From c9d833affcfca1d2c98ab858938dff8c2d8250a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?= Date: Thu, 9 Mar 2023 10:38:58 +0700 Subject: [PATCH 1/7] python3-certifi: use system cacert --- .../patches/system-cacert.patch | 53 +++++++++++++++++++ srcpkgs/python3-certifi/template | 9 ++-- 2 files changed, 59 insertions(+), 3 deletions(-) create mode 100644 srcpkgs/python3-certifi/patches/system-cacert.patch diff --git a/srcpkgs/python3-certifi/patches/system-cacert.patch b/srcpkgs/python3-certifi/patches/system-cacert.patch new file mode 100644 index 000000000000..7e41029aa1ea --- /dev/null +++ b/srcpkgs/python3-certifi/patches/system-cacert.patch 
@@ -0,0 +1,53 @@
+--- a/certifi/core.py
++++ b/certifi/core.py
+@@ -10,36 +10,15 @@ import sys
+ if sys.version_info >= (3, 11):
+
+ from importlib.resources import as_file, files
++ from pathlib import Path
+
+- _CACERT_CTX = None
+- _CACERT_PATH = None
++ _CACERT_PATH = '/etc/ssl/certs.pem'
+
+ def where() -> str:
+- # This is slightly terrible, but we want to delay extracting the file
+- # in cases where we're inside of a zipimport situation until someone
+- # actually calls where(), but we don't want to re-extract the file
+- # on every call of where(), so we'll do it once then store it in a
+- # global variable.
+- global _CACERT_CTX
+- global _CACERT_PATH
+- if _CACERT_PATH is None:
+- # This is slightly janky, the importlib.resources API wants you to
+- # manage the cleanup of this file, so it doesn't actually return a
+- # path, it returns a context manager that will give you the path
+- # when you enter it and will do any cleanup when you leave it. In
+- # the common case of not needing a temporary file, it will just
+- # return the file system location and the __exit__() is a no-op.
+- #
+- # We also have to hold onto the actual context manager, because
+- # it will do the cleanup whenever it gets garbage collected, so
+- # we will also store that at the global level as well.
+- _CACERT_CTX = as_file(files("certifi").joinpath("cacert.pem"))
+- _CACERT_PATH = str(_CACERT_CTX.__enter__())
+-
+ return _CACERT_PATH
+
+ def contents() -> str:
+- return files("certifi").joinpath("cacert.pem").read_text(encoding="ascii")
++ return Path(_CACERT_PATH).read_text(encoding="ascii")
+
+ elif sys.version_info >= (3, 7):
+
+--- a/setup.py
++++ b/setup.py
+@@ -41,7 +41,7 @@ setup(
+ 'certifi',
+ ],
+ package_dir={'certifi': 'certifi'},
+- package_data={'certifi': ['*.pem', 'py.typed']},
++ package_data={'certifi': ['py.typed']},
+ # data_files=[('certifi', ['certifi/cacert.pem'])],
+ include_package_data=True,
+ zip_safe=False,
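Review bot: Only the `sys.version_info >= (3, 11)` branch of `certifi/core.py` is switched to `/etc/ssl/certs.pem`; the `elif sys.version_info >= (3, 7):` branch starts on the last context line of the first inner hunk and its body lies outside it, so as far as this patch shows it still resolves the packaged `cacert.pem`, which the `setup.py` hunk stops installing. On an interpreter older than 3.11, `where()` would then return a path to a file that is no longer shipped. Defining `_CACERT_PATH`, `where()` and `contents()` once, outside the version test, would make the override independent of the interpreter, and the `as_file, files` import, which has no remaining user in the lines shown, could then go. `contents()` also keeps `encoding="ascii"`, which assumes the system bundle holds no non-ASCII bytes (for example in comments of locally added certificates); that is worth confirming. The python3-pip and python3-pipenv patches later in the series carry the same hunk.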
diff --git a/srcpkgs/python3-certifi/template b/srcpkgs/python3-certifi/template index f58123986d63..c494c9721643 100644 --- a/srcpkgs/python3-certifi/template +++ b/srcpkgs/python3-certifi/template @@ -1,7 +1,7 @@ # Template file for 'python3-certifi' pkgname=python3-certifi version=2022.09.24 -revision=2 +revision=3 build_style=python3-module hostmakedepends="python3-setuptools" depends="python3" @@ -12,7 +12,10 @@ homepage="https://certifi.io" distfiles="https://github.com/certifi/python-certifi/archive/${version}.tar.gz" checksum=8c1db7f2a3b272e8a90b2e1910763930fa81e2512fbb96cb7a25787d63765c78 +post_extract() { + rm -f certifi/cacert.pem +} + do_check() { - cd build/lib - python3 -c 'import certifi as m; print(m)' + python3 -m unittest } From 0120e443d873d428acf176a987293a83c1cb5ad0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?= Date: Thu, 9 Mar 2023 10:45:29 +0700 Subject: [PATCH 2/7] python3-pip: use system CACert --- .../python3-pip/patches/system-cacert.patch | 42 +++++++++++++++++++ srcpkgs/python3-pip/template | 6 ++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 srcpkgs/python3-pip/patches/system-cacert.patch diff --git a/srcpkgs/python3-pip/patches/system-cacert.patch b/srcpkgs/python3-pip/patches/system-cacert.patch new file mode 100644 index 000000000000..28fded3e7b48 --- /dev/null +++ b/srcpkgs/python3-pip/patches/system-cacert.patch 
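Review bot: `depends="python3"` stays unchanged while the second hunk deletes `certifi/cacert.pem` in `post_extract`, so nothing in the template states that `/etc/ssl/certs.pem` must exist at run time. If `python3` does not already pull in the package that owns that file (ca-certificates, if that is the owner here), `certifi.where()` names a missing bundle and every TLS client built on it fails to load its trust anchors; listing that package in `depends` makes the requirement explicit. `do_check` now runs `python3 -m unittest`, which presumably reads the bundle too, so the same package would be needed in `checkdepends`; lines 8–11 of the template are outside the hunks, so this may already be covered. The same question applies to the python3-pip, python-pip, python3-botocore, python3-pipenv and pex templates, and to the perl-Mozilla-CA symlink, which would dangle.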
@@ -0,0 +1,42 @@
+--- a/src/pip/_vendor/certifi/core.py
++++ b/src/pip/_vendor/certifi/core.py
+@@ -10,36 +10,15 @@ import sys
+ if sys.version_info >= (3, 11):
+
+ from importlib.resources import as_file, files
++ from pathlib import Path
+
+- _CACERT_CTX = None
+- _CACERT_PATH = None
++ _CACERT_PATH = '/etc/ssl/certs.pem'
+
+ def where() -> str:
+- # This is slightly terrible, but we want to delay extracting the file
+- # in cases where we're inside of a zipimport situation until someone
+- # actually calls where(), but we don't want to re-extract the file
+- # on every call of where(), so we'll do it once then store it in a
+- # global variable.
+- global _CACERT_CTX
+- global _CACERT_PATH
+- if _CACERT_PATH is None:
+- # This is slightly janky, the importlib.resources API wants you to
+- # manage the cleanup of this file, so it doesn't actually return a
+- # path, it returns a context manager that will give you the path
+- # when you enter it and will do any cleanup when you leave it. In
+- # the common case of not needing a temporary file, it will just
+- # return the file system location and the __exit__() is a no-op.
+- #
+- # We also have to hold onto the actual context manager, because
+- # it will do the cleanup whenever it gets garbage collected, so
+- # we will also store that at the global level as well.
+- _CACERT_CTX = as_file(files("pip._vendor.certifi").joinpath("cacert.pem"))
+- _CACERT_PATH = str(_CACERT_CTX.__enter__())
+-
+ return _CACERT_PATH
+
+ def contents() -> str:
+- return files("pip._vendor.certifi").joinpath("cacert.pem").read_text(encoding="ascii")
++ return Path(_CACERT_PATH).read_text(encoding="ascii")
+
+ elif sys.version_info >= (3, 7):
+
diff --git a/srcpkgs/python3-pip/template b/srcpkgs/python3-pip/template
index 5f928c3b6df1..66afa47f72f4 100644
--- a/srcpkgs/python3-pip/template
+++ b/srcpkgs/python3-pip/template
@@ -1,7 +1,7 @@ # Template file for 'python3-pip' pkgname=python3-pip version=23.0.1 -revision=1 +revision=2 build_style=python3-module hostmakedepends="python3-setuptools" depends="python3-setuptools" @@ -15,6 +15,10 @@ checksum=cd015ea1bfb0fcef59d8a286c1f8bebcb983f6317719d415dc5351efb7cd7024 # Tests have unpackaged dependencies make_check=no +post_extract() { + rm -f src/pip/_vendor/certifi/cacert.pem +} + post_install() { vlicense LICENSE.txt ln -s pip3 "${DESTDIR}/usr/bin/pip" From 6f821a951a6c858cb59c53dc8a9d0b0d844894b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?= Date: Thu, 9 Mar 2023 10:56:09 +0700 Subject: [PATCH 3/7] python-pip: use system CACert --- .../python-pip/patches/system-cacert.patch | 68 +++++++++++++++++++ srcpkgs/python-pip/template | 6 +- 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 srcpkgs/python-pip/patches/system-cacert.patch diff --git a/srcpkgs/python-pip/patches/system-cacert.patch b/srcpkgs/python-pip/patches/system-cacert.patch new file mode 100644 index 000000000000..7814bdb742d9 --- /dev/null +++ b/srcpkgs/python-pip/patches/system-cacert.patch 
@@ -0,0 +1,68 @@
+--- a/src/pip/_vendor/certifi/core.py
++++ b/src/pip/_vendor/certifi/core.py
+@@ -8,53 +8,18 @@ This module returns the installation loc
+ """
+ import os
+
+-try:
+- from importlib.resources import path as get_path, read_text
+-
+- _CACERT_CTX = None
+- _CACERT_PATH = None
+-
+- def where():
+- # This is slightly terrible, but we want to delay extracting the file
+- # in cases where we're inside of a zipimport situation until someone
+- # actually calls where(), but we don't want to re-extract the file
+- # on every call of where(), so we'll do it once then store it in a
+- # global variable.
+- global _CACERT_CTX
+- global _CACERT_PATH
+- if _CACERT_PATH is None:
+- # This is slightly janky, the importlib.resources API wants you to
+- # manage the cleanup of this file, so it doesn't actually return a
+- # path, it returns a context manager that will give you the path
+- # when you enter it and will do any cleanup when you leave it. In
+- # the common case of not needing a temporary file, it will just
+- # return the file system location and the __exit__() is a no-op.
+- #
+- # We also have to hold onto the actual context manager, because
+- # it will do the cleanup whenever it gets garbage collected, so
+- # we will also store that at the global level as well.
+- _CACERT_CTX = get_path("pip._vendor.certifi", "cacert.pem")
+- _CACERT_PATH = str(_CACERT_CTX.__enter__())
+-
+- return _CACERT_PATH
+-
+-
+-except ImportError:
+- # This fallback will work for Python versions prior to 3.7 that lack the
+- # importlib.resources module but relies on the existing `where` function
+- # so won't address issues with environments like PyOxidizer that don't set
+- # __file__ on modules.
+- def read_text(_module, _path, encoding="ascii"): +- with open(where(), "r", encoding=encoding) as data: +- return data.read() +- +- # If we don't have importlib.resources, then we will just do the old logic +- # of assuming we're on the filesystem and munge the path directly. +- def where(): +- f = os.path.dirname(__file__) +- +- return os.path.join(f, "cacert.pem") +- ++# This fallback will work for Python versions prior to 3.7 that lack the ++# importlib.resources module but relies on the existing `where` function ++# so won't address issues with environments like PyOxidizer that don't set ++# __file__ on modules. ++def read_text(_module, _path, encoding="ascii"): ++ with open(where(), "r", encoding=encoding) as data: ++ return data.read() ++ ++# If we don't have importlib.resources, then we will just do the old logic ++# of assuming we're on the filesystem and munge the path directly. ++def where(): ++ return '/etc/ssl/certs.pem' + + def contents(): + return read_text("certifi", "cacert.pem", encoding="ascii") diff --git a/srcpkgs/python-pip/template b/srcpkgs/python-pip/template index 00d8875f2f9e..7e50aa7caadf 100644 --- a/srcpkgs/python-pip/template +++ b/srcpkgs/python-pip/template @@ -1,7 +1,7 @@ # Template file for 'python-pip' pkgname=python-pip version=20.3.4 -revision=1 +revision=2 build_style=python2-module hostmakedepends="python-setuptools" depends="python-setuptools" @@ -13,6 +13,10 @@ changelog="https://raw.githubusercontent.com/pypa/pip/master/NEWS.rst" distfiles="${PYPI_SITE}/p/pip/pip-${version}.tar.gz" checksum=6773934e5f5fc3eaa8c5a44949b5b924fc122daa0a8aa9f80c835b4ca2a543fc +post_extract() { + rm -f src/pip/_vendor/certifi/cacert.pem +} + post_install() { vlicense LICENSE.txt mv ${DESTDIR}/usr/bin/pip{,2} From ed9ecba7ecd97cc3264223123051adb9a05d6757 Mon Sep 17 00:00:00 2001 
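Review bot: The two comment blocks kept above `read_text()` and `where()` in the new code still describe the removed behaviour — a fallback for interpreters without `importlib.resources`, and "munge the path directly" — while `where()` now returns a constant and `import os` has no remaining user in the hunk. Someone auditing which trust store this vendored pip uses would be misled by them. I would replace both with one comment such as `# Distribution patch: always use the system CA bundle; the vendored cacert.pem is removed at build time.` and add a line on `read_text()` saying that `_module` and `_path` are ignored and the file named by `where()` is read instead.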
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?= Date: Thu, 9 Mar 2023 11:04:52 +0700 Subject: [PATCH 4/7] python3-botocore: use system CACert --- .../patches/system-cacert.patch | 19 +++++++++++++++++++ srcpkgs/python3-botocore/template | 5 +++-- 2 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 srcpkgs/python3-botocore/patches/system-cacert.patch diff --git a/srcpkgs/python3-botocore/patches/system-cacert.patch b/srcpkgs/python3-botocore/patches/system-cacert.patch new file mode 100644 index 000000000000..ea4b7057e2d3 --- /dev/null +++ b/srcpkgs/python3-botocore/patches/system-cacert.patch @@ -0,0 +1,19 @@ +--- a/botocore/httpsession.py ++++ b/botocore/httpsession.py +@@ -53,13 +53,10 @@ filter_ssl_warnings() + logger = logging.getLogger(__name__) + DEFAULT_TIMEOUT = 60 + MAX_POOL_CONNECTIONS = 10 +-DEFAULT_CA_BUNDLE = os.path.join(os.path.dirname(__file__), 'cacert.pem') ++DEFAULT_CA_BUNDLE = '/etc/ssl/certs.pem' + +-try: +- from certifi import where +-except ImportError: +- def where(): +- return DEFAULT_CA_BUNDLE ++def where(): ++ return DEFAULT_CA_BUNDLE + + + def get_cert_path(verify): diff --git a/srcpkgs/python3-botocore/template b/srcpkgs/python3-botocore/template index 538c25ed82e5..6a4b16aa7cd4 100644 --- a/srcpkgs/python3-botocore/template +++ b/srcpkgs/python3-botocore/template @@ -1,7 +1,7 @@ # Template file for 'python3-botocore' pkgname=python3-botocore version=1.24.33 -revision=2 +revision=3 build_style=python3-module # integration tests want aws credentials make_check_target="tests/functional tests/unit" @@ -15,6 +15,7 @@ homepage="https://github.com/boto/botocore" distfiles="https://github.com/boto/botocore/archive/${version}.tar.gz" checksum=df97ad5dd13847d2684597798214bc35603c1bd9df7fef04ba5d583cb4229629 -pre_check() { +post_extract() { + rm -f botocore/cacert.pem rm -r tests/functional/leak # these 6 tests fail, probably fixable } From 64dc38019d639f91b40504dc3bb31533b7490cdc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?= Date: Thu, 9 Mar 2023 11:08:30 +0700 Subject: [PATCH 5/7] python3-pipenv: use system CA Cert --- .../patches/system-cacert.patch | 42 +++++++++++++++++++ srcpkgs/python3-pipenv/template | 6 ++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 srcpkgs/python3-pipenv/patches/system-cacert.patch diff --git a/srcpkgs/python3-pipenv/patches/system-cacert.patch b/srcpkgs/python3-pipenv/patches/system-cacert.patch new file mode 100644 index 000000000000..58a5d4c830e9 --- /dev/null +++ b/srcpkgs/python3-pipenv/patches/system-cacert.patch 
@@ -0,0 +1,42 @@
+--- a/pipenv/patched/pip/_vendor/certifi/core.py
++++ b/pipenv/patched/pip/_vendor/certifi/core.py
+@@ -10,36 +10,15 @@ import sys
+ if sys.version_info >= (3, 11):
+
+ from importlib.resources import as_file, files
++ from pathlib import Path
+
+- _CACERT_CTX = None
+- _CACERT_PATH = None
++ _CACERT_PATH = '/etc/ssl/certs.pem'
+
+ def where() -> str:
+- # This is slightly terrible, but we want to delay extracting the file
+- # in cases where we're inside of a zipimport situation until someone
+- # actually calls where(), but we don't want to re-extract the file
+- # on every call of where(), so we'll do it once then store it in a
+- # global variable.
+- global _CACERT_CTX
+- global _CACERT_PATH
+- if _CACERT_PATH is None:
+- # This is slightly janky, the importlib.resources API wants you to
+- # manage the cleanup of this file, so it doesn't actually return a
+- # path, it returns a context manager that will give you the path
+- # when you enter it and will do any cleanup when you leave it. In
+- # the common case of not needing a temporary file, it will just
+- # return the file system location and the __exit__() is a no-op.
+- #
+- # We also have to hold onto the actual context manager, because
+- # it will do the cleanup whenever it gets garbage collected, so
+- # we will also store that at the global level as well.
+- _CACERT_CTX = as_file(files("pipenv.patched.pip._vendor.certifi").joinpath("cacert.pem"))
+- _CACERT_PATH = str(_CACERT_CTX.__enter__())
+-
+ return _CACERT_PATH
+
+ def contents() -> str:
+- return files("pipenv.patched.pip._vendor.certifi").joinpath("cacert.pem").read_text(encoding="ascii")
++ return Path(_CACERT_PATH).read_text(encoding="ascii")
+
+ elif sys.version_info >= (3, 7):
+
diff --git a/srcpkgs/python3-pipenv/template b/srcpkgs/python3-pipenv/template
index c619da985ef8..5eeebb44f11a 100644
--- a/srcpkgs/python3-pipenv/template
+++ b/srcpkgs/python3-pipenv/template
@@ -1,7 +1,7 @@ # Template file for 'python3-pipenv' pkgname=python3-pipenv version=2023.2.4 -revision=1 +revision=2 build_style=python3-pep517 hostmakedepends="python3-wheel" depends="python3 python3-pip python3-virtualenv python3-virtualenv-clone" @@ -15,6 +15,10 @@ checksum=18a3eba519e36d59f0d5a7f9c42bd268521e4b9b7b3d1bd6adcf131569323275 conflicts="python-pipenv>=0" make_check=no # tests are not contained in release tarball +post_extract() { + rm -f pipenv/patched/pip/_vendor/certifi/cacert.pem +} + post_install() { vlicense LICENSE } From fc49224a05f947c666f00f65f65d13e77685d304 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?= Date: Thu, 9 Mar 2023 11:44:47 +0700 Subject: [PATCH 6/7] perl-Mozilla-CA: use system CA Cert --- srcpkgs/perl-Mozilla-CA/template | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/srcpkgs/perl-Mozilla-CA/template b/srcpkgs/perl-Mozilla-CA/template index 0ca3767f30f9..12db786b49ed 100644 --- a/srcpkgs/perl-Mozilla-CA/template +++ b/srcpkgs/perl-Mozilla-CA/template @@ -1,7 +1,7 @@ # Template file for 'perl-Mozilla-CA' pkgname=perl-Mozilla-CA version=20221114 -revision=1 +revision=2 build_style=perl-module hostmakedepends="perl" makedepends="${hostmakedepends}" @@ -12,3 +12,9 @@ license="MPL-2.0" homepage="https://metacpan.org/release/Mozilla-CA" distfiles="${CPAN_SITE}/Mozilla/${pkgname/perl-/}-$version.tar.gz" checksum=701bea67be670add5a102f9f8c879402b4983096b1cb0e20dd47d52d7a10666b + +post_install() { + rm -f "${DESTDIR}/usr/share/perl5/vendor_perl/Mozilla/CA/cacert.pem" + ln -sf /etc/ssl/certs.pem \ + "${DESTDIR}/usr/share/perl5/vendor_perl/Mozilla/CA/cacert.pem" +} From 7ef81b547808c1b7dcfa4c073ba28e06a059ac82 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?= Date: Thu, 9 Mar 2023 11:59:38 +0700 Subject: [PATCH 7/7] pex: use system CA Cert --- srcpkgs/pex/template | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/srcpkgs/pex/template b/srcpkgs/pex/template index 359f9d4c53d4..69b7de345edd 100644 --- a/srcpkgs/pex/template +++ b/srcpkgs/pex/template @@ -1,7 +1,7 @@ # Template file for 'pex' pkgname=pex version=2.1.126 -revision=1 +revision=2 build_style=python3-pep517 hostmakedepends="python3-flit_core python3-Sphinx" depends="python3" @@ -13,6 +13,29 @@ changelog="https://raw.githubusercontent.com/pantsbuild/pex/main/CHANGES.rst" distfiles="${PYPI_SITE}/p/pex/pex-${version}.tar.gz" checksum=3fcd6cf993815f2a2ad1d826ea194e35bca3c82f485f9886e9e681e400566b15 +post_extract() { + rm -f pex/vendor/_vendored/pip/pip/_vendor/certifi/cacert.pem + cat <<-EOF >pex/vendor/_vendored/pip/pip/_vendor/certifi/core.py + # -*- coding: utf-8 -*- + """ + certifi.py + ~~~~~~~~~~ + + This module returns the installation location of cacert.pem or its contents. + """ + import os + from pathlib import Path + + _CACERT_PATH = '/etc/ssl/certs.pem' + + def where(): + return _CACERT_PATH + + def contents(): + return Path(_CACERT_PATH).read_text(encoding="ascii") + EOF +} + post_build() { PYTHONPATH="$PWD" make -C docs man }
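Review bot: `post_extract` replaces the vendored `certifi/core.py` wholesale through `cat <<-EOF`, whereas the other packages in this series carry a patch. A patch stops the build when upstream changes the file, which prompts a fresh look at the trust-store override; the heredoc overwrites whatever upstream ships without any signal. The delimiter is also unquoted, so the Python body is subject to shell expansion — harmless with the current text, but `cat <<-'EOF' >pex/vendor/_vendored/pip/pip/_vendor/certifi/core.py` keeps it literal. Because `<<-` strips leading tabs, the indentation of the two function bodies has to be spaces, which cannot be checked in this rendering. `import os` in the generated file is unused.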