From patchwork Thu Apr 4 05:56:46 2024
X-Patchwork-Submitter: Efraim Flashner
X-Patchwork-Id: 62693
Subject: [bug#70179] [PATCH v2 3/3] gnu: python: Use system SSL certificates.
To: 70179@debbugs.gnu.org
From: Efraim Flashner
Date: Thu, 4 Apr 2024 08:56:46 +0300
X-Mailer: git-send-email 2.41.0

* gnu/packages/python.scm (python)[replacement]: New field. (python/fixed): Provide a python with a patched python-certifi which only offers to use the system's SSL certificates.

Change-Id: Ic5bcfb6b32282a7e0628232b1dc4cd60f3f2da52
---
gnu/packages/python.scm | 67 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 12a5148cb1..3ad4c5d5e7 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -96,6 +96,7 @@ (define-module (gnu packages python) #:use-module (guix gexp) #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix search-paths) #:use-module (guix utils) #:use-module (guix build-system gnu) #:use-module (guix build-system trivial) @@ -424,6 +425,7 @@ (define-public python-3.10 (inherit python-2) (name "python") (version "3.10.7") + (replacement python-3.10/fixed) (source (origin (method url-fetch) (uri (string-append "https://www.python.org/ftp/python/" @@ -590,6 +592,7 @@ (define-public python-3.10 inputs))) (native-search-paths (list (guix-pythonpath-search-path version) + $SSL_CERT_FILE ;; Used to locate tzdata by the zoneinfo module introduced in ;; Python 3.9. (search-path-specification 
@@ -982,6 +985,70 @@ (define-public python-3.12 (properties '((cpe-name . "python"))) (license license:psfl))) +(define python-3.10/fixed + (package + (inherit python-3.10) + (arguments + (substitute-keyword-arguments (package-arguments python-3.10) + ((#:phases phases) + #~(modify-phases #$phases + ;; Also remove the bundled CA certificates. + ;; TODO: Rename this phase when merging back into python. + (replace 'remove-windows-binaries + (lambda _ + ;; Delete .exe from embedded .whl (zip) files + (for-each + (lambda (whl) + (let ((dir "whl-content") + (circa-1980 (* 10 366 24 60 60))) + (mkdir-p dir) + (with-directory-excursion dir + (let ((whl (string-append "../" whl))) + (invoke "unzip" whl) + (for-each delete-file + (find-files "." "\\.exe$")) + (delete-file whl) + + ;; Search for cacert.pem, delete it, and rewrite the + ;; file which directs python to look for it. + (let ((cacert (find-files "." "cacert\\.pem"))) + (unless (null? cacert) + (let ((certifi (dirname (car cacert)))) + (delete-file (string-append certifi "/cacert.pem")) + (delete-file (string-append certifi "/core.py")) + (with-output-to-file (string-append certifi "/core.py") + (lambda _ + (display "\"\"\" +certifi.py +~~~~~~~~~~ +This module returns the installation location of SSL_CERT_FILE or +/etc/ssl/certs/ca-certificates.crt, or its contents. +\"\"\" +import os + +_CA_CERTS = None + +try: + _CA_CERTS = os.environ [\"SSL_CERT_FILE\"] +except: + _CA_CERTS = os.path.join(\"/etc\", \"ssl\", \"certs\", \"ca-certificates.crt\") + +def where() -> str: + return _CA_CERTS + +def contents() -> str: + with open(where(), \"r\", encoding=\"ascii\") as data: + return data.read()")))))) + + ;; Reset timestamps to prevent them from ending + ;; up in the Zip archive. + (ftw "." (lambda (file stat flag) + (utime file circa-1980 circa-1980) + #t)) + (apply invoke "zip" "-X" whl + (find-files "." #:directories? 
#t)))) + (delete-file-recursively dir))) + (find-files "Lib/ensurepip" "\\.whl$")))))))))) ;; Next 3.x version. (define-public python-next python-3.12)