[bug#70179,0/3] Use system nss-certs in Python.

Message ID cover.1712210069.git.efraim@flashner.co.il

Message

Efraim Flashner April 4, 2024, 5:55 a.m. UTC
It turns out that the Python ecosystem bundles a version of nss-certs.
This patch series should change it so that it uses the system nss-certs
instead.

Efraim Flashner (3):
  gnu: python-certifi: Use system SSL certificates.
  gnu: python-pip: Use system SSL certificates.
  gnu: python: Use system SSL certificates.

 gnu/packages/python-build.scm  | 34 +++++++++++++++++
 gnu/packages/python-crypto.scm | 34 +++++++++++++++++
 gnu/packages/python.scm        | 67 ++++++++++++++++++++++++++++++++++
 3 files changed, 135 insertions(+)


base-commit: 188d18fc47f0d38edfe06e3e5834fa8587bd300b

Comments

Lars-Dominik Braun April 5, 2024, 1:27 a.m. UTC | #1
Hi Efraim,

> It turns out that the Python ecosystem bundles a version of nss-certs.
> This patch series should change it so that it uses the system nss-certs
> instead.

I would change the comment at the top of core.py so it mentions this is
a Guix-specific version of certifi.py, so it’s clear the package has
been altered. You probably don’t need `_CA_CERTS = None`, since the
try…except clause covers all cases.

Otherwise LGTM.

Lars

Efraim Flashner April 7, 2024, 12:06 p.m. UTC | #2
On Fri, Apr 05, 2024 at 10:27:46AM +0900, Lars-Dominik Braun wrote:
> Hi Efraim,
> 
> > It turns out that the Python ecosystem bundles a version of nss-certs.
> > This patch series should change it so that it uses the system nss-certs
> > instead.
> 
> I would change the comment at the top of core.py so it mentions this is
> a Guix-specific version of certifi.py, so it’s clear the package has
> been altered. You probably don’t need `_CA_CERTS = None`, since the
> try…except clause covers all cases.
> 
> Otherwise LGTM.

I left the initial `_CA_CERTS = None` as a sort of initial declaration
of the variable, since I don't really know python that well and I didn't
think it was correct to declare it inside the try…except.

I added the line at the top of core.py saying it was Guix specific and I
also adjusted the commit message for python mentioning the
$SSL_CERT_FILE in the native-search-paths.

Then I went to build my home-config and I realized what I'd done with
the native-search-paths in python-3.10 and I moved it to the replacement
python so it wouldn't cause a world rebuild.

Patches pushed!

Leo Famulari April 7, 2024, 8:41 p.m. UTC | #3
On Sun, Apr 07, 2024 at 03:06:29PM +0300, Efraim Flashner wrote:
> Patches pushed!

Thanks so much Efraim!