diff --git a/pkgs/development/python-modules/requests/0001-Prefer-NixOS-Nix-default-CA-bundles-over-certifi.patch b/pkgs/development/python-modules/requests/0001-Prefer-NixOS-Nix-default-CA-bundles-over-certifi.patch
new file mode 100644
index 0000000000000..de6a4b5c1b575
--- /dev/null
+++ b/pkgs/development/python-modules/requests/0001-Prefer-NixOS-Nix-default-CA-bundles-over-certifi.patch
@@ -0,0 +1,60 @@
+From b36083efafec5a3c1c5864cd0b62367ddf3856ae Mon Sep 17 00:00:00 2001
+From: Keshav Kini
+Date: Sun, 16 May 2021 20:35:24 -0700
+Subject: [PATCH] Prefer NixOS/Nix default CA bundles over certifi
+
+Normally, requests gets its default CA bundle from the certifi
+package. On NixOS and when using Nix on non-NixOS platforms, we would
+rather default to using our own certificate bundles controlled by the
+Nix/NixOS user.
+
+This commit overrides requests.certs.where(), which previously was
+just aliased to certifi.where(), so that now it does the following:
+
+- When run by Nix on non-NixOS, the environment variable
+ $NIX_SSL_CERT_FILE will point to the CA bundle we're using, so we
+ use that.
+
+- When running on NixOS, the CA bundle we're using has the static path
+ /etc/ssl/certs/ca-certificates.crt , so we use that.
+
+- Otherwise, we fall back to the original behavior of using certifi's
+ CA bundle. Higher in the call stack, users of requests can also
+ explicitly specify a CA bundle to use, which overrides all this
+ logic.
+---
+ requests/certs.py | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/requests/certs.py b/requests/certs.py
+index d1a378d7..faf462b7 100644
+--- a/requests/certs.py
++++ b/requests/certs.py
+@@ -12,7 +12,23 @@ If you are packaging Requests, e.g., for a Linux distribution or a managed
+ environment, you can change the definition of where() to return a separately
+ packaged CA bundle.
+ """
+-from certifi import where
++
++import os
++
++import certifi
++
++
++def where():
++ nix_ssl_cert_file = os.getenv("NIX_SSL_CERT_FILE")
++ if nix_ssl_cert_file and os.path.exists(nix_ssl_cert_file):
++ return nix_ssl_cert_file
++
++ nixos_ca_bundle = "/etc/ssl/certs/ca-certificates.crt"
++ if os.path.exists(nixos_ca_bundle):
++ return nixos_ca_bundle
++
++ return certifi.where()
++
+ 
+ if __name__ == '__main__':
+ print(where())
+-- 
+2.31.1
+
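Review bot: In the new `where()`, a `NIX_SSL_CERT_FILE` that is set but fails `os.path.exists` is skipped without any signal, so a mistyped or not-yet-mounted path that was meant to restrict trust to a private CA silently widens to the system bundle or certifi's public roots. `os.path.exists` is also true for a directory or a file the process cannot read, so `os.path.isfile(nix_ssl_cert_file)` and `os.path.isfile(nixos_ca_bundle)` would be the tighter checks on the two branches. The function has no docstring; I would add one that states the lookup order (environment variable, then `/etc/ssl/certs/ca-certificates.crt`, then certifi) and that a missing environment-variable path falls through rather than raising. If requests computes its default bundle path once at import from this function, as it appears to upstream, the variable is also honoured for sessions that set `trust_env = False`, which is worth saying in that docstring.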
diff --git a/pkgs/development/python-modules/requests/default.nix b/pkgs/development/python-modules/requests/default.nix
index 72feafc771e87..8b5514f639367 100644
--- a/pkgs/development/python-modules/requests/default.nix
+++ b/pkgs/development/python-modules/requests/default.nix
@@ -20,6 +20,8 @@ buildPythonPackage rec {
 sha256 = "sha256-J5c91KkEpPE7JjoZyGbBO5KjntHJZGVfAl8/jT11uAQ=";
 };
 
+ patches = [ ./0001-Prefer-NixOS-Nix-default-CA-bundles-over-certifi.patch ];
+
 postPatch = ''
 # Use latest idna
 substituteInPlace setup.py --replace ",<3" ""