python3Packages.requests: rely on patched certifi
The where() function in certifi has been patched to allow more consumers of the certifi package to use the system ca-bundle.
This commit is contained in:
parent
b40cf0d095
commit
8456141e25
@ -1,60 +0,0 @@
|
||||
From b36083efafec5a3c1c5864cd0b62367ddf3856ae Mon Sep 17 00:00:00 2001
|
||||
From: Keshav Kini <keshav.kini@gmail.com>
|
||||
Date: Sun, 16 May 2021 20:35:24 -0700
|
||||
Subject: [PATCH] Prefer NixOS/Nix default CA bundles over certifi
|
||||
|
||||
Normally, requests gets its default CA bundle from the certifi
|
||||
package. On NixOS and when using Nix on non-NixOS platforms, we would
|
||||
rather default to using our own certificate bundles controlled by the
|
||||
Nix/NixOS user.
|
||||
|
||||
This commit overrides requests.certs.where(), which previously was
|
||||
just aliased to certifi.where(), so that now it does the following:
|
||||
|
||||
- When run by Nix on non-NixOS, the environment variable
|
||||
$NIX_SSL_CERT_FILE will point to the CA bundle we're using, so we
|
||||
use that.
|
||||
|
||||
- When running on NixOS, the CA bundle we're using has the static path
|
||||
/etc/ssl/certs/ca-certificates.crt , so we use that.
|
||||
|
||||
- Otherwise, we fall back to the original behavior of using certifi's
|
||||
CA bundle. Higher in the call stack, users of requests can also
|
||||
explicitly specify a CA bundle to use, which overrides all this
|
||||
logic.
|
||||
---
|
||||
requests/certs.py | 18 +++++++++++++++++-
|
||||
1 file changed, 17 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/requests/certs.py b/requests/certs.py
|
||||
index d1a378d7..faf462b7 100644
|
||||
--- a/requests/certs.py
|
||||
+++ b/requests/certs.py
|
||||
@@ -12,7 +12,23 @@ If you are packaging Requests, e.g., for a Linux distribution or a managed
|
||||
environment, you can change the definition of where() to return a separately
|
||||
packaged CA bundle.
|
||||
"""
|
||||
-from certifi import where
|
||||
+
|
||||
+import os
|
||||
+
|
||||
+import certifi
|
||||
+
|
||||
+
|
||||
+def where():
|
||||
+ nix_ssl_cert_file = os.getenv("NIX_SSL_CERT_FILE")
|
||||
+ if nix_ssl_cert_file and os.path.exists(nix_ssl_cert_file):
|
||||
+ return nix_ssl_cert_file
|
||||
+
|
||||
+ nixos_ca_bundle = "/etc/ssl/certs/ca-certificates.crt"
|
||||
+ if os.path.exists(nixos_ca_bundle):
|
||||
+ return nixos_ca_bundle
|
||||
+
|
||||
+ return certifi.where()
|
||||
+
|
||||
|
||||
if __name__ == '__main__':
|
||||
print(where())
|
||||
--
|
||||
2.31.1
|
||||
|
@ -27,11 +27,6 @@ buildPythonPackage rec {
|
||||
hash = "sha256-fFWZsQL+3apmHIJsVqtP7ii/0X9avKHrvj5/GdfJeYM=";
|
||||
};
|
||||
|
||||
patches = [
|
||||
# Use the default NixOS CA bundle from the certifi package
|
||||
./0001-Prefer-NixOS-Nix-default-CA-bundles-over-certifi.patch
|
||||
];
|
||||
|
||||
propagatedBuildInputs = [
|
||||
brotlicffi
|
||||
certifi
|
||||
|
Loading…
Reference in New Issue
Block a user