python3Packages.requests: rely on patched certifi

The where() function in certifi has been patched to allow more consumers
of the certifi package to use the system ca-bundle.
This commit is contained in:
Martin Weinelt 2022-12-08 12:42:27 +01:00
parent b40cf0d095
commit 8456141e25
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759
2 changed files with 0 additions and 65 deletions

View File

@ -1,60 +0,0 @@
From b36083efafec5a3c1c5864cd0b62367ddf3856ae Mon Sep 17 00:00:00 2001
From: Keshav Kini <keshav.kini@gmail.com>
Date: Sun, 16 May 2021 20:35:24 -0700
Subject: [PATCH] Prefer NixOS/Nix default CA bundles over certifi
Normally, requests gets its default CA bundle from the certifi
package. On NixOS and when using Nix on non-NixOS platforms, we would
rather default to using our own certificate bundles controlled by the
Nix/NixOS user.
This commit overrides requests.certs.where(), which previously was
just aliased to certifi.where(), so that now it does the following:
- When run by Nix on non-NixOS, the environment variable
$NIX_SSL_CERT_FILE will point to the CA bundle we're using, so we
use that.
- When running on NixOS, the CA bundle we're using has the static path
/etc/ssl/certs/ca-certificates.crt , so we use that.
- Otherwise, we fall back to the original behavior of using certifi's
CA bundle. Higher in the call stack, users of requests can also
explicitly specify a CA bundle to use, which overrides all this
logic.
---
requests/certs.py | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/requests/certs.py b/requests/certs.py
index d1a378d7..faf462b7 100644
--- a/requests/certs.py
+++ b/requests/certs.py
@@ -12,7 +12,23 @@ If you are packaging Requests, e.g., for a Linux distribution or a managed
environment, you can change the definition of where() to return a separately
packaged CA bundle.
"""
-from certifi import where
+
+import os
+
+import certifi
+
+
+def where():
+ nix_ssl_cert_file = os.getenv("NIX_SSL_CERT_FILE")
+ if nix_ssl_cert_file and os.path.exists(nix_ssl_cert_file):
+ return nix_ssl_cert_file
+
+ nixos_ca_bundle = "/etc/ssl/certs/ca-certificates.crt"
+ if os.path.exists(nixos_ca_bundle):
+ return nixos_ca_bundle
+
+ return certifi.where()
+
if __name__ == '__main__':
print(where())
--
2.31.1

View File

@ -27,11 +27,6 @@ buildPythonPackage rec {
hash = "sha256-fFWZsQL+3apmHIJsVqtP7ii/0X9avKHrvj5/GdfJeYM=";
};
patches = [
# Use the default NixOS CA bundle from the certifi package
./0001-Prefer-NixOS-Nix-default-CA-bundles-over-certifi.patch
];
propagatedBuildInputs = [
brotlicffi
certifi