author | eschwartz | 2020-07-13 16:42:53 +0000 |
---|---|---|
committer | Jakob Gahde | 2022-01-05 11:49:48 +0100 |
commit | ff90dd5c2e5c16f896a7247fa23041b960705647 (patch) | |
tree | 4a493afc4324245c5f6f2230ebda6490756727f2 | |
parent | 060dca6f0e8d736bfb902b0b52b3cdab11486b2c (diff) | |
download | aur-ff90dd5c2e5c16f896a7247fa23041b960705647.tar.gz |
upgpkg: python-httpx 0.13.3-5: don't let certifi be used -- FS#67260
git-svn-id: file:///srv/repos/svn-community/svn@663435 9fca08f4-af9d-4005-b8df-a31f2cc04f65
-rw-r--r-- | .SRCINFO | 6 | ||||
-rw-r--r-- | 0001-Do-not-override-the-system-SSL-certificates-with-the.patch | 87 | ||||
-rw-r--r-- | PKGBUILD | 16 |
3 files changed, 102 insertions, 7 deletions
@@ -1,7 +1,7 @@
 pkgbase = python-httpx
 pkgdesc = A next generation HTTP client for Python
 pkgver = 0.13.3
- pkgrel = 4
+ pkgrel = 5
 url = https://github.com/encode/httpx
 arch = any
 license = BSD
@@ -11,7 +11,6 @@ pkgbase = python-httpx
 checkdepends = python-trustme
 checkdepends = uvicorn
 makedepends = python-setuptools
- depends = python-certifi
 depends = python-chardet
 depends = python-hstspreload
 depends = python-httpcore
@@ -20,7 +19,10 @@ pkgbase = python-httpx
 depends = python-sniffio
 optdepends = python-brotli: for brotli response decompression
 source = python-httpx-0.13.3.tar.gz::https://github.com/encode/httpx/archive/0.13.3.tar.gz
+ source = 0001-Do-not-override-the-system-SSL-certificates-with-the.patch
 sha512sums = 54cdee16e8253c221c3298817ccf63a4a0d6755a86feea2aa5a2efe9af44eb1eb0a578b21f593fe28fceace17b0a0badb52a66965c35bf456ea57dd3b905ebbe
+ sha512sums = 9affdf1c41fc9660b0374d2adae8115aa01e31fa13d396a682593ff24248bf4b70fa1266d01a95281fab760265292c0d97f329f71b00e723ad71ae809c4e6235
 b2sums = d3a56c2386841909668e34eaa78d202f91ad900230b9d1d4254bfa08312312d020e081aea2839dbb57d85fa26ccfc3f093404801c4dd5c47051f3c9fd2746552
+ b2sums = b96027d611901e65f90969f796c244acb8605243e2fd23eb2ea946b895464e6e89a39c9886de479f8561a4d55154e2a80dc21f6f29c201a36f7ca429c6962f9f
 pkgname = python-httpx
diff --git a/0001-Do-not-override-the-system-SSL-certificates-with-the.patch b/0001-Do-not-override-the-system-SSL-certificates-with-the.patch
new file mode 100644
index 000000000000..168a99947941
--- /dev/null
+++ b/0001-Do-not-override-the-system-SSL-certificates-with-the.patch
@@ -0,0 +1,87 @@
+From b3d83c15c366747bf84772311eecad29e1413cb5 Mon Sep 17 00:00:00 2001
+From: Eli Schwartz <eschwartz@archlinux.org>
+Date: Mon, 13 Jul 2020 11:29:54 -0400
+Subject: [PATCH] Do not override the system SSL certificates with the certifi
+ bundle.
+
+We need to respect the system certification policy, and by default the
+ssl module will use our packaged ca-certificates.
+
+ssl.create_default_context(cafile=None) is the default to use the
+builtin (system) certs, but due to the sorcery which this module uses to
+check how arguments are being passed, it's less invasive to simply
+hardcode the standard certificate path instead of letting python
+properly handle it.
+---
+ httpx/_config.py | 4 +---
+ setup.py | 1 -
+ tests/test_config.py | 5 ++---
+ 3 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/httpx/_config.py b/httpx/_config.py
+index 3785af9..d6aecf3 100644
+--- a/httpx/_config.py
++++ b/httpx/_config.py
+@@ -4,8 +4,6 @@ import typing
+ from base64 import b64encode
+ from pathlib import Path
+
+-import certifi
+-
+ from ._models import URL, Headers
+ from ._types import CertTypes, HeaderTypes, TimeoutTypes, URLTypes, VerifyTypes
+ from ._utils import get_ca_bundle_from_env, get_logger, warn_deprecated
+@@ -45,7 +43,7 @@ class SSLConfig:
+ SSL Configuration.
+ """
+
+- DEFAULT_CA_BUNDLE_PATH = Path(certifi.where())
++ DEFAULT_CA_BUNDLE_PATH = Path("/etc/ssl/certs/ca-certificates.crt")
+
+ def __init__(
+ self,
+diff --git a/setup.py b/setup.py
+index cc62169..e6fe71a 100644
+--- a/setup.py
++++ b/setup.py
+@@ -55,7 +55,6 @@ setup(
+ include_package_data=True,
+ zip_safe=False,
+ install_requires=[
+- "certifi",
+ "hstspreload",
+ "sniffio",
+ "chardet==3.*",
+diff --git a/tests/test_config.py b/tests/test_config.py
+index 41d8191..286da00 100644
+--- a/tests/test_config.py
++++ b/tests/test_config.py
+@@ -4,7 +4,6 @@ import ssl
+ import sys
+ from pathlib import Path
+
+-import certifi
+ import pytest
+
+ import httpx
+@@ -24,7 +23,7 @@ def test_load_ssl_config_verify_non_existing_path():
+
+
+ def test_load_ssl_config_verify_existing_file():
+- ssl_config = SSLConfig(verify=certifi.where())
++ ssl_config = SSLConfig(verify="/etc/ssl/certs/ca-certificates.crt")
+ context = ssl_config.ssl_context
+ assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
+ assert context.check_hostname is True
+@@ -55,7 +54,7 @@ def test_load_ssl_config_verify_env_file(https_server, ca_cert_pem_file, config)
+
+
+ def test_load_ssl_config_verify_directory():
+- path = Path(certifi.where()).parent
++ path = Path("/etc/ssl/certs/ca-certificates.crt").parent
+ ssl_config = SSLConfig(verify=path)
+ context = ssl_config.ssl_context
+ assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
+--
+2.27.0
+
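Review bot: The new `DEFAULT_CA_BUNDLE_PATH = Path("/etc/ssl/certs/ca-certificates.crt")` in httpx/_config.py carries no comment marking it as a distribution-specific trust-store path, and the same literal is repeated twice in tests/test_config.py. A comment above the constant such as `# Arch: system CA bundle from ca-certificates, replaces certifi.where() (FS#67260)` would record why it differs from upstream. The two tests could pass `SSLConfig.DEFAULT_CA_BUNDLE_PATH` (and its `.parent`) instead of the literal so the path is defined in one place. How SSLConfig behaves when that file is absent is outside the embedded hunks; it is worth confirming that certificate verification then fails closed rather than continuing with an empty or different store.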
@@ -3,24 +3,30 @@
 _pkgname=httpx
 pkgname=python-httpx
 pkgver=0.13.3
-pkgrel=4
+pkgrel=5
 pkgdesc="A next generation HTTP client for Python"
 arch=('any')
 url="https://github.com/encode/${_pkgname}"
 license=('BSD')
-depends=('python-certifi' 'python-chardet' 'python-hstspreload' 'python-httpcore' 'python-idna' 'python-rfc3986' 'python-sniffio')
+depends=('python-chardet' 'python-hstspreload' 'python-httpcore' 'python-idna' 'python-rfc3986' 'python-sniffio')
 optdepends=('python-brotli: for brotli response decompression')
 makedepends=('python-setuptools')
 checkdepends=('python-pytest-asyncio' 'python-pytest-trio' 'python-brotli' 'python-trustme' 'uvicorn')
-source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz")
-sha512sums=('54cdee16e8253c221c3298817ccf63a4a0d6755a86feea2aa5a2efe9af44eb1eb0a578b21f593fe28fceace17b0a0badb52a66965c35bf456ea57dd3b905ebbe')
-b2sums=('d3a56c2386841909668e34eaa78d202f91ad900230b9d1d4254bfa08312312d020e081aea2839dbb57d85fa26ccfc3f093404801c4dd5c47051f3c9fd2746552')
+source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz"
+ "0001-Do-not-override-the-system-SSL-certificates-with-the.patch")
+sha512sums=('54cdee16e8253c221c3298817ccf63a4a0d6755a86feea2aa5a2efe9af44eb1eb0a578b21f593fe28fceace17b0a0badb52a66965c35bf456ea57dd3b905ebbe'
+ '9affdf1c41fc9660b0374d2adae8115aa01e31fa13d396a682593ff24248bf4b70fa1266d01a95281fab760265292c0d97f329f71b00e723ad71ae809c4e6235')
+b2sums=('d3a56c2386841909668e34eaa78d202f91ad900230b9d1d4254bfa08312312d020e081aea2839dbb57d85fa26ccfc3f093404801c4dd5c47051f3c9fd2746552'
+ 'b96027d611901e65f90969f796c244acb8605243e2fd23eb2ea946b895464e6e89a39c9886de479f8561a4d55154e2a80dc21f6f29c201a36f7ca429c6962f9f')
 prepare() {
 cd "${srcdir}"/${_pkgname}-${pkgver}
 # do not run coverage in unittests!
 sed -i '/^addopts/d' setup.cfg
+
+ # bad certifi
+ patch -p1 -i ../0001-Do-not-override-the-system-SSL-certificates-with-the.patch
 }
 build() { |
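Review bot: The new `depends=` line drops 'python-certifi' but adds nothing that provides /etc/ssl/certs/ca-certificates.crt, the path the applied patch hard-codes, so the package presumably relies on the trust store being installed transitively. Listing it explicitly, e.g. `depends=('ca-certificates' 'python-chardet' ...)`, would make that runtime requirement visible; confirm which package actually owns the file before adding it. In prepare(), the comment `# bad certifi` would be clearer as `# use the system CA bundle instead of certifi (FS#67260)`. The hunk ends at the opening line of build(), whose body is outside it.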