[bug#70179,0/3] Use system nss-certs in Python.

Message ID	cover.1712210069.git.efraim@flashner.co.il
Headers	show Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> Subject: [bug#70179] [PATCH 0/3] Use system nss-certs in Python. Resent-From: Efraim Flashner <efraim@flashner.co.il> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: lars@6xq.net, marius@gnu.org, me@bonfacemunyoki.com, sharlatanus@gmail.com, tanguy@bioneland.org, jgart@dismail.de, guix-patches@gnu.org Resent-Date: Thu, 04 Apr 2024 05:56:03 +0000 Resent-Message-ID: <handler.70179.B.171221014031386@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org To: 70179@debbugs.gnu.org Cc: Efraim Flashner <efraim@flashner.co.il>, Lars-Dominik Braun <lars@6xq.net>, Marius Bakke <marius@gnu.org>, Munyoki Kilyungi <me@bonfacemunyoki.com>, Sharlatan Hellseher <sharlatanus@gmail.com>, Tanguy Le Carrour <tanguy@bioneland.org>, jgart <jgart@dismail.de> From: Efraim Flashner <efraim@flashner.co.il> Date: Thu, 4 Apr 2024 08:55:05 +0300 Message-ID: <cover.1712210069.git.efraim@flashner.co.il> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a00:1450:4864:20::233; envelope-from=efraim.flashner@gmail.com; helo=mail-lj1-x233.google.com X-Spam_score_int: -16 X-Spam_score: -1.7 X-Spam_bar: - X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches
Series	Use system nss-certs in Python. \| expand [bug#70179,0/3] Use system nss-certs in Python. [bug#70179,v2,1/3] gnu: python-certifi: Use system SSL certificates. [bug#70179,v2,2/3] gnu: python-pip: Use system SSL certificates. [bug#70179,v2,3/3] gnu: python: Use system SSL certificates.

Message ID

cover.1712210069.git.efraim@flashner.co.il

Headers

Subject: [bug#70179] [PATCH 0/3] Use system nss-certs in Python.
Resent-From: Efraim Flashner <efraim@flashner.co.il>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: lars@6xq.net, marius@gnu.org, me@bonfacemunyoki.com,
 sharlatanus@gmail.com, tanguy@bioneland.org, jgart@dismail.de,
 guix-patches@gnu.org
Resent-Date: Thu, 04 Apr 2024 05:56:03 +0000
Resent-Message-ID: <handler.70179.B.171221014031386@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
To: 70179@debbugs.gnu.org
Cc: Efraim Flashner <efraim@flashner.co.il>,
 Lars-Dominik Braun <lars@6xq.net>,
 Marius Bakke <marius@gnu.org>, Munyoki Kilyungi <me@bonfacemunyoki.com>,
 Sharlatan Hellseher <sharlatanus@gmail.com>,
 Tanguy Le Carrour <tanguy@bioneland.org>, jgart <jgart@dismail.de>
From: Efraim Flashner <efraim@flashner.co.il>
Date: Thu,  4 Apr 2024 08:55:05 +0300
Message-ID: <cover.1712210069.git.efraim@flashner.co.il>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a00:1450:4864:20::233;
 envelope-from=efraim.flashner@gmail.com; helo=mail-lj1-x233.google.com
X-Spam_score_int: -16
X-Spam_score: -1.7
X-Spam_bar: -
X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001,
 FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
X-getmail-retrieved-from-mailbox: Patches

Series

Use system nss-certs in Python. | expand

Message

Efraim Flashner April 4, 2024, 5:55 a.m. UTC

It turns out that the Python ecosystem bundles a version of nss-certs.
This patch series should change it so that it uses the system nss-certs
instead.

Efraim Flashner (3):
  gnu: python-certifi: Use system SSL certificates.
  gnu: python-pip: Use system SSL certificates.
  gnu: python: Use system SSL certificates.

 gnu/packages/python-build.scm  | 34 +++++++++++++++++
 gnu/packages/python-crypto.scm | 34 +++++++++++++++++
 gnu/packages/python.scm        | 67 ++++++++++++++++++++++++++++++++++
 3 files changed, 135 insertions(+)


base-commit: 188d18fc47f0d38edfe06e3e5834fa8587bd300b

Comments

Lars-Dominik Braun April 5, 2024, 1:27 a.m. UTC | #1

Hi Efraim,

> It turns out that the Python ecosystem bundles a version of nss-certs.
> This patch series should change it so that it uses the system nss-certs
> instead.

I would change the comment at the top of core.py so it mentions this is
a Guix-specific version of certifi.py, so it’s clear the package has
been altered. You probably don’t need `_CA_CERTS = None`, since the
try…except clause covers all cases.

Otherwise LGTM.

Lars

Efraim Flashner April 7, 2024, 12:06 p.m. UTC | #2

On Fri, Apr 05, 2024 at 10:27:46AM +0900, Lars-Dominik Braun wrote:
> Hi Efraim,
> 
> > It turns out that the Python ecosystem bundles a version of nss-certs.
> > This patch series should change it so that it uses the system nss-certs
> > instead.
> 
> I would change the comment at the top of core.py so it mentions this is
> a Guix-specific version of certifi.py, so it’s clear the package has
> been altered. You probably don’t need `_CA_CERTS = None`, since the
> try…except clause covers all cases.
> 
> Otherwise LGTM.

I left the initial `_CA_CERTS = None` as a sort of initial declaration
of the variable, since I don't really know python that well and I didn't
think it was correct to declare it inside the try…except.

I added the line at the top of core.py saying it was Guix specific and I
also adjusted the commit message for python mentioning the
$SSL_CERT_FILE in the natives-search-paths.

Then I went to build my home-config and I realized what I'd done with
the native-search-paths in python-3.10 and I moved it to the replacement
python so it wouldn't cause a world rebuild.

Patches pushed!

Leo Famulari April 7, 2024, 8:41 p.m. UTC | #3

On Sun, Apr 07, 2024 at 03:06:29PM +0300, Efraim Flashner wrote:
> Patches pushed!

Thanks so much Efraim!