[arch-commits] Commit in python-httpx/trunk (2 files)

Eli Schwartz eschwartz at archlinux.org
Mon Jul 13 16:42:54 UTC 2020


    Date: Monday, July 13, 2020 @ 16:42:53
  Author: eschwartz
Revision: 663435

upgpkg: python-httpx 0.13.3-5: don't let certifi be used -- FS#67260

Added:
  python-httpx/trunk/0001-Do-not-override-the-system-SSL-certificates-with-the.patch
Modified:
  python-httpx/trunk/PKGBUILD

-----------------------------------------------------------------+
 0001-Do-not-override-the-system-SSL-certificates-with-the.patch |   87 ++++++++++
 PKGBUILD                                                        |   16 +
 2 files changed, 98 insertions(+), 5 deletions(-)

Added: 0001-Do-not-override-the-system-SSL-certificates-with-the.patch
===================================================================
--- 0001-Do-not-override-the-system-SSL-certificates-with-the.patch	                        (rev 0)
+++ 0001-Do-not-override-the-system-SSL-certificates-with-the.patch	2020-07-13 16:42:53 UTC (rev 663435)
@@ -0,0 +1,87 @@
+From b3d83c15c366747bf84772311eecad29e1413cb5 Mon Sep 17 00:00:00 2001
+From: Eli Schwartz <eschwartz at archlinux.org>
+Date: Mon, 13 Jul 2020 11:29:54 -0400
+Subject: [PATCH] Do not override the system SSL certificates with the certifi
+ bundle.
+
+We need to respect the system certification policy, and by default the
+ssl module will use our packaged ca-certificates.
+
+ssl.create_default_context(cafile=None) is the default to use the
+builtin (system) certs, but due to the sorcery which this module uses to
+check how arguments are being passed, it's less invasive to simply
+hardcode the standard certificate path instead of letting python
+properly handle it.
+---
+ httpx/_config.py     | 4 +---
+ setup.py             | 1 -
+ tests/test_config.py | 5 ++---
+ 3 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/httpx/_config.py b/httpx/_config.py
+index 3785af9..d6aecf3 100644
+--- a/httpx/_config.py
++++ b/httpx/_config.py
+@@ -4,8 +4,6 @@ import typing
+ from base64 import b64encode
+ from pathlib import Path
+ 
+-import certifi
+-
+ from ._models import URL, Headers
+ from ._types import CertTypes, HeaderTypes, TimeoutTypes, URLTypes, VerifyTypes
+ from ._utils import get_ca_bundle_from_env, get_logger, warn_deprecated
+@@ -45,7 +43,7 @@ class SSLConfig:
+     SSL Configuration.
+     """
+ 
+-    DEFAULT_CA_BUNDLE_PATH = Path(certifi.where())
++    DEFAULT_CA_BUNDLE_PATH = Path("/etc/ssl/certs/ca-certificates.crt")
+ 
+     def __init__(
+         self,
+diff --git a/setup.py b/setup.py
+index cc62169..e6fe71a 100644
+--- a/setup.py
++++ b/setup.py
+@@ -55,7 +55,6 @@ setup(
+     include_package_data=True,
+     zip_safe=False,
+     install_requires=[
+-        "certifi",
+         "hstspreload",
+         "sniffio",
+         "chardet==3.*",
+diff --git a/tests/test_config.py b/tests/test_config.py
+index 41d8191..286da00 100644
+--- a/tests/test_config.py
++++ b/tests/test_config.py
+@@ -4,7 +4,6 @@ import ssl
+ import sys
+ from pathlib import Path
+ 
+-import certifi
+ import pytest
+ 
+ import httpx
+@@ -24,7 +23,7 @@ def test_load_ssl_config_verify_non_existing_path():
+ 
+ 
+ def test_load_ssl_config_verify_existing_file():
+-    ssl_config = SSLConfig(verify=certifi.where())
++    ssl_config = SSLConfig(verify="/etc/ssl/certs/ca-certificates.crt")
+     context = ssl_config.ssl_context
+     assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
+     assert context.check_hostname is True
+@@ -55,7 +54,7 @@ def test_load_ssl_config_verify_env_file(https_server, ca_cert_pem_file, config)
+ 
+ 
+ def test_load_ssl_config_verify_directory():
+-    path = Path(certifi.where()).parent
++    path = Path("/etc/ssl/certs/ca-certificates.crt").parent
+     ssl_config = SSLConfig(verify=path)
+     context = ssl_config.ssl_context
+     assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
+-- 
+2.27.0
+
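Review bot: The literal `/etc/ssl/certs/ca-certificates.crt` now appears three times in the embedded patch: once as `DEFAULT_CA_BUNDLE_PATH` in httpx/_config.py and twice in tests/test_config.py, so a later path change has to be made in three places. The two tests could read it from the class instead, `ssl_config = SSLConfig(verify=str(SSLConfig.DEFAULT_CA_BUNDLE_PATH))` and `path = SSLConfig.DEFAULT_CA_BUNDLE_PATH.parent`. The constant would also benefit from a comment such as `# Distribution trust store; the certifi bundle is deliberately not used (FS#67260).` so the downstream change is self-explanatory when reading the installed module. Both tests now depend on that file existing in the build environment, and how `SSLConfig` behaves when it is absent cannot be seen here because `__init__` and the context-loading code are outside these hunks.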

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2020-07-13 16:42:44 UTC (rev 663434)
+++ PKGBUILD	2020-07-13 16:42:53 UTC (rev 663435)
@@ -3,18 +3,21 @@
 _pkgname=httpx
 pkgname=python-httpx
 pkgver=0.13.3
-pkgrel=4
+pkgrel=5
 pkgdesc="A next generation HTTP client for Python"
 arch=('any')
 url="https://github.com/encode/${_pkgname}"
 license=('BSD')
-depends=('python-certifi' 'python-chardet' 'python-hstspreload' 'python-httpcore' 'python-idna' 'python-rfc3986' 'python-sniffio')
+depends=('python-chardet' 'python-hstspreload' 'python-httpcore' 'python-idna' 'python-rfc3986' 'python-sniffio')
 optdepends=('python-brotli: for brotli response decompression')
 makedepends=('python-setuptools')
 checkdepends=('python-pytest-asyncio' 'python-pytest-trio' 'python-brotli' 'python-trustme' 'uvicorn')
-source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz")
-sha512sums=('54cdee16e8253c221c3298817ccf63a4a0d6755a86feea2aa5a2efe9af44eb1eb0a578b21f593fe28fceace17b0a0badb52a66965c35bf456ea57dd3b905ebbe')
-b2sums=('d3a56c2386841909668e34eaa78d202f91ad900230b9d1d4254bfa08312312d020e081aea2839dbb57d85fa26ccfc3f093404801c4dd5c47051f3c9fd2746552')
+source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz"
+        "0001-Do-not-override-the-system-SSL-certificates-with-the.patch")
+sha512sums=('54cdee16e8253c221c3298817ccf63a4a0d6755a86feea2aa5a2efe9af44eb1eb0a578b21f593fe28fceace17b0a0badb52a66965c35bf456ea57dd3b905ebbe'
+            '9affdf1c41fc9660b0374d2adae8115aa01e31fa13d396a682593ff24248bf4b70fa1266d01a95281fab760265292c0d97f329f71b00e723ad71ae809c4e6235')
+b2sums=('d3a56c2386841909668e34eaa78d202f91ad900230b9d1d4254bfa08312312d020e081aea2839dbb57d85fa26ccfc3f093404801c4dd5c47051f3c9fd2746552'
+        'b96027d611901e65f90969f796c244acb8605243e2fd23eb2ea946b895464e6e89a39c9886de479f8561a4d55154e2a80dc21f6f29c201a36f7ca429c6962f9f')
 
 prepare() {
     cd "${srcdir}"/${_pkgname}-${pkgver}
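Review bot: The `depends` array drops `python-certifi` but adds nothing for the file the patched code now reads, `/etc/ssl/certs/ca-certificates.crt`. The package that ships that bundle should probably be listed explicitly, for example `depends=('ca-certificates' 'python-chardet' ...)`, so that certificate verification never depends on the trust store being installed by some unrelated package. Whether it is already pulled in transitively by one of the listed dependencies is not visible on this page, so this is worth confirming in a clean chroot, including for `check()`, since the patched tests open the same path.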
@@ -21,6 +24,9 @@
 
     # do not run coverage in unittests!
     sed -i '/^addopts/d' setup.cfg
+
+    # bad certifi
+    patch -p1 -i ../0001-Do-not-override-the-system-SSL-certificates-with-the.patch
 }
 
 build() {
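Review bot: The added comment `# bad certifi` does not tell the next maintainer why the patch exists or when it can be dropped. Something like `# use the system trust store instead of certifi's bundled CA list (FS#67260)` records the security reason at the point of use. The `patch` call could also name the file as `"${srcdir}"/0001-Do-not-override-the-system-SSL-certificates-with-the.patch` to match the quoting style of the `cd` at the top of `prepare()`, which begins in the previous hunk.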


