component/ca-certificates: don't use implicit `python`

We can not rely on system python here, it's a bit better to rely on buildout's python ( the main reason is that it complies with slapos-sr-testing not having system python ). The implementation is a bit complicated, we can not just reference ${buildout:executable} in the profile, because doing so will cause an infinite loop with rebootstrap and software installation never finish because options of ca-certificates change at every run if they include the python path. Instead, we use a pre-make-hook to rewrite the Makefile without saving the interpreter in option. This python is only used during the build process (to generate the certificate files) and not used at run time, so it does not really depend on python strictly speaking. Anyway, because it's a component used very early in the bootstrap, we can not reference python here.

component/ca-certificates: don't use implicit `python`
We can not rely on system python here, it's a bit better to rely on buildout's python ( the main reason is that it complies with slapos-sr-testing not having system python ). The implementation is a bit complicated, we can not just reference ${buildout:executable} in the profile, because doing so will cause an infinite loop with rebootstrap and software installation never finish because options of ca-certificates change at every run if they include the python path. Instead, we use a pre-make-hook to rewrite the Makefile without saving the interpreter in option. This python is only used during the build process (to generate the certificate files) and not used at run time, so it does not really depend on python strictly speaking. Anyway, because it's a component used very early in the bootstrap, we can not reference python here.
b3d4ce61 · Jérome Perrin · f57c57a3 · b3d4ce61 · b3d4ce61 · b3d4ce61
Commit b3d4ce61 authored Oct 12, 2023 by Jérome Perrin
3 changed files
--- a/component/ca-certificates/buildout.cfg
+++ b/component/ca-certificates/buildout.cfg
@@ -16,7 +16,7 @@ url = https://deb.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_
 md5sum = fc1c3ec0067385f0be8ac7f6e670a0f8
 patch-binary = ${patch:location}/bin/patch
 patches =
-  ${:_profile_base_location_}/ca-certificates-any-python.patch#c13b44dfc3157dda13a9a2ff97a9d501
+  ${:_profile_base_location_}/ca-certificates-any-python.patch#a5817d1b7162f8f814960f72c747e3af
  ${:_profile_base_location_}/ca-certificates-mkdir-p.patch#02ed8a6d60c39c4b088657888af345ef
  ${:_profile_base_location_}/ca-certificates-no-cryptography.patch#14ad1308623b0d15420906ae3d9b4867
 patch-options = -p0
@@ -24,3 +24,5 @@ configure-command = true
 make-targets = install DESTDIR=@@LOCATION@@ CERTSDIR=certs SBINDIR=sbin
 environment =
  PATH=${xz-utils:location}/bin:%(PATH)s
+pre-make-hook =
+  ${:_profile_base_location_}/ca-certificates-pre-make-hook.py#9e2f6f22d91ea7a089f0ea2c523b0c1e:pre_make_hook
--- a/component/ca-certificates/ca-certificates-any-python.patch
+++ b/component/ca-certificates/ca-certificates-any-python.patch
@@ -11,13 +11,12 @@
     if line.startswith('CKA_CLASS'):
 --- mozilla/Makefile	2015-12-20 10:49:23.000000000 +0100
 +++ mozilla/Makefile	2016-01-05 20:19:11.006874271 +0100
-@@ -3,7 +3,8 @@
+@@ -3,7 +3,7 @@
 #
 
 all:
 -	python3 certdata2pem.py
-+	for x in 3 '' 2; do type python$$x && break; done >/dev/null \
-+	&& python$$x certdata2pem.py
+	SLAPOS_BUILDOUT_PYTHON certdata2pem.py
 
 clean:
 	-rm -f *.crt
--- a/component/ca-certificates/ca-certificates-pre-make-hook.py
+++ b/component/ca-certificates/ca-certificates-pre-make-hook.py
+import pathlib
+import sys
+
+def pre_make_hook(options, buildout, environ):
+  makefile = pathlib.Path('mozilla/Makefile')
+  txt = makefile.read_text().replace('SLAPOS_BUILDOUT_PYTHON', sys.executable)
+  makefile.write_text(txt)