upgpkg: python-httpx 0.13.3-5: don't let certifi be used -- FS#67260

git-svn-id: file:///srv/repos/svn-community/svn@663435 9fca08f4-af9d-4005-b8df-a31f2cc04f65

3 files changed, 102 insertions, 7 deletions

diff --git a/.SRCINFO b/.SRCINFO
index fe37e506a06a..3cbb09e79e04 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
 pkgbase = python-httpx
 	pkgdesc = A next generation HTTP client for Python
 	pkgver = 0.13.3
-	pkgrel = 4
+	pkgrel = 5
 	url = https://github.com/encode/httpx
 	arch = any
 	license = BSD
@@ -11,7 +11,6 @@ pkgbase = python-httpx
 	checkdepends = python-trustme
 	checkdepends = uvicorn
 	makedepends = python-setuptools
-	depends = python-certifi
 	depends = python-chardet
 	depends = python-hstspreload
 	depends = python-httpcore
@@ -20,7 +19,10 @@ pkgbase = python-httpx
 	depends = python-sniffio
 	optdepends = python-brotli: for brotli response decompression
 	source = python-httpx-0.13.3.tar.gz::https://github.com/encode/httpx/archive/0.13.3.tar.gz
+	source = 0001-Do-not-override-the-system-SSL-certificates-with-the.patch
 	sha512sums = 54cdee16e8253c221c3298817ccf63a4a0d6755a86feea2aa5a2efe9af44eb1eb0a578b21f593fe28fceace17b0a0badb52a66965c35bf456ea57dd3b905ebbe
+	sha512sums = 9affdf1c41fc9660b0374d2adae8115aa01e31fa13d396a682593ff24248bf4b70fa1266d01a95281fab760265292c0d97f329f71b00e723ad71ae809c4e6235
 	b2sums = d3a56c2386841909668e34eaa78d202f91ad900230b9d1d4254bfa08312312d020e081aea2839dbb57d85fa26ccfc3f093404801c4dd5c47051f3c9fd2746552
+	b2sums = b96027d611901e65f90969f796c244acb8605243e2fd23eb2ea946b895464e6e89a39c9886de479f8561a4d55154e2a80dc21f6f29c201a36f7ca429c6962f9f
 
 pkgname = python-httpx
diff --git a/0001-Do-not-override-the-system-SSL-certificates-with-the.patch b/0001-Do-not-override-the-system-SSL-certificates-with-the.patch
new file mode 100644
index 000000000000..168a99947941
--- /dev/null
+++ b/0001-Do-not-override-the-system-SSL-certificates-with-the.patch
@@ -0,0 +1,87 @@
+From b3d83c15c366747bf84772311eecad29e1413cb5 Mon Sep 17 00:00:00 2001
+From: Eli Schwartz <eschwartz@archlinux.org>
+Date: Mon, 13 Jul 2020 11:29:54 -0400
+Subject: [PATCH] Do not override the system SSL certificates with the certifi
+ bundle.
+
+We need to respect the system certification policy, and by default the
+ssl module will use our packaged ca-certificates.
+
+ssl.create_default_context(cafile=None) is the default to use the
+builtin (system) certs, but due to the sorcery which this module uses to
+check how arguments are being passed, it's less invasive to simply
+hardcode the standard certificate path instead of letting python
+properly handle it.
+---
+ httpx/_config.py     | 4 +---
+ setup.py             | 1 -
+ tests/test_config.py | 5 ++---
+ 3 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/httpx/_config.py b/httpx/_config.py
+index 3785af9..d6aecf3 100644
+--- a/httpx/_config.py
++++ b/httpx/_config.py
+@@ -4,8 +4,6 @@ import typing
+ from base64 import b64encode
+ from pathlib import Path
+ 
+-import certifi
+-
+ from ._models import URL, Headers
+ from ._types import CertTypes, HeaderTypes, TimeoutTypes, URLTypes, VerifyTypes
+ from ._utils import get_ca_bundle_from_env, get_logger, warn_deprecated
+@@ -45,7 +43,7 @@ class SSLConfig:
+     SSL Configuration.
+     """
+ 
+-    DEFAULT_CA_BUNDLE_PATH = Path(certifi.where())
++    DEFAULT_CA_BUNDLE_PATH = Path("/etc/ssl/certs/ca-certificates.crt")
+ 
+     def __init__(
+         self,
+diff --git a/setup.py b/setup.py
+index cc62169..e6fe71a 100644
+--- a/setup.py
++++ b/setup.py
+@@ -55,7 +55,6 @@ setup(
+     include_package_data=True,
+     zip_safe=False,
+     install_requires=[
+-        "certifi",
+         "hstspreload",
+         "sniffio",
+         "chardet==3.*",
+diff --git a/tests/test_config.py b/tests/test_config.py
+index 41d8191..286da00 100644
+--- a/tests/test_config.py
++++ b/tests/test_config.py
+@@ -4,7 +4,6 @@ import ssl
+ import sys
+ from pathlib import Path
+ 
+-import certifi
+ import pytest
+ 
+ import httpx
+@@ -24,7 +23,7 @@ def test_load_ssl_config_verify_non_existing_path():
+ 
+ 
+ def test_load_ssl_config_verify_existing_file():
+-    ssl_config = SSLConfig(verify=certifi.where())
++    ssl_config = SSLConfig(verify="/etc/ssl/certs/ca-certificates.crt")
+     context = ssl_config.ssl_context
+     assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
+     assert context.check_hostname is True
+@@ -55,7 +54,7 @@ def test_load_ssl_config_verify_env_file(https_server, ca_cert_pem_file, config)
+ 
+ 
+ def test_load_ssl_config_verify_directory():
+-    path = Path(certifi.where()).parent
++    path = Path("/etc/ssl/certs/ca-certificates.crt").parent
+     ssl_config = SSLConfig(verify=path)
+     context = ssl_config.ssl_context
+     assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
+-- 
+2.27.0
+
diff --git a/PKGBUILD b/PKGBUILD
index ec4efde468e2..ea13cb109b67 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,24 +3,30 @@
 _pkgname=httpx
 pkgname=python-httpx
 pkgver=0.13.3
-pkgrel=4
+pkgrel=5
 pkgdesc="A next generation HTTP client for Python"
 arch=('any')
 url="https://github.com/encode/${_pkgname}"
 license=('BSD')
-depends=('python-certifi' 'python-chardet' 'python-hstspreload' 'python-httpcore' 'python-idna' 'python-rfc3986' 'python-sniffio')
+depends=('python-chardet' 'python-hstspreload' 'python-httpcore' 'python-idna' 'python-rfc3986' 'python-sniffio')
 optdepends=('python-brotli: for brotli response decompression')
 makedepends=('python-setuptools')
 checkdepends=('python-pytest-asyncio' 'python-pytest-trio' 'python-brotli' 'python-trustme' 'uvicorn')
-source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz")
-sha512sums=('54cdee16e8253c221c3298817ccf63a4a0d6755a86feea2aa5a2efe9af44eb1eb0a578b21f593fe28fceace17b0a0badb52a66965c35bf456ea57dd3b905ebbe')
-b2sums=('d3a56c2386841909668e34eaa78d202f91ad900230b9d1d4254bfa08312312d020e081aea2839dbb57d85fa26ccfc3f093404801c4dd5c47051f3c9fd2746552')
+source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz"
+        "0001-Do-not-override-the-system-SSL-certificates-with-the.patch")
+sha512sums=('54cdee16e8253c221c3298817ccf63a4a0d6755a86feea2aa5a2efe9af44eb1eb0a578b21f593fe28fceace17b0a0badb52a66965c35bf456ea57dd3b905ebbe'
+            '9affdf1c41fc9660b0374d2adae8115aa01e31fa13d396a682593ff24248bf4b70fa1266d01a95281fab760265292c0d97f329f71b00e723ad71ae809c4e6235')
+b2sums=('d3a56c2386841909668e34eaa78d202f91ad900230b9d1d4254bfa08312312d020e081aea2839dbb57d85fa26ccfc3f093404801c4dd5c47051f3c9fd2746552'
+        'b96027d611901e65f90969f796c244acb8605243e2fd23eb2ea946b895464e6e89a39c9886de479f8561a4d55154e2a80dc21f6f29c201a36f7ca429c6962f9f')
 
 prepare() {
     cd "${srcdir}"/${_pkgname}-${pkgver}
 
     # do not run coverage in unittests!
     sed -i '/^addopts/d' setup.cfg
+
+    # bad certifi
+    patch -p1 -i ../0001-Do-not-override-the-system-SSL-certificates-with-the.patch
 }
 
 build() {