Received: (at 70179-done) by debbugs.gnu.org; 7 Apr 2024 20:41:27 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sun Apr 07 16:41:27 2024 Received: from localhost ([127.0.0.1]:44850 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1rtZKR-0001BL-7q for submit <at> debbugs.gnu.org; Sun, 07 Apr 2024 16:41:27 -0400 Received: from wfout1-smtp.messagingengine.com ([64.147.123.144]:34903) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <leo@HIDDEN>) id 1rtZKO-0001Ao-J6 for 70179-done <at> debbugs.gnu.org; Sun, 07 Apr 2024 16:41:26 -0400 Received: from compute7.internal (compute7.nyi.internal [10.202.2.48]) by mailfout.west.internal (Postfix) with ESMTP id 147EA1C000B9; Sun, 7 Apr 2024 16:41:10 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute7.internal (MEProxy); Sun, 07 Apr 2024 16:41:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=mesmtp; t=1712522470; x=1712608870; bh=Ewr/IWY OwuBS/rx65Jt1K76vaWcv/0+TSCmrP0S66bI=; b=Y5J5YsNgkFliHsQXHN3hkLl E3tN9s9qUsPaZvNVyWOrje5YPJUc0BHPI3RKfm7a2gaEv06sOrnFX6RpofoqBNd1 Pz5mYd5LOOgv5zk5JMwQPSuhKqwCKX+VqCDOPx3eH8JM9L9Fs5sbpQNZrfBWqPjf AKzEFs4yraiZwDxXQwwU= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1712522470; x=1712608870; bh=Ewr/IWYOwuBS/rx65Jt1K76vaWcv /0+TSCmrP0S66bI=; b=x32LFzKKUmEjZNfRhhTM52p2hdd9vHfdUdR/gu9TLtqn Pn75qYWAl5Pejp+nPZPDWK2HsqA6n1cpmH4OrwU1LVVuoQWHEnzstpAl5S4GwX1M sA8gYVR0xkhxhG/P1Iy8jrOL+jbHapQ5o9Mf96LXfhbU/ZKY10BDKLMdu68Iqlvm GbGBjQB+tCFV2j/Mt2fFkMA2//sNKa6MJwE44nOIE3XtZ+1nZLBPsw5fZ+WTuog9 PJsy/Yb8EvU67++MGhcsjtKUGRbWuKWx+zzdeitzfzTdFcEAxohMPmFJJnaG/+IY XDPg2EVkX74gYpiO4XzkC5yjoedkbCO4R1VSRAIC+w== X-ME-Sender: <xms:5QQTZqe6xQ2IL6uf0GdPUahzpydpZY-dRtTdyYALFRxEAuq2eLz7nA> <xme:5QQTZkOfzK6aO5Dku5a7m2Ftx71r2rqNG4CTvwVpUv4X3VFJGnpITqPVZNCLIxExy y9rvbF9R7jT5mo3uw> X-ME-Received: <xmr:5QQTZrhZWic82yqhi9_inT7UPA5EJi6rcPiosI5GRcmMkJz03O_tsjmLnQ> X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrudeggedgudehudcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpeffhffvuffkfhggtggujgesghdtreertddtvdenucfhrhhomhepnfgvohcu hfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgrrhhirdhnrghmvgeqnecuggftrfgrth htvghrnhepudekveegteekleetgfeitdejgfejkeffudethedvhfeukeduleeikeejfeeh ffetnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheplh gvohesfhgrmhhulhgrrhhirdhnrghmvg X-ME-Proxy: <xmx:5QQTZn_vlnjUSZN4trPBeVLq47W1jjyTE-PaHsX60_OEmYAaGSYicQ> <xmx:5QQTZmvXxxqGe-bJn8Py-zXWcrAmKUQoQpGWYiBhh1-MH0UgPWhwCg> <xmx:5QQTZuF2K9S_b82SNfj7VCeHfm4h8l8tuzAMVtBXKnkfWn19LFXSZA> <xmx:5QQTZlNVWYt-lDh7y6U2UnZkTf3lTtwdmNyCJNSwtJhhW4caOy-B_A> <xmx:5gQTZgLu0g6jzMKo9UarttpU1NukoZk-wBwQik5lUdgz3NRMrUSFv4kS> Feedback-ID: i819c4023:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sun, 7 Apr 2024 16:41:09 -0400 (EDT) Date: Sun, 7 Apr 2024 16:41:01 -0400 From: Leo Famulari <leo@HIDDEN> To: Efraim Flashner <efraim@HIDDEN>, Lars-Dominik Braun <lars@HIDDEN>, 70179-done <at> debbugs.gnu.org, Marius Bakke <marius@HIDDEN>, Munyoki Kilyungi <me@HIDDEN>, Sharlatan Hellseher <sharlatanus@HIDDEN>, Tanguy Le Carrour <tanguy@HIDDEN>, jgart <jgart@HIDDEN> Subject: Re: bug#70179: [PATCH 0/3] Use system nss-certs in Python. Message-ID: <ZhME3QWVLAIoiI4I@HIDDEN> References: <cover.1712210069.git.efraim@HIDDEN> <Zg9TkkZ6VTNldhTZ@philomena> <ZhKMRYXxEarT-9q5@3900XT> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="ytcpiuX5mqF1HVSU" Content-Disposition: inline In-Reply-To: <ZhKMRYXxEarT-9q5@3900XT> X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 70179-done X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.7 (-) --ytcpiuX5mqF1HVSU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Sun, Apr 07, 2024 at 03:06:29PM +0300, Efraim Flashner wrote: > Patches pushed! Thanks so much Efraim! --ytcpiuX5mqF1HVSU Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEaEByLu7k06ZO5T6saqwZY3V/R/8FAmYTBNkACgkQaqwZY3V/ R/8W9BAAsoeZWOcn0oikhI3VCdHEFg9PV7Vjn4joGB9widCoArJ2f27lbTjmJ2/6 8NvDqerPVoF3xnxD6umbKcG5uqCIQoPVhtXaxrs/DENQ47MDus9yuX1dccmQQ7oI QpPIwff37gSG5px0HPXYD/GkEbOmJMaduVhbxzILeSeb5XFNqrnGYvqCEtqGhYRX dvksQGVhVVWxAFJbcuOKhu1MxS0FxGlItouJ1+UzuYPOzv7A/wkpTj9q16aSF1BB VYyCd2PFFfPVtO8wFTJLXgXEAsRqclUKcVp1vbeJQHO+4ndOtkS9aB9riCUkwHir fKqjrAzBFqqkKeaPcZj4nez9SZtdVh+bxvSWAtiatcgTg+HyKg3fyE/BBaTVwHRe /KOFFSPcbc+1jQGedh2oM5T6f8O7UBNGeJTVSSEIlOHpX4hxWBi+qJZ9DCBE90e7 uTazw1W4c2eNcLdoyQ6ip4kLNEFyJDZdGs24S66XJOTYSz8BLFbSVddX8Wu8VpNK gHNK6QisJVfhXenheWpAJrfNY9h8LeC4ty3LUftBVEeanXeo5Lk0+aa7nZKfExOw 5cgH20/8TeAIJSHdyUgXO8fJADxIyKfHFdhsTuzMRLVRtNqUzVaewq74zkSdQmBH G8EIB8RHFHb1QGlDsCxY4IijgVm0nZo584kZgMSjS3RJJ31bPlM= =UUx0 -----END PGP SIGNATURE----- --ytcpiuX5mqF1HVSU--
guix-patches@HIDDEN
:bug#70179
; Package guix-patches
.
Full text available.Received: (at 70179-done) by debbugs.gnu.org; 7 Apr 2024 12:06:54 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sun Apr 07 08:06:53 2024 Received: from localhost ([127.0.0.1]:41764 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1rtRIR-00031W-UV for submit <at> debbugs.gnu.org; Sun, 07 Apr 2024 08:06:53 -0400 Received: from mail-wr1-x433.google.com ([2a00:1450:4864:20::433]:44431) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <efraim.flashner@HIDDEN>) id 1rtRIN-00030S-Hb for 70179-done <at> debbugs.gnu.org; Sun, 07 Apr 2024 08:06:49 -0400 Received: by mail-wr1-x433.google.com with SMTP id ffacd0b85a97d-343e7c20686so1629447f8f.1 for <70179-done <at> debbugs.gnu.org>; Sun, 07 Apr 2024 05:06:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712491595; x=1713096395; darn=debbugs.gnu.org; h=in-reply-to:content-disposition:mime-version:references :mail-followup-to:message-id:subject:cc:to:from:date:sender:from:to :cc:subject:date:message-id:reply-to; bh=0icTTi9RPx/z+xgBTHpjUgrJ+R/d4WEIax4sdXQtk5Y=; b=Etnv4bd35XjBuFgpGhUDU78k/xKl1t7Opj7/YQKi5DyFOL+VKr34CJkT3YARsDGOon ZuHklcNEyXgF0tk8Mble9UXJv5ZJ1ioBFVkrUMin5FtUoqAlLBJWMKiw5BWdgcy2Mem9 3BEVT2pscrjGv48f/0qOyzMkCHVzlm3X2bPL1PCNekdoxnC2OEcNACwO9WfkCEyMqqkP CpFsAEgCsX+5R2z3S/fXylkmIOcJRZLhVY+89DNy4OCMTfHCBOEbw6GyAhhgKTgEVztp yghY88/Wu7Q22dFe99U58sc0ahqTApq/ufUwKq/oh+W1LME4YeAeuozQLWPgZDWw2qEy Sofg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712491595; x=1713096395; h=in-reply-to:content-disposition:mime-version:references :mail-followup-to:message-id:subject:cc:to:from:date:sender :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=0icTTi9RPx/z+xgBTHpjUgrJ+R/d4WEIax4sdXQtk5Y=; b=bobUkjIZr3JoKnEF/WRA44x/r/0lkTeCZiPyNy8rnezZzf9h+D15D9KTbiqCCIMhz8 KKM4c9lkghS+h80vZ0bp7Ys1zyd/Ef2mG9/MSm/rLA1mOK055Dry39jxwPpSSfmqhSZF ceFxhXlNh6viWgmMK3TLGZ5tewc5OfC9PywbDOb933gDDStS/aTmI51tpc0wh9e3EATD xhU7J2oMo+rWhU9obQpEffeYAZtE0zEVlFn8pMkEZv9Ew7xVKZGD0bszZBjAK375SFDK txCSLgtpNoZEwuWeTxs0Ybina1E0ft7h4W4coEEWUMn2ixHE+VyRsHwUsVzqaHDUjj29 rf5Q== X-Gm-Message-State: AOJu0YweHUqFH37Zkq+U10HurBcwrO/q0CxJ08pHHjUrtGfWGMWq25sn Jx79XI1KKc3fu4dkDQnERF6MdITT0CQ0V2IuUC+jrY/GPyQYa/g/ X-Google-Smtp-Source: AGHT+IE9wjvpSRjWehpSbQxvqA4MQqeKCuMSDYy7FJ4znMpWjxusgL4K4DLSCs41ldp2vKb4gcvdbA== X-Received: by 2002:a05:600c:3b1d:b0:414:6909:f65f with SMTP id m29-20020a05600c3b1d00b004146909f65fmr5329977wms.6.1712491594355; Sun, 07 Apr 2024 05:06:34 -0700 (PDT) Received: from localhost ([141.226.11.200]) by smtp.gmail.com with ESMTPSA id u10-20020a05600c19ca00b0041632fcf272sm7198937wmq.22.2024.04.07.05.06.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 07 Apr 2024 05:06:31 -0700 (PDT) Date: Sun, 7 Apr 2024 15:06:29 +0300 From: Efraim Flashner <efraim@HIDDEN> To: Lars-Dominik Braun <lars@HIDDEN> Subject: Re: [bug#70179] [PATCH 0/3] Use system nss-certs in Python. Message-ID: <ZhKMRYXxEarT-9q5@3900XT> Mail-Followup-To: Efraim Flashner <efraim@HIDDEN>, Lars-Dominik Braun <lars@HIDDEN>, 70179-done <at> debbugs.gnu.org, Marius Bakke <marius@HIDDEN>, Munyoki Kilyungi <me@HIDDEN>, Sharlatan Hellseher <sharlatanus@HIDDEN>, Tanguy Le Carrour <tanguy@HIDDEN>, jgart <jgart@HIDDEN> References: <cover.1712210069.git.efraim@HIDDEN> <Zg9TkkZ6VTNldhTZ@philomena> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="6Dgyd3vtWhW/8463" Content-Disposition: inline In-Reply-To: <Zg9TkkZ6VTNldhTZ@philomena> X-PGP-Key-ID: 0x41AAE7DCCA3D8351 X-PGP-Key: https://flashner.co.il/~efraim/efraim_flashner.asc X-PGP-Fingerprint: A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 X-Spam-Score: 0.3 (/) X-Debbugs-Envelope-To: 70179-done Cc: Tanguy Le Carrour <tanguy@HIDDEN>, Munyoki Kilyungi <me@HIDDEN>, 70179-done <at> debbugs.gnu.org, jgart <jgart@HIDDEN>, Marius Bakke <marius@HIDDEN>, Sharlatan Hellseher <sharlatanus@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -0.7 (/) --6Dgyd3vtWhW/8463 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 05, 2024 at 10:27:46AM +0900, Lars-Dominik Braun wrote: > Hi Efraim, >=20 > > It turns out that the Python ecosystem bundles a version of nss-certs. > > This patch series should change it so that it uses the system nss-certs > > instead. >=20 > I would change the comment at the top of core.py so it mentions this is > a Guix-specific version of certifi.py, so it=E2=80=99s clear the package = has > been altered. You probably don=E2=80=99t need `_CA_CERTS =3D None`, since= the > try=E2=80=A6except clause covers all cases. >=20 > Otherwise LGTM. I left the initial `_CA_CERTS =3D None` as a sort of initial declaration of the variable, since I don't really know python that well and I didn't think it was correct to declare it inside the try=E2=80=A6except. I added the line at the top of core.py saying it was Guix specific and I also adjusted the commit message for python mentioning the $SSL_CERT_FILE in the natives-search-paths. Then I went to build my home-config and I realized what I'd done with the native-search-paths in python-3.10 and I moved it to the replacement python so it wouldn't cause a world rebuild. Patches pushed! --=20 Efraim Flashner <efraim@HIDDEN> =D7=A8=D7=A0=D7=A9=D7=9C=D7=A4 = =D7=9D=D7=99=D7=A8=D7=A4=D7=90 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --6Dgyd3vtWhW/8463 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAmYSjEIACgkQQarn3Mo9 g1H7rQ/9G4GYNDI1gXbG9D3f2cbJd+6PSm/ffAV8YyRXWCxASutvuDQ8/cPuNvzt YTyrXkA8FZb6GOF7etLsBhy9BrtzO8Z9KSEhH6AybME167GZ4FVzq5qaVz79ZjKq 4mgBLRCFRXdFKpCIyzhS+a/KLZftzbOjMUFGZoiJ+4HpdZHkuEJRF8zjuqqAU6J9 vdAqmkrQdRWelBKE5B2HOQpAoGdOMos53bRmJNwOskvTQcph5LloWV+SquX99UFM 3TsgN1AOilhTtFi03AsluFigXKCKoaAZTcbqq58JgOrtW5czL+oeX9f8wvb63fgY 9ehlc3yuywMqzZ+l2je81bAZxQ9urHszfFcaShny65C3imOfbRdNFJFVYGMDq1xE wC+Jey7W1JWRUE1UnlbufskeBi6plKyZPObYEHm7OHZC7JpRgYdr/mmkibmY8nCI InTLn7N4OsGFRyYIs8TRe+/H3QFRm2dnSrTfpqNOBRWDVKUEWL4xFAxncjFLI7pE SzhSEztM5idaIWdatA1RwB3vPKbgKw6uSctXCwC5N9RrtDks6lAsbX4m5m+qapYd lW/iwAzGe+QsGtPRQKgGFcICSSnpptIP7bubOcRohsAmraail1zv8lS60W3P7nlt HTa7j4aK6JbSVNzqw1jhB2J1rZUsYi8w60RKWtxuxOU30vunnVo= =Rhg+ -----END PGP SIGNATURE----- --6Dgyd3vtWhW/8463--
Efraim Flashner <efraim@HIDDEN>
:Efraim Flashner <efraim@HIDDEN>
:Received: (at 70179) by debbugs.gnu.org; 5 Apr 2024 01:28:14 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 04 21:28:13 2024 Received: from localhost ([127.0.0.1]:35008 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1rsYNI-0007Mi-Ij for submit <at> debbugs.gnu.org; Thu, 04 Apr 2024 21:28:13 -0400 Received: from mout-p-103.mailbox.org ([80.241.56.161]:40044) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <lars@HIDDEN>) id 1rsYNG-0007LW-1B for 70179 <at> debbugs.gnu.org; Thu, 04 Apr 2024 21:28:11 -0400 Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:b231:465::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-103.mailbox.org (Postfix) with ESMTPS id 4V9gpj2v2gz9skc; Fri, 5 Apr 2024 03:27:57 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=6xq.net; s=MBO0001; t=1712280477; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=E7+u1jWm55TpkoPjWEzO5vs84FBQgC7ui2zTZu9ipsI=; b=iL37V9Zeqn2NxxmH4JqCiSo8mXSEGxjmFbm1/MhVQZsTxyPkbRy6CZDvo/6QMWHCDB4edk NEFZg8djiw49YjxWEqZGiXOVs34p1iXa531CwGydmfsEeyTV1iJsY0DyDigmxJmbUWtgbw a18OogscCvGRYz053Avnyi3eEoTwIYlWROPWDI4F+bHGDuFS0ryzIEZXxfBRsnXiHatz8S Lf3Dt7nHNqnRQIhaMuxGwZE/PNSsbzUb2m4njYCg1U9ax7tmL0V1gbBEIN+hDoowU6u8mk BkvMFHkDE2Jp6n9WP2R9I3JNUdlFeyCeev70ycAB96kWKlBqpoctGG7301jhOg== Date: Fri, 5 Apr 2024 10:27:46 +0900 From: Lars-Dominik Braun <lars@HIDDEN> To: Efraim Flashner <efraim@HIDDEN> Subject: Re: [bug#70179] [PATCH 0/3] Use system nss-certs in Python. Message-ID: <Zg9TkkZ6VTNldhTZ@philomena> References: <cover.1712210069.git.efraim@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <cover.1712210069.git.efraim@HIDDEN> X-Rspamd-Queue-Id: 4V9gpj2v2gz9skc X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 70179 Cc: Tanguy Le Carrour <tanguy@HIDDEN>, Munyoki Kilyungi <me@HIDDEN>, 70179 <at> debbugs.gnu.org, jgart <jgart@HIDDEN>, Marius Bakke <marius@HIDDEN>, Sharlatan Hellseher <sharlatanus@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.7 (-) Hi Efraim, > It turns out that the Python ecosystem bundles a version of nss-certs. > This patch series should change it so that it uses the system nss-certs > instead. I would change the comment at the top of core.py so it mentions this is a Guix-specific version of certifi.py, so it’s clear the package has been altered. You probably don’t need `_CA_CERTS = None`, since the try…except clause covers all cases. Otherwise LGTM. Lars
guix-patches@HIDDEN
:bug#70179
; Package guix-patches
.
Full text available.Received: (at 70179) by debbugs.gnu.org; 4 Apr 2024 05:57:17 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 04 01:57:17 2024 Received: from localhost ([127.0.0.1]:60231 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1rsG68-0008L5-Iq for submit <at> debbugs.gnu.org; Thu, 04 Apr 2024 01:57:17 -0400 Received: from mail-wm1-x334.google.com ([2a00:1450:4864:20::334]:53519) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <efraim.flashner@HIDDEN>) id 1rsG63-0008Js-Ub for 70179 <at> debbugs.gnu.org; Thu, 04 Apr 2024 01:57:14 -0400 Received: by mail-wm1-x334.google.com with SMTP id 5b1f17b1804b1-415523d9824so5512385e9.3 for <70179 <at> debbugs.gnu.org>; Wed, 03 Apr 2024 22:57:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712210221; x=1712815021; darn=debbugs.gnu.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:from:to:cc:subject:date :message-id:reply-to; bh=sk+eV9aSlXtCBeerCb+NtAcafzPRNpDMrvVbBOu5+ZI=; b=CuV79kJUzECe3KxUyY6awKoUyToNiKa9K07WjFPye/gAxIeX6I/UzLUhfbl1xb7++q 4TP0agWfQXCXKaAlC/7xg1/JT5tpTdtn3DhbPBiOrcJ9goXScHpkSmmTYb5hAJ+ZBPOZ Pnau5Bk+Au71Ft1W0O5H1y/PK8Kl88GWh/wVAK0oz4S5TEv0pIl/4/fpF+lxglA1d0q5 uso3N08epg74YZe4gUcDJnoSbRTC6Tz+8t/yqMiwC9obDVyqLsEFR+FcBjGe0DVGg++P gc4TH90x5tcGWV/JFfZA/DW3kPiFJl2U2+BfBOkmxVEg/ZBuzhWJ0fKMIhrUIYR+LKso b5vA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712210221; x=1712815021; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=sk+eV9aSlXtCBeerCb+NtAcafzPRNpDMrvVbBOu5+ZI=; b=W+NXK8gJ1yKb1JhHrANwnFrXwg0cfZ3FxqtYUsAWrHDhuZ8MLqE5j3JTKl6kD2PkY8 hX4XZzOWq4SZBEItXajGXlhcb4LSQnwHr/G2UlcjpsbdRVOaFKa8MHoHAvH660gqwTKA fzjKJT7WYIA6M7x0r/66rBDWKLgEnkU1BhvdFUHmnVLnM2w72pVWbLGQfiF7ZIapLhSf P1h0m3bmMy/EtREG3tlL9HuVHoShdjE6EYTsvAOjPrPSc6xQRuH6bGPmH+/OJyApOGzy B6cLpKqeTxZNnyUIdtL+pcu5yz7aPuLcKTF0DfTu5FXVEUno2vxwofclpS2JQgLQnRNU fU6A== X-Gm-Message-State: AOJu0YxkAngbjZ3D5BD88yjU1RyKJvfUibfJ6OPnO4AgVb+yGo5yMaMw rd/TXcLmMMnspgDs2OBbNqoRodODC0ugQ/lShrN7UeFN0AvurWoyJBc++LtATRk= X-Google-Smtp-Source: AGHT+IFJ4fGhDeOkdLh73Uqe6FRP2b103t0HEAxTwS0PR/3E1HKBwca4LGYFgM/2GDvI1OmZU+2mEA== X-Received: by 2002:a05:600c:6a92:b0:413:feed:b309 with SMTP id jl18-20020a05600c6a9200b00413feedb309mr1150469wmb.6.1712210221076; Wed, 03 Apr 2024 22:57:01 -0700 (PDT) Received: from localhost ([141.226.11.200]) by smtp.gmail.com with ESMTPSA id t10-20020a05600c198a00b004156afd6843sm1368919wmq.18.2024.04.03.22.57.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 03 Apr 2024 22:57:00 -0700 (PDT) From: Efraim Flashner <efraim@HIDDEN> To: 70179 <at> debbugs.gnu.org Subject: [PATCH v2 3/3] gnu: python: Use system SSL certificates. Date: Thu, 4 Apr 2024 08:56:46 +0300 Message-ID: <aac22d9606efdec3fa7e61d1d766dd74bfb6b8d3.1712210069.git.efraim@HIDDEN> X-Mailer: git-send-email 2.41.0 In-Reply-To: <cover.1712210069.git.efraim@HIDDEN> References: <cover.1712210069.git.efraim@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.3 (/) X-Debbugs-Envelope-To: 70179 Cc: Efraim Flashner <efraim@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -0.7 (/) * gnu/packages/python.scm (python)[replacement]: New field. (python/fixed): Provide a python with a patched python-certifi which only offers to use the system's SSL certificates. Change-Id: Ic5bcfb6b32282a7e0628232b1dc4cd60f3f2da52 --- gnu/packages/python.scm | 67 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 12a5148cb1..3ad4c5d5e7 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -96,6 +96,7 @@ (define-module (gnu packages python) #:use-module (guix gexp) #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix search-paths) #:use-module (guix utils) #:use-module (guix build-system gnu) #:use-module (guix build-system trivial) @@ -424,6 +425,7 @@ (define-public python-3.10 (inherit python-2) (name "python") (version "3.10.7") + (replacement python-3.10/fixed) (source (origin (method url-fetch) (uri (string-append "https://www.python.org/ftp/python/" @@ -590,6 +592,7 @@ (define-public python-3.10 inputs))) (native-search-paths (list (guix-pythonpath-search-path version) + $SSL_CERT_FILE ;; Used to locate tzdata by the zoneinfo module introduced in ;; Python 3.9. (search-path-specification @@ -982,6 +985,70 @@ (define-public python-3.12 (properties '((cpe-name . "python"))) (license license:psfl))) +(define python-3.10/fixed + (package + (inherit python-3.10) + (arguments + (substitute-keyword-arguments (package-arguments python-3.10) + ((#:phases phases) + #~(modify-phases #$phases + ;; Also remove the bundled CA certificates. + ;; TODO: Rename this phase when merging back into python. + (replace 'remove-windows-binaries + (lambda _ + ;; Delete .exe from embedded .whl (zip) files + (for-each + (lambda (whl) + (let ((dir "whl-content") + (circa-1980 (* 10 366 24 60 60))) + (mkdir-p dir) + (with-directory-excursion dir + (let ((whl (string-append "../" whl))) + (invoke "unzip" whl) + (for-each delete-file + (find-files "." "\\.exe$")) + (delete-file whl) + + ;; Search for cacert.pem, delete it, and rewrite the + ;; file which directs python to look for it. + (let ((cacert (find-files "." "cacert\\.pem"))) + (unless (null? cacert) + (let ((certifi (dirname (car cacert)))) + (delete-file (string-append certifi "/cacert.pem")) + (delete-file (string-append certifi "/core.py")) + (with-output-to-file (string-append certifi "/core.py") + (lambda _ + (display "\"\"\" +certifi.py +~~~~~~~~~~ +This module returns the installation location of SSL_CERT_FILE or +/etc/ssl/certs/ca-certificates.crt, or its contents. +\"\"\" +import os + +_CA_CERTS = None + +try: + _CA_CERTS = os.environ [\"SSL_CERT_FILE\"] +except: + _CA_CERTS = os.path.join(\"/etc\", \"ssl\", \"certs\", \"ca-certificates.crt\") + +def where() -> str: + return _CA_CERTS + +def contents() -> str: + with open(where(), \"r\", encoding=\"ascii\") as data: + return data.read()")))))) + + ;; Reset timestamps to prevent them from ending + ;; up in the Zip archive. + (ftw "." (lambda (file stat flag) + (utime file circa-1980 circa-1980) + #t)) + (apply invoke "zip" "-X" whl + (find-files "." #:directories? #t)))) + (delete-file-recursively dir))) + (find-files "Lib/ensurepip" "\\.whl$")))))))))) ;; Next 3.x version. (define-public python-next python-3.12) -- Efraim Flashner <efraim@HIDDEN> רנשלפ םירפא GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted
guix-patches@HIDDEN
:bug#70179
; Package guix-patches
.
Full text available.Received: (at 70179) by debbugs.gnu.org; 4 Apr 2024 05:57:16 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 04 01:57:16 2024 Received: from localhost ([127.0.0.1]:60229 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1rsG67-0008L3-Sg for submit <at> debbugs.gnu.org; Thu, 04 Apr 2024 01:57:16 -0400 Received: from mail-wm1-x331.google.com ([2a00:1450:4864:20::331]:45453) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <efraim.flashner@HIDDEN>) id 1rsG62-0008JZ-9f for 70179 <at> debbugs.gnu.org; Thu, 04 Apr 2024 01:57:10 -0400 Received: by mail-wm1-x331.google.com with SMTP id 5b1f17b1804b1-4162ae2a0e4so1047575e9.3 for <70179 <at> debbugs.gnu.org>; Wed, 03 Apr 2024 22:57:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712210219; x=1712815019; darn=debbugs.gnu.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:from:to:cc:subject:date :message-id:reply-to; bh=ekAXT9ZOJT6Nt9fVZMsjmxxSkyM/Zt3Jx52VUOyAQdY=; b=krNyTkVleoxwlvOqzmWsrkwRwmIKWRlSvM6V7zlIRYG1gMZh7JJCf0SSJxyXpFo8Xs OnD7CwyncqmpZ4I3iDF+dcYj2TNNF+cb97HReu182xibEqvw79IyyNSWStQjSbj17DuD Gjk3hgwhAtDHe47OUwcLfoukaxfS1wSRY0rqljKEfk6nLfUS3dP0piMeW1zlm01FFK9N tGW6U4jkg+HfkRzTqjMpT35ntD+V3hBjWMXOLCg/2a5rdhGU+sMyHc0bdP+QGlnA15hP 9bkA147kjjtpaksJpvAJj5QusAGUxKelOLeMDXYliCzG6+Q8NBt0gbQKDkofuUwatgSp iNQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712210219; x=1712815019; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=ekAXT9ZOJT6Nt9fVZMsjmxxSkyM/Zt3Jx52VUOyAQdY=; b=ozkvWv5z/VJXwMeDTK/6jtTdMx442yXBFd8LCBrE+eSM2j4qjSztxjR1PDW/bN1nD2 7Xp8wc8SniMLJlvGzcvvNhPdVmpJ7cDN4E1nKEzIa81nHDoN10PwEMvZ1rMZu//ZgzFt Z7t85RU2piGnQKv+SxhAHtKyGQ49M36hOy1BtFu07dwj8yLnsFcdvogVBPQuxEpN6wIH KLJGwYBHn1pfX+Zmsy29w45FwgLhr41eBGKN500hxqpAsVF6v7V6/sMIcuI8SYzTOSkE FpmQfaTBzJ7wH9plsM43FT2w51iNcV3FEVX5pnPGoxV7LRORO5LE+KQ+VKLv4cyOc3me xdGw== X-Gm-Message-State: AOJu0YwidXwKfqomO8SoPsJftWzvJ5BrRpgy/Rq/66qOCao0df+kwd1K UBEnrOJ73LmVvQPlchyTc5qdUIsAVBJ6KAOrGUwM+o+IqWHPGH0jjYwDstzg0H0= X-Google-Smtp-Source: AGHT+IFlILSVZQCXQl1mHdb/kDWdL8EEITnIk5CiH8/H5pm04PXKKWLxnwVkHBQahOAeffj1wGelKw== X-Received: by 2002:a05:600c:48a4:b0:414:8c5:42ce with SMTP id j36-20020a05600c48a400b0041408c542cemr1204450wmp.19.1712210219363; Wed, 03 Apr 2024 22:56:59 -0700 (PDT) Received: from localhost ([141.226.11.200]) by smtp.gmail.com with ESMTPSA id m10-20020a05600c4f4a00b0041562a58b75sm1359148wmq.13.2024.04.03.22.56.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 03 Apr 2024 22:56:59 -0700 (PDT) From: Efraim Flashner <efraim@HIDDEN> To: 70179 <at> debbugs.gnu.org Subject: [PATCH v2 2/3] gnu: python-pip: Use system SSL certificates. Date: Thu, 4 Apr 2024 08:56:45 +0300 Message-ID: <6426f336e0f7547880b312dd8712998546397d84.1712210069.git.efraim@HIDDEN> X-Mailer: git-send-email 2.41.0 In-Reply-To: <cover.1712210069.git.efraim@HIDDEN> References: <cover.1712210069.git.efraim@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.3 (/) X-Debbugs-Envelope-To: 70179 Cc: Efraim Flashner <efraim@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -0.7 (/) * gnu/packages/python-build.scm (python-pip)[replacement]: New field. (python-pip/fixed): Provide a python-pip with a patched python-certifi which only offers to use the system's SSL certificates. Change-Id: Icea0769b881dc8d760562f0405fa8ea8167a4bd4 --- gnu/packages/python-build.scm | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/gnu/packages/python-build.scm b/gnu/packages/python-build.scm index 2ea457cdba..5b71d1502e 100644 --- a/gnu/packages/python-build.scm +++ b/gnu/packages/python-build.scm @@ -260,6 +260,7 @@ (define-public python-pip (package (name "python-pip") (version "23.1") + (replacement python-pip/fixed) (source (origin (method url-fetch) @@ -277,6 +278,39 @@ (define-public python-pip Python Package Index (PyPI).") (license license:expat))) +(define python-pip/fixed + (package + (inherit python-pip) + (source (origin + (inherit (package-source python-pip)) + (snippet + #~(begin + (delete-file "src/pip/_vendor/certifi/cacert.pem") + (delete-file "src/pip/_vendor/certifi/core.py") + (with-output-to-file "src/pip/_vendor/certifi/core.py" + (lambda _ + (display "\"\"\" +certifi.py +~~~~~~~~~~ +This module returns the installation location of SSL_CERT_FILE or +/etc/ssl/certs/ca-certificates.crt, or its contents. +\"\"\" +import os + +_CA_CERTS = None + +try: + _CA_CERTS = os.environ [\"SSL_CERT_FILE\"] +except: + _CA_CERTS = os.path.join(\"/etc\", \"ssl\", \"certs\", \"ca-certificates.crt\") + +def where() -> str: + return _CA_CERTS + +def contents() -> str: + with open(where(), \"r\", encoding=\"ascii\") as data: + return data.read()"))))))))) + (define-public python-setuptools (package (name "python-setuptools") -- Efraim Flashner <efraim@HIDDEN> רנשלפ םירפא GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted
guix-patches@HIDDEN
:bug#70179
; Package guix-patches
.
Full text available.Received: (at 70179) by debbugs.gnu.org; 4 Apr 2024 05:57:13 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 04 01:57:12 2024 Received: from localhost ([127.0.0.1]:60226 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1rsG63-0008KE-4P for submit <at> debbugs.gnu.org; Thu, 04 Apr 2024 01:57:12 -0400 Received: from mail-lj1-x233.google.com ([2a00:1450:4864:20::233]:45522) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <efraim.flashner@HIDDEN>) id 1rsG60-0008JG-Rm for 70179 <at> debbugs.gnu.org; Thu, 04 Apr 2024 01:57:10 -0400 Received: by mail-lj1-x233.google.com with SMTP id 38308e7fff4ca-2d23114b19dso6585841fa.3 for <70179 <at> debbugs.gnu.org>; Wed, 03 Apr 2024 22:57:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712210218; x=1712815018; darn=debbugs.gnu.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:from:to:cc:subject:date :message-id:reply-to; bh=BsUmFl5wRIrloXQi9/mmrAzboUVjZvnv/2oV4ilX5Ug=; b=UFuU30LuBMrOJvFd88Wg+u49sqR4hJ3CEP5ME/dUYHjjWhQO/2RxGyZtnpr/MdBdL8 gzcBJme9RMvlUAQqLTFqmSp1FTXIOiE3AZB9rfJcCQmazvWIBws6L9Rml3efhTwbJt/+ k7LvrQYNBO3/fJz+ysM5afTlmYxt8YJRM6TCtiQWkFR5z38LJk8FsIcMIPpypFBvl1Pv uZwfxVLisz+vS9KqTrGezf0AoNiujwqegeukxzxpA2LkMnrQy/eGzapATPgZY8hLbbre mbbMnDNQyurZWqzYGYFm3fWEWlM55fs8V3raj8wq46ZxOWahRPf5MTtZtMRiqyfIansI eKJA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712210218; x=1712815018; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=BsUmFl5wRIrloXQi9/mmrAzboUVjZvnv/2oV4ilX5Ug=; b=WRczqZb9hA7DnkIpDnCu2ilgrTaOHeT92tr4dw0CL20Tlv9T+XPxFbTR1tvlZ0kYCe 6gDXChuvmhftjGNVk4fwWE4lfN4Rmx5NhkdcZ4USOWsqgycQvn2vgMGDd/9XDwyTOMb2 3G7qF1qMXwUB9AWXZkmXWcFeB+ve4QcJMILPyr0J+ikIx7gPo90jz7NxDd6oWJP4c8Tv 40xnVM4Qy8piw7evf6boSoqi7wJLzZAw6SwvZlGm+DwXxmXUw21GdW0qzxkcCsJJMcC+ C90LeXfjvZmoAfC30X42z+VTY5KjajoUz5LnjsQe8bJUKYvI9eita4PLOHh1RNVm/rBu IGkQ== X-Gm-Message-State: AOJu0YwSLqcU9sxMkcB7oY0+RHsL12vo/EYuWfR8lsfJDKrabclebMYf B56qOrBjhAL4bwmc5kCMzPPP8K04ljsHKm5KVgczC8/L9fsMNNqPiYU9jZ9XH8E= X-Google-Smtp-Source: AGHT+IG2KaSYwZplddo9KgdmqbSHBISS7fu4152PiLlsO1dgW5CZLqPTv5IDBEw1yBCJsMzCdnsnJQ== X-Received: by 2002:a2e:aa16:0:b0:2d6:8e88:5a6c with SMTP id bf22-20020a2eaa16000000b002d68e885a6cmr1017889ljb.49.1712210217695; Wed, 03 Apr 2024 22:56:57 -0700 (PDT) Received: from localhost ([141.226.11.200]) by smtp.gmail.com with ESMTPSA id p5-20020a05600c358500b0041486a6f9fcsm1354609wmq.37.2024.04.03.22.56.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 03 Apr 2024 22:56:57 -0700 (PDT) From: Efraim Flashner <efraim@HIDDEN> To: 70179 <at> debbugs.gnu.org Subject: [PATCH v2 1/3] gnu: python-certifi: Use system SSL certificates. Date: Thu, 4 Apr 2024 08:56:44 +0300 Message-ID: <aaf898f5494ec9206216be228b84712e459f074f.1712210069.git.efraim@HIDDEN> X-Mailer: git-send-email 2.41.0 In-Reply-To: <cover.1712210069.git.efraim@HIDDEN> References: <cover.1712210069.git.efraim@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.3 (/) X-Debbugs-Envelope-To: 70179 Cc: Efraim Flashner <efraim@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -0.7 (/) * gnu/packages/python-crypto.scm (python-certifi)[replacement]: New field. (python-certifi/fixed): Provide a python-certifi which only offers to use the system's SSL certificates. Change-Id: Ie1871be42988dff3cccfe24bca626149fee0f371 --- gnu/packages/python-crypto.scm | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/gnu/packages/python-crypto.scm b/gnu/packages/python-crypto.scm index 3e1472a6c9..05b6c82fd9 100644 --- a/gnu/packages/python-crypto.scm +++ b/gnu/packages/python-crypto.scm @@ -469,6 +469,7 @@ (define-public python-certifi (package (name "python-certifi") (version "2022.6.15") + (replacement python-certifi/fixed) (source (origin (method url-fetch) (uri (pypi-uri "certifi" version)) @@ -484,6 +485,39 @@ (define-public python-certifi is used by the Requests library to verify HTTPS requests.") (license license:asl2.0))) +(define python-certifi/fixed + (package + (inherit python-certifi) + (source (origin + (inherit (package-source python-certifi)) + (snippet + #~(begin + (delete-file "certifi/cacert.pem") + (delete-file "certifi/core.py") + (with-output-to-file "certifi/core.py" + (lambda _ + (display "\"\"\" +certifi.py +~~~~~~~~~~ +This module returns the installation location of SSL_CERT_FILE or +/etc/ssl/certs/ca-certificates.crt, or its contents. +\"\"\" +import os + +_CA_CERTS = None + +try: + _CA_CERTS = os.environ [\"SSL_CERT_FILE\"] +except: + _CA_CERTS = os.path.join(\"/etc\", \"ssl\", \"certs\", \"ca-certificates.crt\") + +def where() -> str: + return _CA_CERTS + +def contents() -> str: + with open(where(), \"r\", encoding=\"ascii\") as data: + return data.read()"))))))))) + (define-public python-cryptography-vectors (package (name "python-cryptography-vectors") -- Efraim Flashner <efraim@HIDDEN> רנשלפ םירפא GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted
guix-patches@HIDDEN
:bug#70179
; Package guix-patches
.
Full text available.Received: (at submit) by debbugs.gnu.org; 4 Apr 2024 05:55:40 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 04 01:55:40 2024 Received: from localhost ([127.0.0.1]:60212 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1rsG4Z-0008A9-Ka for submit <at> debbugs.gnu.org; Thu, 04 Apr 2024 01:55:39 -0400 Received: from lists.gnu.org ([2001:470:142::17]:55078) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <efraim.flashner@HIDDEN>) id 1rsG4Y-00089O-0N for submit <at> debbugs.gnu.org; Thu, 04 Apr 2024 01:55:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <efraim.flashner@HIDDEN>) id 1rsG4N-0002Sy-7r for guix-patches@HIDDEN; Thu, 04 Apr 2024 01:55:27 -0400 Received: from mail-lj1-x233.google.com ([2a00:1450:4864:20::233]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <efraim.flashner@HIDDEN>) id 1rsG4K-0002SN-PT for guix-patches@HIDDEN; Thu, 04 Apr 2024 01:55:26 -0400 Received: by mail-lj1-x233.google.com with SMTP id 38308e7fff4ca-2d68651e253so7676541fa.0 for <guix-patches@HIDDEN>; Wed, 03 Apr 2024 22:55:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712210123; x=1712814923; darn=gnu.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:sender:from:to:cc:subject:date:message-id:reply-to; bh=UeNFVMTMQzapVFAXETwa5wlFJmU1mV2x5a4Md7so8lU=; b=X/WRAAlksE4D3VeUGcXGY4+8KgLwLRzjSObTYoVBb5thdT0mJfoYeSgqjVj3HaHtkn USUSK1vNnzLgNPIiwaMvb9OlDYMTwKvOd8wEXGSG39Pxt/RmgCXh6bJWYcXVT2ayUfNm vpGN4cawx5ipjyDosjITVXCEwpyoxXad3Xi8r4PoO7Rw5ZjPziRN7L14ICxuJINy5XaZ ep66ovncrST+nW3VmHEmWZkctG4pPdSL4bNRYytluAd5vJLLeszT5vVxUAU8r0CMpb2O 0oP14LACRDMpifOHENwxwZ+/5cZRt8yRv1I3mcR0B1Fuzg1IjQa2rV7GGaajKCBNsbd3 Zndw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712210123; x=1712814923; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:sender:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=UeNFVMTMQzapVFAXETwa5wlFJmU1mV2x5a4Md7so8lU=; b=Q+F5oGfsHewxvFA1aHIsa0rjiwE6gVDabCpiPb8cSze8Ah8uGF2G6rJm30QW8qPnKg mImX0DEVAzhelPvewbdulSLkGp5zPxmrGIoOQ8Jot51bGoZrfNpuWYN/ATF1nNTfEQCO XdE0QUBRmS1QdZLc1fwq8Ak6uAIjxDhQlqLRBSOjLrd/Rh5aoj6rPuSoE+bmvfyejX6p 5zyPMJewj2CL3xkQ3IhehbnEtWShCyKrRExmty6T/nJP43pRjmTLVHubYCKaQzWypGPP yJL0NGVkR/kYoar2WapOa4/2iKC5LOrmEPxIPCDYxVmBfgZsASWR0cta8qR1XodGFSMK 16XA== X-Gm-Message-State: AOJu0YwdyAe7hhsQMTGoCXfbS2cxFA5FhTVwL6gBxOh+3NDaam3XhydQ TS0xO4yISoRZ8neC8MTY6hytXTZGwCHRx9oAFgI3tbTPJ8sxRsIikelln1c+ysM= X-Google-Smtp-Source: AGHT+IFE4oKahIfgVgUQK/68jHGfKqJmbC0EiId1kHoGvd3lOOM0cyiJWeoKviyO23okN6OsOaoOxA== X-Received: by 2002:a2e:9c07:0:b0:2d7:7c0:b077 with SMTP id s7-20020a2e9c07000000b002d707c0b077mr1013829lji.43.1712210122409; Wed, 03 Apr 2024 22:55:22 -0700 (PDT) Received: from localhost ([141.226.11.200]) by smtp.gmail.com with ESMTPSA id e21-20020a05600c4e5500b0041629a68b12sm1211134wmq.25.2024.04.03.22.55.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 03 Apr 2024 22:55:21 -0700 (PDT) From: Efraim Flashner <efraim@HIDDEN> To: guix-patches@HIDDEN Subject: [PATCH 0/3] Use system nss-certs in Python. Date: Thu, 4 Apr 2024 08:55:05 +0300 Message-ID: <cover.1712210069.git.efraim@HIDDEN> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 X-Debbugs-Cc: Lars-Dominik Braun <lars@HIDDEN>, Marius Bakke <marius@HIDDEN>, Munyoki Kilyungi <me@HIDDEN>, Sharlatan Hellseher <sharlatanus@HIDDEN>, Tanguy Le Carrour <tanguy@HIDDEN>, jgart <jgart@HIDDEN> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a00:1450:4864:20::233; envelope-from=efraim.flashner@HIDDEN; helo=mail-lj1-x233.google.com X-Spam_score_int: -16 X-Spam_score: -1.7 X-Spam_bar: - X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-Spam-Score: 1.2 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: It turns out that the Python ecosystem bundles a version of nss-certs. This patch series should change it so that it uses the system nss-certs instead. Efraim Flashner (3): gnu: python-certifi: Use system SSL certificates. gnu: python-pip: Use system SSL certificates. gnu: python: Use system SSL certificates. Content analysis details: (1.2 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (efraim.flashner[at]gmail.com) 1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) -0.0 SPF_HELO_PASS SPF: HELO matches SPF record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different X-Debbugs-Envelope-To: submit Cc: Efraim Flashner <efraim@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: 0.2 (/) It turns out that the Python ecosystem bundles a version of nss-certs. This patch series should change it so that it uses the system nss-certs instead. Efraim Flashner (3): gnu: python-certifi: Use system SSL certificates. gnu: python-pip: Use system SSL certificates. gnu: python: Use system SSL certificates. gnu/packages/python-build.scm | 34 +++++++++++++++++ gnu/packages/python-crypto.scm | 34 +++++++++++++++++ gnu/packages/python.scm | 67 ++++++++++++++++++++++++++++++++++ 3 files changed, 135 insertions(+) base-commit: 188d18fc47f0d38edfe06e3e5834fa8587bd300b -- Efraim Flashner <efraim@HIDDEN> רנשלפ םירפא GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted
Efraim Flashner <efraim@HIDDEN>
:lars@HIDDEN, marius@HIDDEN, me@HIDDEN, sharlatanus@HIDDEN, tanguy@HIDDEN, jgart@HIDDEN, guix-patches@HIDDEN
.
Full text available.lars@HIDDEN, marius@HIDDEN, me@HIDDEN, sharlatanus@HIDDEN, tanguy@HIDDEN, jgart@HIDDEN, guix-patches@HIDDEN
:bug#70179
; Package guix-patches
.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.