From: Efraim Flashner <efraim@flashner.co.il>
To: 70179@debbugs.gnu.org
Cc: Efraim Flashner <efraim@flashner.co.il>
Subject: [bug#70179] [PATCH v2 3/3] gnu: python: Use system SSL certificates.
Date: Thu, 4 Apr 2024 08:56:46 +0300
Message-ID: <aac22d9606efdec3fa7e61d1d766dd74bfb6b8d3.1712210069.git.efraim@flashner.co.il>
In-Reply-To: <cover.1712210069.git.efraim@flashner.co.il>
* gnu/packages/python.scm (python)[replacement]: New field.
(python/fixed): Provide a python with a patched python-certifi which
only offers to use the system's SSL certificates.
Change-Id: Ic5bcfb6b32282a7e0628232b1dc4cd60f3f2da52
---
gnu/packages/python.scm | 67 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 12a5148cb1..3ad4c5d5e7 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -96,6 +96,7 @@ (define-module (gnu packages python)
#:use-module (guix gexp)
#:use-module (guix packages)
#:use-module (guix download)
+ #:use-module (guix search-paths)
#:use-module (guix utils)
#:use-module (guix build-system gnu)
#:use-module (guix build-system trivial)
@@ -424,6 +425,7 @@ (define-public python-3.10
(inherit python-2)
(name "python")
(version "3.10.7")
+ (replacement python-3.10/fixed)
(source (origin
(method url-fetch)
(uri (string-append "https://www.python.org/ftp/python/"
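Review bot: the commit log does not match the field added here. It records `(python)[replacement]` and `(python/fixed)`, while this line adds the field to `python-3.10` and points it at `python-3.10/fixed`. Suggest changing the log entries to `(python-3.10)[replacement]` and `(python-3.10/fixed)` so the changelog can be matched against the variables.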
@@ -590,6 +592,7 @@ (define-public python-3.10
inputs)))
(native-search-paths
(list (guix-pythonpath-search-path version)
+ $SSL_CERT_FILE
;; Used to locate tzdata by the zoneinfo module introduced in
;; Python 3.9.
(search-path-specification
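Review bot: `$SSL_CERT_FILE` is added to the `native-search-paths` of `python-3.10` itself rather than only to `python-3.10/fixed`, so the base package changes along with the replacement. Please confirm this does not alter the derivations of packages built with python, which would undercut shipping the certificate change as a replacement; if it does, override `native-search-paths` in `python-3.10/fixed` alone. A one-line comment like the tzdata one below it, saying the variable is what the rewritten certifi `core.py` reads, would also help.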
@@ -982,6 +985,70 @@ (define-public python-3.12
(properties '((cpe-name . "python")))
(license license:psfl)))
+(define python-3.10/fixed
+ (package
+ (inherit python-3.10)
+ (arguments
+ (substitute-keyword-arguments (package-arguments python-3.10)
+ ((#:phases phases)
+ #~(modify-phases #$phases
+ ;; Also remove the bundled CA certificates.
+ ;; TODO: Rename this phase when merging back into python.
+ (replace 'remove-windows-binaries
+ (lambda _
+ ;; Delete .exe from embedded .whl (zip) files
+ (for-each
+ (lambda (whl)
+ (let ((dir "whl-content")
+ (circa-1980 (* 10 366 24 60 60)))
+ (mkdir-p dir)
+ (with-directory-excursion dir
+ (let ((whl (string-append "../" whl)))
+ (invoke "unzip" whl)
+ (for-each delete-file
+ (find-files "." "\\.exe$"))
+ (delete-file whl)
+
+ ;; Search for cacert.pem, delete it, and rewrite the
+ ;; file which directs python to look for it.
+ (let ((cacert (find-files "." "cacert\\.pem")))
+ (unless (null? cacert)
+ (let ((certifi (dirname (car cacert))))
+ (delete-file (string-append certifi "/cacert.pem"))
+ (delete-file (string-append certifi "/core.py"))
+ (with-output-to-file (string-append certifi "/core.py")
+ (lambda _
+ (display "\"\"\"
+certifi.py
+~~~~~~~~~~
+This module returns the installation location of SSL_CERT_FILE or
+/etc/ssl/certs/ca-certificates.crt, or its contents.
+\"\"\"
+import os
+
+_CA_CERTS = None
+
+try:
+ _CA_CERTS = os.environ [\"SSL_CERT_FILE\"]
+except:
+ _CA_CERTS = os.path.join(\"/etc\", \"ssl\", \"certs\", \"ca-certificates.crt\")
+
+def where() -> str:
+ return _CA_CERTS
+
+def contents() -> str:
+ with open(where(), \"r\", encoding=\"ascii\") as data:
+ return data.read()"))))))
+
+ ;; Reset timestamps to prevent them from ending
+ ;; up in the Zip archive.
+ (ftw "." (lambda (file stat flag)
+ (utime file circa-1980 circa-1980)
+ #t))
+ (apply invoke "zip" "-X" whl
+ (find-files "." #:directories? #t))))
+ (delete-file-recursively dir)))
+ (find-files "Lib/ensurepip" "\\.whl$"))))))))))
;; Next 3.x version.
(define-public python-next python-3.12)
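Review bot: in the generated `core.py`, the bare `except:` around the `os.environ` lookup catches every exception, not just a missing variable. `except KeyError:` or `os.environ.get("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt")` states the intent. Related points in the same hunk: the path is resolved once at import, so `where()` ignores later changes to the environment, and `contents()` raises if neither `SSL_CERT_FILE` nor the `/etc/ssl/certs` fallback exists, which is worth a note in the docstring. The docstring title reads `certifi.py` although the file written is `core.py`. The `(delete-file (string-append certifi "/core.py"))` before `with-output-to-file` looks redundant. The `"cacert\\.pem"` pattern is unanchored, unlike `"\\.exe$"`. Since the phase now also removes the CA bundle, the TODO about renaming `remove-windows-binaries` should be resolved, or the phase split, before this merges back into python.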
--
Efraim Flashner <efraim@flashner.co.il> רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted