[arch-commits] Commit in python-httpx/trunk (2 files)
Eli Schwartz
eschwartz at archlinux.org
Mon Jul 13 16:42:54 UTC 2020
Date: Monday, July 13, 2020 @ 16:42:53
Author: eschwartz
Revision: 663435
upgpkg: python-httpx 0.13.3-5: don't let certifi be used -- FS#67260
Added:
python-httpx/trunk/0001-Do-not-override-the-system-SSL-certificates-with-the.patch
Modified:
python-httpx/trunk/PKGBUILD
-----------------------------------------------------------------+
0001-Do-not-override-the-system-SSL-certificates-with-the.patch | 87 ++++++++++
PKGBUILD | 16 +
2 files changed, 98 insertions(+), 5 deletions(-)
Added: 0001-Do-not-override-the-system-SSL-certificates-with-the.patch
===================================================================
--- 0001-Do-not-override-the-system-SSL-certificates-with-the.patch (rev 0)
+++ 0001-Do-not-override-the-system-SSL-certificates-with-the.patch 2020-07-13 16:42:53 UTC (rev 663435)
@@ -0,0 +1,87 @@
+From b3d83c15c366747bf84772311eecad29e1413cb5 Mon Sep 17 00:00:00 2001
+From: Eli Schwartz <eschwartz at archlinux.org>
+Date: Mon, 13 Jul 2020 11:29:54 -0400
+Subject: [PATCH] Do not override the system SSL certificates with the certifi
+ bundle.
+
+We need to respect the system certification policy, and by default the
+ssl module will use our packaged ca-certificates.
+
+ssl.create_default_context(cafile=None) is the default to use the
+builtin (system) certs, but due to the sorcery which this module uses to
+check how arguments are being passed, it's less invasive to simply
+hardcode the standard certificate path instead of letting python
+properly handle it.
+---
+ httpx/_config.py | 4 +---
+ setup.py | 1 -
+ tests/test_config.py | 5 ++---
+ 3 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/httpx/_config.py b/httpx/_config.py
+index 3785af9..d6aecf3 100644
+--- a/httpx/_config.py
++++ b/httpx/_config.py
+@@ -4,8 +4,6 @@ import typing
+ from base64 import b64encode
+ from pathlib import Path
+
+-import certifi
+-
+ from ._models import URL, Headers
+ from ._types import CertTypes, HeaderTypes, TimeoutTypes, URLTypes, VerifyTypes
+ from ._utils import get_ca_bundle_from_env, get_logger, warn_deprecated
+@@ -45,7 +43,7 @@ class SSLConfig:
+ SSL Configuration.
+ """
+
+- DEFAULT_CA_BUNDLE_PATH = Path(certifi.where())
++ DEFAULT_CA_BUNDLE_PATH = Path("/etc/ssl/certs/ca-certificates.crt")
+
+ def __init__(
+ self,
+diff --git a/setup.py b/setup.py
+index cc62169..e6fe71a 100644
+--- a/setup.py
++++ b/setup.py
+@@ -55,7 +55,6 @@ setup(
+ include_package_data=True,
+ zip_safe=False,
+ install_requires=[
+- "certifi",
+ "hstspreload",
+ "sniffio",
+ "chardet==3.*",
+diff --git a/tests/test_config.py b/tests/test_config.py
+index 41d8191..286da00 100644
+--- a/tests/test_config.py
++++ b/tests/test_config.py
+@@ -4,7 +4,6 @@ import ssl
+ import sys
+ from pathlib import Path
+
+-import certifi
+ import pytest
+
+ import httpx
+@@ -24,7 +23,7 @@ def test_load_ssl_config_verify_non_existing_path():
+
+
+ def test_load_ssl_config_verify_existing_file():
+- ssl_config = SSLConfig(verify=certifi.where())
++ ssl_config = SSLConfig(verify="/etc/ssl/certs/ca-certificates.crt")
+ context = ssl_config.ssl_context
+ assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
+ assert context.check_hostname is True
+@@ -55,7 +54,7 @@ def test_load_ssl_config_verify_env_file(https_server, ca_cert_pem_file, config)
+
+
+ def test_load_ssl_config_verify_directory():
+- path = Path(certifi.where()).parent
++ path = Path("/etc/ssl/certs/ca-certificates.crt").parent
+ ssl_config = SSLConfig(verify=path)
+ context = ssl_config.ssl_context
+ assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
+--
+2.27.0
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-07-13 16:42:44 UTC (rev 663434)
+++ PKGBUILD 2020-07-13 16:42:53 UTC (rev 663435)
@@ -3,18 +3,21 @@
_pkgname=httpx
pkgname=python-httpx
pkgver=0.13.3
-pkgrel=4
+pkgrel=5
pkgdesc="A next generation HTTP client for Python"
arch=('any')
url="https://github.com/encode/${_pkgname}"
license=('BSD')
-depends=('python-certifi' 'python-chardet' 'python-hstspreload' 'python-httpcore' 'python-idna' 'python-rfc3986' 'python-sniffio')
+depends=('python-chardet' 'python-hstspreload' 'python-httpcore' 'python-idna' 'python-rfc3986' 'python-sniffio')
optdepends=('python-brotli: for brotli response decompression')
makedepends=('python-setuptools')
checkdepends=('python-pytest-asyncio' 'python-pytest-trio' 'python-brotli' 'python-trustme' 'uvicorn')
-source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz")
-sha512sums=('54cdee16e8253c221c3298817ccf63a4a0d6755a86feea2aa5a2efe9af44eb1eb0a578b21f593fe28fceace17b0a0badb52a66965c35bf456ea57dd3b905ebbe')
-b2sums=('d3a56c2386841909668e34eaa78d202f91ad900230b9d1d4254bfa08312312d020e081aea2839dbb57d85fa26ccfc3f093404801c4dd5c47051f3c9fd2746552')
+source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz"
+ "0001-Do-not-override-the-system-SSL-certificates-with-the.patch")
+sha512sums=('54cdee16e8253c221c3298817ccf63a4a0d6755a86feea2aa5a2efe9af44eb1eb0a578b21f593fe28fceace17b0a0badb52a66965c35bf456ea57dd3b905ebbe'
+ '9affdf1c41fc9660b0374d2adae8115aa01e31fa13d396a682593ff24248bf4b70fa1266d01a95281fab760265292c0d97f329f71b00e723ad71ae809c4e6235')
+b2sums=('d3a56c2386841909668e34eaa78d202f91ad900230b9d1d4254bfa08312312d020e081aea2839dbb57d85fa26ccfc3f093404801c4dd5c47051f3c9fd2746552'
+ 'b96027d611901e65f90969f796c244acb8605243e2fd23eb2ea946b895464e6e89a39c9886de479f8561a4d55154e2a80dc21f6f29c201a36f7ca429c6962f9f')
prepare() {
cd "${srcdir}"/${_pkgname}-${pkgver}
@@ -21,6 +24,9 @@
# do not run coverage in unittests!
sed -i '/^addopts/d' setup.cfg
+
+ # bad certifi
+ patch -p1 -i ../0001-Do-not-override-the-system-SSL-certificates-with-the.patch
}
build() {
More information about the arch-commits
mailing list