
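
Review bot: the new native-inputs field of python-requests-next has no comment saying why a certificate bundle is needed at build time; a one-line comment next to nss-certs-for-test (for instance, that loading the module opens the CA bundle) would keep the input from being dropped later as unused.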
-- 
2.45.2



* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
  2024-07-15 17:20         ` Zheng Junjie
@ 2024-07-16  7:37           ` Zheng Junjie
  2024-07-18 19:35             ` Ricardo Wurmus
  2024-07-22  9:50           ` Ricardo Wurmus
  1 sibling, 1 reply; 9+ messages in thread
From: Zheng Junjie @ 2024-07-16  7:37 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel, Efraim Flashner


Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:
>>
>>> This patch should fix it.
>>
>> Thank you for the patch!
>>
>>> From f41bf905cfb1395a53cfc0d79315148ac9ba0a79 Mon Sep 17 00:00:00 2001
>>> Message-ID: <f41bf905cfb1395a53cfc0d79315148ac9ba0a79.1721059686.git.zhengjunjie@iscas.ac.cn>
>>> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
>>> Date: Tue, 16 Jul 2024 00:06:39 +0800
>>> Subject: [PATCH] gnu: python-requests-next: Fix build.
>>>
>>> * gnu/packages/python-web.scm (python-requests-next): Fix build.
>>> [native-inputs]: Add nss-certs.
>>> [arguments]: Add set-SSL_CERT_FILE phase.
>>> <#:modules>: Adjust it.
>>
>> This seems rather complicated for something that may have to be added to
>> a number of packages.  Would it make sense to create a package
>> containing this bundle file, set a search path specification, and add
>> that to the packages needing it?

I checked it out and thought this patch might be a better way.


[-- Attachment #1.2: 0001-gnu-python-requests-next-Fix-build.patch --]
[-- Type: text/x-patch, Size: 2108 bytes --]

From 8d7466eadcb543d538b1f40c4ec06a953c4aa45d Mon Sep 17 00:00:00 2001
Message-ID: <8d7466eadcb543d538b1f40c4ec06a953c4aa45d.1721115252.git.zhengjunjie@iscas.ac.cn>
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
Date: Tue, 16 Jul 2024 00:06:39 +0800
Subject: [PATCH] gnu: python-requests-next: Fix build.

* gnu/packages/python-web.scm (python-requests-next): Fix build.
[arguments]<#:phases>: Add add-check-DEFAULT_CA_BUNDLE_PATH-exists phase.

Change-Id: I1592ef3329fdcd681df618bb12fbc205aa028be3
---
 gnu/packages/python-web.scm | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm
index bca7da9139..2926d24b40 100644
--- a/gnu/packages/python-web.scm
+++ b/gnu/packages/python-web.scm
@@ -65,6 +65,7 @@
 ;;; Copyright © 2024 Sharlatan Hellseher <sharlatanus@gmail.com>
 ;;; Copyright © 2024 normally_js <normally_js@posteo.net>
 ;;; Copyright © 2024 Markku Korkeala <markku.korkeala@iki.fi>
+;;; Copyright © 2024 Zheng Junjie <873216071@qq.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -3621,7 +3622,17 @@ (define-public python-requests-next
            python-urllib3))
     (arguments
      ;; FIXME: Some tests require network access.
-     '(#:tests? #f))
+     (list #:tests? #f
+           #:phases
+           #~(modify-phases %standard-phases
+               (add-after 'unpack 'add-check-DEFAULT_CA_BUNDLE_PATH-exists
+                 (lambda _
+                   (substitute* "src/requests/adapters.py"
+                     (("    _preloaded_ssl_context = create_urllib3_context\\(\\)")
+                      "    if os.path.exists(DEFAULT_CA_BUNDLE_PATH):
+      _preloaded_ssl_context = create_urllib3_context()")
+                     (("_preloaded_ssl_context\\.load_verify_locations\\(")
+                      "  _preloaded_ssl_context.load_verify_locations(")))))))
     (home-page "http://python-requests.org/")
     (synopsis "Python HTTP library")
     (description
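
Review bot: in the first substitute* replacement, _preloaded_ssl_context is assigned only inside the new "if os.path.exists(DEFAULT_CA_BUNDLE_PATH):" branch, so when the bundle is absent the name is never bound and the context setup is skipped without any error at that point; add an else branch that raises or assigns an explicit value so the missing-bundle case is visible. The replacement also assumes adapters.py already imports os, and the second pattern prefixes every match of _preloaded_ssl_context.load_verify_locations( with two spaces, which is only valid Python if each match sits directly under the new if.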

base-commit: 05e6bd3efe1b03190839d2b91b09fa768c4ef83c
-- 
2.45.2



* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
  2024-07-16  7:37           ` Zheng Junjie
@ 2024-07-18 19:35             ` Ricardo Wurmus
  0 siblings, 0 replies; 9+ messages in thread
From: Ricardo Wurmus @ 2024-07-18 19:35 UTC (permalink / raw)
  To: Zheng Junjie; +Cc: guix-devel, Efraim Flashner

Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:

> Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:
>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>>> Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:
>>>
>>>> This patch should fix it.
>>>
>>> Thank you for the patch!
>>>
>>>> From f41bf905cfb1395a53cfc0d79315148ac9ba0a79 Mon Sep 17 00:00:00 2001
>>>> Message-ID: <f41bf905cfb1395a53cfc0d79315148ac9ba0a79.1721059686.git.zhengjunjie@iscas.ac.cn>
>>>> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
>>>> Date: Tue, 16 Jul 2024 00:06:39 +0800
>>>> Subject: [PATCH] gnu: python-requests-next: Fix build.
>>>>
>>>> * gnu/packages/python-web.scm (python-requests-next): Fix build.
>>>> [native-inputs]: Add nss-certs.
>>>> [arguments]: Add set-SSL_CERT_FILE phase.
>>>> <#:modules>: Adjust it.
>>>
>>> This seems rather complicated for something that may have to be added to
>>> a number of packages.  Would it make sense to create a package
>>> containing this bundle file, set a search path specification, and add
>>> that to the packages needing it?
>
> I checked it out and thought this patch might be a better way.
>
> From 8d7466eadcb543d538b1f40c4ec06a953c4aa45d Mon Sep 17 00:00:00 2001
> Message-ID: <8d7466eadcb543d538b1f40c4ec06a953c4aa45d.1721115252.git.zhengjunjie@iscas.ac.cn>
> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
> Date: Tue, 16 Jul 2024 00:06:39 +0800
> Subject: [PATCH] gnu: python-requests-next: Fix build.
>
> * gnu/packages/python-web.scm (python-requests-next): Fix build.
> [arguments]<#:phases>: Add add-check-DEFAULT_CA_BUNDLE_PATH-exists phase.
>
> Change-Id: I1592ef3329fdcd681df618bb12fbc205aa028be3
> ---
>  gnu/packages/python-web.scm | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm
> index bca7da9139..2926d24b40 100644
> --- a/gnu/packages/python-web.scm
> +++ b/gnu/packages/python-web.scm
> @@ -65,6 +65,7 @@
>  ;;; Copyright © 2024 Sharlatan Hellseher <sharlatanus@gmail.com>
>  ;;; Copyright © 2024 normally_js <normally_js@posteo.net>
>  ;;; Copyright © 2024 Markku Korkeala <markku.korkeala@iki.fi>
> +;;; Copyright © 2024 Zheng Junjie <873216071@qq.com>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -3621,7 +3622,17 @@ (define-public python-requests-next
>             python-urllib3))
>      (arguments
>       ;; FIXME: Some tests require network access.
> -     '(#:tests? #f))
> +     (list #:tests? #f
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'add-check-DEFAULT_CA_BUNDLE_PATH-exists
> +                 (lambda _
> +                   (substitute* "src/requests/adapters.py"
> +                     (("    _preloaded_ssl_context = create_urllib3_context\\(\\)")
> +                      "    if os.path.exists(DEFAULT_CA_BUNDLE_PATH):
> +      _preloaded_ssl_context = create_urllib3_context()")
> +                     (("_preloaded_ssl_context\\.load_verify_locations\\(")
> +                      "  _preloaded_ssl_context.load_verify_locations(")))))))

What happens when DEFAULT_CA_BUNDLE_PATH does not exist?

Wouldn't it silently skip initializing the SSL context?  I would not be
comfortable with this.  I think we should just satisfy the test.  It is
hard to see the full consequences of patching things here.

DEFAULT_CA_BUNDLE_PATH is the result of using the tools provided by
certifi, which has been patched to give us control over the location of
the bundle.  I think that's what we should use.

-- 
Ricardo
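
The failure mode raised in the message above, as an added example that is not part of the thread and is not code from Guix, requests or certifi: it contrasts an `os.path.exists()` guard with a loader that fails closed, and applies the same rule when concatenating `.pem` files into a bundle. The function names and the placeholder PEM block are constructed for illustration.

```python
import os
import ssl
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
# Constructed placeholder: PEM framing around dummy base64, not a real certificate.
DUMMY_PEM = PEM_BEGIN + "\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"


def build_bundle(cert_dir, result):
    """Concatenate every *.pem file in cert_dir into result; return the block count.

    Raises instead of writing an empty bundle, so a changed directory layout
    breaks the build rather than yielding a trust store with no roots.
    """
    names = sorted(n for n in os.listdir(cert_dir) if n.endswith(".pem"))
    texts = []
    for name in names:
        with open(os.path.join(cert_dir, name), encoding="utf-8") as src:
            texts.append(src.read().rstrip("\n") + "\n")
    blocks = sum(t.count(PEM_BEGIN) for t in texts)
    if blocks == 0:
        raise FileNotFoundError(f"no PEM certificates under {cert_dir}")
    with open(result, "w", encoding="utf-8") as out:
        out.writelines(texts)
    return blocks


def guarded_preload(ca_bundle):
    """Model of the exists() guard: with no bundle, no context is created.

    Returns None in that case (the guarded module would leave its name unset).
    """
    ctx = None
    if os.path.exists(ca_bundle):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def strict_preload(ca_bundle):
    """Always create the context and fail loudly if no CA ends up loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Raises FileNotFoundError when the bundle is absent.
    ctx.load_verify_locations(cafile=ca_bundle)
    if ctx.cert_store_stats()["x509_ca"] == 0:
        raise RuntimeError(f"{ca_bundle} loaded but contains no CA certificates")
    return ctx


def demo():
    """Run both loaders against a missing bundle and build a bundle from dummies."""
    with tempfile.TemporaryDirectory() as tmp:
        cert_dir = os.path.join(tmp, "certs")
        os.mkdir(cert_dir)
        for name in ("a.pem", "b.pem"):
            with open(os.path.join(cert_dir, name), "w", encoding="utf-8") as f:
                f.write(DUMMY_PEM)
        blocks = build_bundle(cert_dir, os.path.join(tmp, "bundle.crt"))

        missing = os.path.join(tmp, "absent.crt")
        guarded = guarded_preload(missing)
        try:
            strict_preload(missing)
            strict = "loaded"
        except FileNotFoundError:
            strict = "FileNotFoundError"
    return blocks, guarded, strict


if __name__ == "__main__":
    print(demo())
```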



* Re: [core-updates] Setting SSL_CERT_FILE in the build environment
  2024-07-15 17:20         ` Zheng Junjie
  2024-07-16  7:37           ` Zheng Junjie
@ 2024-07-22  9:50           ` Ricardo Wurmus
  1 sibling, 0 replies; 9+ messages in thread
From: Ricardo Wurmus @ 2024-07-22  9:50 UTC (permalink / raw)
  To: Zheng Junjie; +Cc: guix-devel, Efraim Flashner

Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> Zheng Junjie <zhengjunjie@iscas.ac.cn> writes:
>>
>>> This patch should fix it.
>>
>> Thank you for the patch!
>>
>>> From f41bf905cfb1395a53cfc0d79315148ac9ba0a79 Mon Sep 17 00:00:00 2001
>>> Message-ID: <f41bf905cfb1395a53cfc0d79315148ac9ba0a79.1721059686.git.zhengjunjie@iscas.ac.cn>
>>> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
>>> Date: Tue, 16 Jul 2024 00:06:39 +0800
>>> Subject: [PATCH] gnu: python-requests-next: Fix build.
>>>
>>> * gnu/packages/python-web.scm (python-requests-next): Fix build.
>>> [native-inputs]: Add nss-certs.
>>> [arguments]: Add set-SSL_CERT_FILE phase.
>>> <#:modules>: Adjust it.
>>
>> This seems rather complicated for something that may have to be added to
>> a number of packages.  Would it make sense to create a package
>> containing this bundle file, set a search path specification, and add
>> that to the packages needing it?
>
> Indeed, please try these patches
>
> From 0ad24103d82147eece6bd546fc31a9f81e2d17fd Mon Sep 17 00:00:00 2001
> Message-ID: <0ad24103d82147eece6bd546fc31a9f81e2d17fd.1721063765.git.zhengjunjie@iscas.ac.cn>
> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
> Date: Tue, 16 Jul 2024 01:13:35 +0800
> Subject: [PATCH 1/2] gnu: Add nss-certs-for-test.
>
> * gnu/packages/certs.scm (nss-certs-for-test): New variable.
[...]
> From 5417197e22dd7efa6732ea8de188f2f94bfc3ccc Mon Sep 17 00:00:00 2001
> Message-ID: <5417197e22dd7efa6732ea8de188f2f94bfc3ccc.1721063765.git.zhengjunjie@iscas.ac.cn>
> In-Reply-To: <0ad24103d82147eece6bd546fc31a9f81e2d17fd.1721063765.git.zhengjunjie@iscas.ac.cn>
> References: <0ad24103d82147eece6bd546fc31a9f81e2d17fd.1721063765.git.zhengjunjie@iscas.ac.cn>
> From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
> Date: Tue, 16 Jul 2024 00:06:39 +0800
> Subject: [PATCH 2/2] gnu: python-requests-next: Fix build.
>
> * gnu/packages/python-web.scm (python-requests-next): Fix build.
> [native-inputs]: Add nss-certs-for-test.

I have applied them.  Thank you!

-- 
Ricardo

