ensure we only bundle certifi on linux builds

Author: ewdurbin

cpython-unix/Makefile

@@ -254,7 +254,7 @@ PYTHON_DEPENDS_$(1) := \
     $$(if$$(NEED_AUTOCONF),$$(OUTDIR)/autoconf-$$(AUTOCONF_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_BDB),$$(OUTDIR)/bdb-$$(BDB_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_BZIP2),$$(OUTDIR)/bzip2-$$(BZIP2_VERSION)-$$(PACKAGE_SUFFIX).tar) \
-    $$(OUTDIR)/certifi-$$(CERTIFI_VERSION)-$$(PACKAGE_SUFFIX).tar \
+    $$(if $$(NEED_CERTIFI),$$(OUTDIR)/certifi-$$(CERTIFI_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_EXPAT),$$(OUTDIR)/expat-$$(EXPAT_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_LIBEDIT),$$(OUTDIR)/libedit-$$(LIBEDIT_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_LIBFFI_3_3),$$(OUTDIR)/libffi-3.3-$$(LIBFFI_3.3_VERSION)-$$(PACKAGE_SUFFIX).tar) \

cpython-unix/patch-cpython-redhat-cert-file.patch

@@ -13,16 +13,24 @@ index 42ebb8ed384..c15c0ec940f 100644
 
      sslsocket_class = None  # SSLSocket is assigned later.
      sslobject_class = None  # SSLObject is assigned later.
-@@ -531,6 +534,34 @@ def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
+@@ -531,6 +534,38 @@ def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
          if sys.platform == "win32":
              for storename in self._windows_cert_stores:
                  self._load_windows_store_certs(storename, purpose)
-+        else:
-+            def _cert_dir_has_entries(path):
++        elif sys.platform == "linux":
++            def _has_hashed_certs(path):
 +                if not os.path.isdir(path):
 +                    return False
 +                try:
-+                    return next(os.scandir(path), None) is not None
++                    for entry in os.scandir(path):
++                        name, dot, suffix = entry.name.partition(".")
++                        if dot and len(name) == 8 and suffix.isdigit():
++                            try:
++                                int(name, 16)
++                            except ValueError:
++                                continue
++                            return True
++                    return False
 +                except OSError:
 +                    return False
 +
@@ -31,15 +39,14 @@ index 42ebb8ed384..c15c0ec940f 100644
 +                _def_paths[0] in os.environ or os.path.isfile(_def_paths[1])
 +            )
 +            _has_cert_dir = (
-+                _def_paths[2] in os.environ or _cert_dir_has_entries(_def_paths[3])
++                _def_paths[2] in os.environ or _has_hashed_certs(_def_paths[3])
 +            )
-+            if sys.platform == "linux":
-+                if not _has_cert_file and os.path.isfile(self._FALLBACK_CERT_FILE):
-+                    self.load_verify_locations(cafile=self._FALLBACK_CERT_FILE)
-+                    _has_cert_file = True
-+                if not _has_cert_dir and _cert_dir_has_entries(self._FALLBACK_CERT_DIR):
-+                    self.load_verify_locations(capath=self._FALLBACK_CERT_DIR)
-+                    _has_cert_dir = True
++            if not _has_cert_file and os.path.isfile(self._FALLBACK_CERT_FILE):
++                self.load_verify_locations(cafile=self._FALLBACK_CERT_FILE)
++                _has_cert_file = True
++            if not _has_cert_dir and _has_hashed_certs(self._FALLBACK_CERT_DIR):
++                self.load_verify_locations(capath=self._FALLBACK_CERT_DIR)
++                _has_cert_dir = True
 +            if (self._STANDALONE_CERT_FALLBACK_ENV not in os.environ and
 +                not _has_cert_file and
 +                not _has_cert_dir and

docs/quirks.rst

@@ -74,9 +74,9 @@ ncurses/libedit/readline are loaded.
 Fallback CA Certificate Bundle
 ==============================
 
-On Unix platforms, Python prefers the trust store provided by the host
-operating system. When none of the usual host certificate locations exist,
-these distributions fall back to a bundled CA certificate file at
+On Linux, Python prefers the trust store provided by the host operating
+system. When none of the usual host certificate locations exist, these
+distributions fall back to a bundled CA certificate file at
 ``etc/ssl/cert.pem`` inside the Python installation.
 
 The bundled file is a safety net for minimal environments such as scratch-like

pythonbuild/utils.py

@@ -100,15 +100,26 @@ def target_needs(yaml_path: pathlib.Path, target: str):
     settings = get_targets(yaml_path)[target]
 
     needs = set(settings["needs"])
-    # Every Unix distribution ships a fallback CA bundle.
-    needs.add("certifi")
+    # Linux distributions ship a fallback CA bundle for minimal images.
+    if "-linux-" in target:
+        needs.add("certifi")
 
     # Ship libedit linked readline extension to avoid a GPL dependency.
     needs.discard("readline")
 
     return needs
 
 
+def target_makefile_needs(target: str, settings: dict) -> set[str]:
+    """Obtain dependency names that should be emitted into target Makefiles."""
+    needs = set(settings.get("needs", []))
+
+    if "-linux-" in target:
+        needs.add("certifi")
+
+    return needs
+
+
 def release_tag_from_git():
     return (
         subprocess.check_output(
@@ -192,7 +203,7 @@ def write_triples_makefiles(
             makefile_path = dest_dir / ("Makefile.%s.%s" % (host_platform, triple))
 
             lines = []
-            for need in settings.get("needs", []):
+            for need in sorted(target_makefile_needs(triple, settings)):
                 lines.append(
                     "NEED_%s := 1\n" % need.upper().replace("-", "_").replace(".", "_")
                 )