- update to 25.2

# 25.1
  * Drop support for Python 3.8.
  * On python 3.14+, the pkg_resources metadata backend cannot be used
    anymore.
  * Hide --no-python-version-warning from CLI help and documentation
    as it's useless since Python 2 support was removed.
  * A warning is emitted when the deprecated pkg_resources library is
    used to inspect and discover installed packages.
  * Deprecate the legacy setup.py bdist_wheel mechanism. To silence
    the warning, and future-proof their setup, users should enable
    --use-pep517 or add a pyproject.toml file to the projects they
    control.
  * Using --debug also enables verbose logging.
  * Display a transient progress bar during package installation.
  * Add a --group option which allows installation from PEP 735
    Dependency Groups.
  * Use PEP 753 "Well-known Project URLs in Metadata" normalization
    rules when identifying an equivalent project URL to replace
    a missing Home-Page field in pip show.
  * Add a new, experimental, pip lock command, implementing PEP 751.
  * Resolvelib 1.1.0 fixes a known issue where pip would report a
    ResolutionImpossible error even though there is a valid solution.
    However, some very complex dependency resolutions that previously
    resolved may resolve slower or fail with an ResolutionTooDeep error.
  # 25.2
  * Declare support for Python 3.14
  * Automatic download resumption and retrying is enabled by default.
  * Requires-Python error message displays version clauses in numerical
    order.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pip?expand=0&rev=142

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

_multibuild

@@ -0,0 +1,3 @@
+<multibuild>
+  <package>test</package>
+</multibuild>

disable-ssl-context-in-buildenv.patch

@@ -0,0 +1,30 @@
+Index: pip-24.2/src/pip/_vendor/requests/adapters.py
+===================================================================
+--- pip-24.2.orig/src/pip/_vendor/requests/adapters.py
++++ pip-24.2/src/pip/_vendor/requests/adapters.py
+@@ -81,7 +81,7 @@ try:
+     _preloaded_ssl_context.load_verify_locations(
+         extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+     )
+-except ImportError:
++except (ImportError, FileNotFoundError, ssl.SSLError):
+     # Bypass default SSLContext creation when Python
+     # interpreter isn't built with the ssl module.
+     _preloaded_ssl_context = None
+Index: pip-24.2/src/pip/_internal/cli/index_command.py
+===================================================================
+--- pip-24.2.orig/src/pip/_internal/cli/index_command.py
++++ pip-24.2/src/pip/_internal/cli/index_command.py
+@@ -43,7 +43,11 @@ def _create_truststore_ssl_context() ->
+         return None
+ 
+     ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+-    ctx.load_verify_locations(certifi.where())
++    try:
++        ctx.load_verify_locations(certifi.where())
++    except (FileNotFoundError, ssl.SSLError):
++        logger.warning("Disabling truststore because of missing certificates")
++        return None
+     return ctx
+ 
+ 

distutils-reproducible-compile.patch

@@ -0,0 +1,17 @@
+---
+ src/pip/_vendor/distlib/wheel.py |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: pip-24.1.1/src/pip/_vendor/distlib/wheel.py
+===================================================================
+--- pip-24.1.1.orig/src/pip/_vendor/distlib/wheel.py
++++ pip-24.1.1/src/pip/_vendor/distlib/wheel.py
+@@ -578,7 +578,7 @@ class Wheel(object):
+             maker.source_dir = workdir
+             maker.target_dir = None
+             try:
+-                for zinfo in zf.infolist():
++                for zinfo in sorted(zf.infolist()):
+                     arcname = zinfo.filename
+                     if isinstance(arcname, text_type):
+                         u_arcname = arcname

flit-core.patch

@@ -0,0 +1,369 @@
+From 9abe08127cb666e9eef9e231d4bec0e89afdc830 Mon Sep 17 00:00:00 2001
+From: Damian Shaw <damian.peter.shaw@gmail.com>
+Date: Fri, 1 Aug 2025 20:59:08 -0400
+Subject: [PATCH 1/5] Use flit to build pip distributions
+
+---
+ .github/workflows/ci.yml                      |  2 +-
+ MANIFEST.in                                   | 34 -----------
+ build-project/build-requirements.in           |  2 +-
+ build-project/build-requirements.txt          | 16 +++--
+ .../html/development/architecture/anatomy.rst |  1 -
+ pyproject.toml                                | 60 +++++++++++--------
+ 6 files changed, 44 insertions(+), 71 deletions(-)
+ delete mode 100644 MANIFEST.in
+
+diff --git a/MANIFEST.in b/MANIFEST.in
+deleted file mode 100644
+index 998cb4f485e..00000000000
+--- a/MANIFEST.in
++++ /dev/null
+@@ -1,34 +0,0 @@
+-include NEWS.rst
+-include README.rst
+-include SECURITY.md
+-include pyproject.toml
+-
+-include build-project/build-requirements.in
+-include build-project/build-requirements.txt
+-include build-project/build-project.py
+-include build-project/.python-version
+-
+-include src/pip/_vendor/README.rst
+-include src/pip/_vendor/vendor.txt
+-
+-include docs/requirements.txt
+-
+-exclude .git-blame-ignore-revs
+-exclude .mailmap
+-exclude .readthedocs.yml
+-exclude .pre-commit-config.yaml
+-exclude .readthedocs-custom-redirects.yml
+-exclude noxfile.py
+-
+-recursive-include src/pip/_vendor *.pem
+-recursive-include src/pip/_vendor py.typed
+-recursive-include docs *.css *.py *.rst *.md
+-recursive-include docs *.dot *.png
+-
+-recursive-exclude src/pip/_vendor *.pyi
+-
+-prune .github
+-prune docs/build
+-prune news
+-prune tests
+-prune tools
+diff --git a/build-project/build-requirements.in b/build-project/build-requirements.in
+index 4bc215a28d0..07a76cea647 100644
+--- a/build-project/build-requirements.in
++++ b/build-project/build-requirements.in
+@@ -1,2 +1,2 @@
+ build
+-setuptools
++flit-core
+diff --git a/build-project/build-requirements.txt b/build-project/build-requirements.txt
+index c0cf0575088..65b647daf2c 100644
+--- a/build-project/build-requirements.txt
++++ b/build-project/build-requirements.txt
+@@ -8,17 +8,15 @@ build==1.2.2.post1 \
+     --hash=sha256:1d61c0887fa860c01971625baae8bdd338e517b836a2f70dd1f7aa3a6b2fc5b5 \
+     --hash=sha256:b36993e92ca9375a219c99e606a122ff365a760a2d4bba0caa09bd5278b608b7
+     # via -r build-requirements.in
+-packaging==24.2 \
+-    --hash=sha256:09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759 \
+-    --hash=sha256:c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f
++flit-core==3.12.0 \
++    --hash=sha256:18f63100d6f94385c6ed57a72073443e1a71a4acb4339491615d0f16d6ff01b2 \
++    --hash=sha256:e7a0304069ea895172e3c7bb703292e992c5d1555dd1233ab7b5621b5b69e62c
++    # via -r build-requirements.in
++packaging==25.0 \
++    --hash=sha256:29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484 \
++    --hash=sha256:d443872c98d677bf60f6a1f2f8c1cb748e8fe762d2bf9d3148b5599295b0fc4f
+     # via build
+ pyproject-hooks==1.2.0 \
+     --hash=sha256:1e859bd5c40fae9448642dd871adf459e5e2084186e8d2c2a79a824c970da1f8 \
+     --hash=sha256:9e5c6bfa8dcc30091c74b0cf803c81fdd29d94f01992a7707bc97babb1141913
+     # via build
+-
+-# The following packages are considered to be unsafe in a requirements file:
+-setuptools==80.9.0 \
+-    --hash=sha256:062d34222ad13e0cc312a4c02d73f059e86a4acbfbdea8f8f76b28c99f306922 \
+-    --hash=sha256:f36b47402ecde768dbfafc46e8e4207b4360c654f1f3bb84475f0a28628fb19c
+-    # via -r build-requirements.in
+diff --git a/docs/html/development/architecture/anatomy.rst b/docs/html/development/architecture/anatomy.rst
+index d5e205654ff..7a0fefbfa63 100644
+--- a/docs/html/development/architecture/anatomy.rst
++++ b/docs/html/development/architecture/anatomy.rst
+@@ -18,7 +18,6 @@ The ``README``, license, ``pyproject.toml``, and so on are in the top level.
+ 
+ * ``AUTHORS.txt``
+ * ``LICENSE.txt``
+-* ``MANIFEST.in``
+ * ``NEWS.rst``
+ * ``pyproject.toml``
+ * ``README.rst``
+diff --git a/pyproject.toml b/pyproject.toml
+index 2da4e4aa2b5..7c68cc64433 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -1,6 +1,5 @@
+ [project]
+ dynamic = ["version"]
+-
+ name = "pip"
+ description = "The PyPA recommended tool for installing Python packages."
+ readme = "README.rst"
+@@ -46,12 +45,13 @@ Source = "https://github.com/pypa/pip"
+ Changelog = "https://pip.pypa.io/en/stable/news/"
+ 
+ [build-system]
+-requires = ["setuptools>=77"]
+-build-backend = "setuptools.build_meta"
++requires = ["flit-core >=3.11,<4"]
++build-backend = "flit_core.buildapi"
+ 
+ [dependency-groups]
+ test = [
+     "cryptography",
++    "flit-core >= 3.11, < 4",
+     "freezegun",
+     "installer",
+     # pytest-subket requires 7.0+
+@@ -73,37 +73,35 @@ test = [
+ ]
+ 
+ test-common-wheels = [
++    "flit-core >= 3.11, < 4",
+     # We pin setuptools<80 because our test suite currently
+     # depends on setup.py develop to generate egg-link files.
+     "setuptools >= 40.8.0, != 60.6.0, <80",
+     "wheel",
++    "flit-core",
+     # As required by pytest-cov.
+     "coverage >= 4.4",
+     "pytest-subket >= 0.8.1",
+ ]
+ 
+-[tool.setuptools]
+-package-dir = {"" = "src"}
+-include-package-data = false
+-
+-[tool.setuptools.dynamic]
+-version = {attr = "pip.__version__"}
+-
+-[tool.setuptools.packages.find]
+-where = ["src"]
+-exclude = ["contrib", "docs", "tests*", "tasks"]
+-
+-[tool.setuptools.package-data]
+-"pip" = ["py.typed"]
+-"pip._vendor" = ["vendor.txt"]
+-"pip._vendor.certifi" = ["*.pem"]
+-"pip._vendor.distlib" = [
+-    "t32.exe",
+-    "t64.exe",
+-    "t64-arm.exe",
+-    "w32.exe",
+-    "w64.exe",
+-    "w64-arm.exe",
++[tool.flit.sdist]
++include = [
++    "NEWS.rst",
++    "SECURITY.md",
++    "build-project/.python-version",
++    "build-project/build-project.py",
++    "build-project/build-requirements.in",
++    "build-project/build-requirements.txt",
++    "docs/requirements.txt",
++    "docs/**/*.css",
++    "docs/**/*.dot",
++    "docs/**/*.md",
++    "docs/**/*.png",
++    "docs/**/*.py",
++    "docs/**/*.rst",
++]
++exclude = [
++    "src/pip/_vendor/**/*.pyi",
+ ]
+ 
+ ######################################################################################
+@@ -362,3 +360,15 @@ exclude_also = [
+     # This excludes typing-specific code, which will be validated by mypy anyway.
+     "if TYPE_CHECKING",
+ ]
++
++[tool.check-sdist]
++git-only = [
++  "tests/**",
++  "tools/**",
++  "news/.gitignore",
++  ".gitattributes",
++  ".gitignore",
++  ".git-blame-ignore-revs",
++  ".mailmap",
++  ".readthedocs-custom-redirects.yml"
++]
+
+From 95f685d279473a401314a4b583ebbcf6ce4720af Mon Sep 17 00:00:00 2001
+From: Damian Shaw <damian.peter.shaw@gmail.com>
+Date: Fri, 1 Aug 2025 20:59:19 -0400
+Subject: [PATCH 2/5] Fix tests for flit
+
+---
+ tests/functional/test_freeze.py      | 41 ++++++++++++----------------
+ tests/functional/test_self_update.py |  3 ++
+ 2 files changed, 21 insertions(+), 23 deletions(-)
+
+diff --git a/tests/functional/test_freeze.py b/tests/functional/test_freeze.py
+index 0a7cedd11cb..9883beb87fd 100644
+--- a/tests/functional/test_freeze.py
++++ b/tests/functional/test_freeze.py
+@@ -99,38 +99,33 @@ def test_freeze_with_pip(script: PipTestEnvironment) -> None:
+ 
+ def test_freeze_with_setuptools(script: PipTestEnvironment) -> None:
+     """
+-    Test that pip shows setuptools only when --all is used
+-    or _should_suppress_build_backends() returns false
++    Test that pip shows setuptools only when --all is used on Python < 3.12,
++    otherwise it should be shown in default freeze output.
+     """
+ 
+     result = script.pip("freeze", "--all")
+     assert "setuptools==" in result.stdout
+ 
+-    (script.site_packages_path / "mock.pth").write_text("import mock\n")
+-
+-    (script.site_packages_path / "mock.py").write_text(
+-        textwrap.dedent(
+-            """\
+-                import pip._internal.commands.freeze as freeze
+-                freeze._should_suppress_build_backends = lambda: False
+-            """
+-        )
+-    )
+-
++    # Test the default behavior (without --all)
+     result = script.pip("freeze")
+-    assert "setuptools==" in result.stdout
+ 
+-    (script.site_packages_path / "mock.py").write_text(
+-        textwrap.dedent(
+-            """\
+-                import pip._internal.commands.freeze as freeze
+-                freeze._should_suppress_build_backends = lambda: True
+-            """
++    should_suppress = sys.version_info < (3, 12)
++    if should_suppress:
++        # setuptools should be hidden in default freeze output
++        assert "setuptools==" not in result.stdout, (
++            f"setuptools should be suppressed in Python {sys.version_info[:2]} "
++            f"but was found in freeze output: {result.stdout}"
++        )
++    else:
++        # setuptools should be shown in default freeze output
++        assert "setuptools==" in result.stdout, (
++            f"setuptools should be shown in Python {sys.version_info[:2]} "
++            f"but was not found in freeze output: {result.stdout}"
+         )
+-    )
+ 
+-    result = script.pip("freeze")
+-    assert "setuptools==" not in result.stdout
++    # --all should always show setuptools regardless of version
++    result_all = script.pip("freeze", "--all")
++    assert "setuptools==" in result_all.stdout
+ 
+ 
+ def test_exclude_and_normalization(script: PipTestEnvironment, tmpdir: Path) -> None:
+diff --git a/tests/functional/test_self_update.py b/tests/functional/test_self_update.py
+index 1331a87c319..9019e89211d 100644
+--- a/tests/functional/test_self_update.py
++++ b/tests/functional/test_self_update.py
+@@ -8,6 +8,9 @@ def test_self_update_editable(script: Any, pip_src: Any) -> None:
+     # mode, that pip can safely update itself to an editable install.
+     # See https://github.com/pypa/pip/issues/12666 for details.
+ 
++    # Install flit-core (build backend) since we use --no-build-isolation
++    script.pip("install", "flit-core")
++
+     # Step 1. Install pip as non-editable. This is expected to succeed as
+     # the existing pip in the environment is installed in editable mode, so
+     # it only places a .pth file in the environment.
+
+From 41352dfaae2b518b361158748303bf6b6a821336 Mon Sep 17 00:00:00 2001
+From: Damian Shaw <damian.peter.shaw@gmail.com>
+Date: Fri, 1 Aug 2025 20:59:26 -0400
+Subject: [PATCH 3/5] News entry
+
+---
+ news/13743.feature.rst | 2 ++
+ 1 file changed, 2 insertions(+)
+ create mode 100644 news/13743.feature.rst
+
+diff --git a/news/13743.feature.rst b/news/13743.feature.rst
+new file mode 100644
+index 00000000000..37f7db147f8
+--- /dev/null
++++ b/news/13743.feature.rst
+@@ -0,0 +1,2 @@
++Building pip itself from source now uses flit-core instead of setuptools.
++This does not affect how pip installs or builds packages you use.
+
+From a7807befc6905429eb4127b6765283155d0e97f3 Mon Sep 17 00:00:00 2001
+From: Damian Shaw <damian.peter.shaw@gmail.com>
+Date: Sat, 2 Aug 2025 13:04:24 -0400
+Subject: [PATCH 4/5] Install flit-core offline for `test_self_update_editable`
+
+---
+ tests/functional/test_self_update.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tests/functional/test_self_update.py b/tests/functional/test_self_update.py
+index 9019e89211d..bd09736aead 100644
+--- a/tests/functional/test_self_update.py
++++ b/tests/functional/test_self_update.py
+@@ -1,15 +1,16 @@
+ # Check that pip can update itself correctly
+ 
++from pathlib import Path
+ from typing import Any
+ 
+ 
+-def test_self_update_editable(script: Any, pip_src: Any) -> None:
++def test_self_update_editable(script: Any, pip_src: Any, common_wheels: Path) -> None:
+     # Test that if we have an environment with pip installed in non-editable
+     # mode, that pip can safely update itself to an editable install.
+     # See https://github.com/pypa/pip/issues/12666 for details.
+ 
+     # Install flit-core (build backend) since we use --no-build-isolation
+-    script.pip("install", "flit-core")
++    script.pip("install", "--no-index", "-f", common_wheels, "flit-core")
+ 
+     # Step 1. Install pip as non-editable. This is expected to succeed as
+     # the existing pip in the environment is installed in editable mode, so
+
+From d652eb9a847e061818ef07ba3e8e2f795a959c0f Mon Sep 17 00:00:00 2001
+From: Damian Shaw <damian.peter.shaw@gmail.com>
+Date: Wed, 6 Aug 2025 20:54:24 -0400
+Subject: [PATCH 5/5] Update pyproject.toml
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Stéphane Bidoul <stephane.bidoul@acsone.eu>
+---
+ pyproject.toml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/pyproject.toml b/pyproject.toml
+index 7c68cc64433..56180b9d4a0 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -78,7 +78,6 @@ test-common-wheels = [
+     # depends on setup.py develop to generate egg-link files.
+     "setuptools >= 40.8.0, != 60.6.0, <80",
+     "wheel",
+-    "flit-core",
+     # As required by pytest-cov.
+     "coverage >= 4.4",
+     "pytest-subket >= 0.8.1",

pip-24.0-gh.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ad0dfe75fb28092a8cbe18523391695ceb0c0d65a5c9a969349fcb13b12b84c7
+size 9398156

pip-25.2-gh.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d09e469f9c6d829eb5094f8369912519c025868a772077e826afd161abd67aee
+size 9121715

pip-shipped-requests-cabundle.patch

@@ -0,0 +1,129 @@
+---
+ src/pip/_vendor/certifi/core.py |  105 +++-------------------------------------
+ tests/unit/test_options.py      |    5 +
+ 2 files changed, 13 insertions(+), 97 deletions(-)
+
+Index: pip-25.2/src/pip/_vendor/certifi/core.py
+===================================================================
+--- pip-25.2.orig/src/pip/_vendor/certifi/core.py
++++ pip-25.2/src/pip/_vendor/certifi/core.py
+@@ -3,81 +3,14 @@ certifi.py
+ ~~~~~~~~~~
+ 
+ This module returns the installation location of cacert.pem or its contents.
++Patched by openSUSE: return the system bundle
+ """
+-import sys
+-import atexit
++def read_text(_module=None, _path=None, encoding="ascii"):
++    with open(where(), "r", encoding=encoding) as data:
++        return data.read()
+ 
+-def exit_cacert_ctx() -> None:
+-    _CACERT_CTX.__exit__(None, None, None)  # type: ignore[union-attr]
++def where() -> str:
++    return "/etc/ssl/ca-bundle.pem"
+ 
+-
+-if sys.version_info >= (3, 11):
+-
+-    from importlib.resources import as_file, files
+-
+-    _CACERT_CTX = None
+-    _CACERT_PATH = None
+-
+-    def where() -> str:
+-        # This is slightly terrible, but we want to delay extracting the file
+-        # in cases where we're inside of a zipimport situation until someone
+-        # actually calls where(), but we don't want to re-extract the file
+-        # on every call of where(), so we'll do it once then store it in a
+-        # global variable.
+-        global _CACERT_CTX
+-        global _CACERT_PATH
+-        if _CACERT_PATH is None:
+-            # This is slightly janky, the importlib.resources API wants you to
+-            # manage the cleanup of this file, so it doesn't actually return a
+-            # path, it returns a context manager that will give you the path
+-            # when you enter it and will do any cleanup when you leave it. In
+-            # the common case of not needing a temporary file, it will just
+-            # return the file system location and the __exit__() is a no-op.
+-            #
+-            # We also have to hold onto the actual context manager, because
+-            # it will do the cleanup whenever it gets garbage collected, so
+-            # we will also store that at the global level as well.
+-            _CACERT_CTX = as_file(files("pip._vendor.certifi").joinpath("cacert.pem"))
+-            _CACERT_PATH = str(_CACERT_CTX.__enter__())
+-            atexit.register(exit_cacert_ctx)
+-
+-        return _CACERT_PATH
+-
+-    def contents() -> str:
+-        return files("pip._vendor.certifi").joinpath("cacert.pem").read_text(encoding="ascii")
+-
+-else:
+-
+-    from importlib.resources import path as get_path, read_text
+-
+-    _CACERT_CTX = None
+-    _CACERT_PATH = None
+-
+-    def where() -> str:
+-        # This is slightly terrible, but we want to delay extracting the
+-        # file in cases where we're inside of a zipimport situation until
+-        # someone actually calls where(), but we don't want to re-extract
+-        # the file on every call of where(), so we'll do it once then store
+-        # it in a global variable.
+-        global _CACERT_CTX
+-        global _CACERT_PATH
+-        if _CACERT_PATH is None:
+-            # This is slightly janky, the importlib.resources API wants you
+-            # to manage the cleanup of this file, so it doesn't actually
+-            # return a path, it returns a context manager that will give
+-            # you the path when you enter it and will do any cleanup when
+-            # you leave it. In the common case of not needing a temporary
+-            # file, it will just return the file system location and the
+-            # __exit__() is a no-op.
+-            #
+-            # We also have to hold onto the actual context manager, because
+-            # it will do the cleanup whenever it gets garbage collected, so
+-            # we will also store that at the global level as well.
+-            _CACERT_CTX = get_path("pip._vendor.certifi", "cacert.pem")
+-            _CACERT_PATH = str(_CACERT_CTX.__enter__())
+-            atexit.register(exit_cacert_ctx)
+-
+-        return _CACERT_PATH
+-
+-    def contents() -> str:
+-        return read_text("pip._vendor.certifi", "cacert.pem", encoding="ascii")
++def contents() -> str:
++    return read_text(encoding="ascii")
+Index: pip-25.2/tests/unit/test_options.py
+===================================================================
+--- pip-25.2.orig/tests/unit/test_options.py
++++ pip-25.2/tests/unit/test_options.py
+@@ -1,6 +1,7 @@
+ from __future__ import annotations
+ 
+ import os
++import os.path
+ from collections.abc import Iterator
+ from contextlib import contextmanager
+ from optparse import Values
+@@ -13,6 +14,7 @@ import pip._internal.configuration
+ from pip._internal.cli.main import main
+ from pip._internal.commands import create_command
+ from pip._internal.commands.configuration import ConfigurationCommand
++from pip._vendor.certifi import where
+ from pip._internal.exceptions import PipError
+ 
+ from tests.lib.options_helpers import AddFakeCommandMixin
+@@ -621,6 +623,9 @@ class TestOptionsConfigFiles:
+         else:
+             assert expect == cmd._determine_file(options, need_value=False)
+ 
++    def test_certificates(self):
++        assert os.path.exists(where())
++
+ 
+ class TestOptionsExpandUser(AddFakeCommandMixin):
+     def test_cache_dir(self) -> None:

python-pip.spec

@@ -0,0 +1,184 @@
+#
+# spec file for package python-pip
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global flavor @BUILD_FLAVOR@%{nil}
+%if "%{flavor}" == "test"
+%define psuffix -test
+%bcond_without test
+%else
+%define psuffix %{nil}
+%bcond_with test
+%endif
+%if 0%{?suse_version} > 1500
+%bcond_without libalternatives
+%else
+%bcond_with libalternatives
+%endif
+# in order to avoid rewriting for subpackage generator
+%define mypython python
+%{?sle15_python_module_pythons}
+Name:           python-pip%{psuffix}
+Version:        25.2
+Release:        0
+Summary:        A Python package management system
+License:        MIT
+URL:            https://pip.pypa.io
+# The PyPI archive lacks the tests
+Source:         https://github.com/pypa/pip/archive/%{version}.tar.gz#/pip-%{version}-gh.tar.gz
+# PATCH-FIX-OPENSUSE pip-shipped-requests-cabundle.patch -- adapted patch from python-certifi package
+Patch0:         pip-shipped-requests-cabundle.patch
+# PATCH-FIX-OPENSUSE: deal missing ca-certificates as "ssl not available"
+Patch1:         disable-ssl-context-in-buildenv.patch
+# PATCH-FIX-UPSTREAM https://github.com/pypa/pip/pull/13473 Use flit-core to build pip distributions
+# setuptools was unable to handle the new license expression for some reason
+Patch2:         flit-core.patch
+BuildRequires:  %{python_module base >= 3.9}
+BuildRequires:  %{python_module flit-core >= 3.11}
+# The rpm python-wheel build is bootstrap friendly since 0.42
+BuildRequires:  %{python_module wheel}
+BuildRequires:  fdupes
+BuildRequires:  python-rpm-macros >= 20210929
+Requires:       ca-certificates
+Requires:       coreutils
+Recommends:     ca-certificates-mozilla
+BuildArch:      noarch
+%if %{with libalternatives}
+BuildRequires:  alts
+Requires:       alts
+%else
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
+%endif
+%if %{with test}
+BuildRequires:  %{python_module PyYAML}
+BuildRequires:  %{python_module Werkzeug}
+BuildRequires:  %{python_module cryptography}
+BuildRequires:  %{python_module freezegun}
+BuildRequires:  %{python_module installer}
+# Test requirements:
+BuildRequires:  %{python_module pip = %{version}}
+BuildRequires:  %{python_module pretend}
+BuildRequires:  %{python_module pytest-socket}
+BuildRequires:  %{python_module pytest-xdist}
+BuildRequires:  %{python_module pytest}
+BuildRequires:  %{python_module scripttest}
+BuildRequires:  %{python_module setuptools-wheel}
+BuildRequires:  %{python_module virtualenv >= 1.10}
+BuildRequires:  ca-certificates-mozilla
+BuildRequires:  git-core
+%endif
+%python_subpackages
+
+%description
+Pip is a replacement for easy_install. It uses mostly the same techniques for
+finding packages, so packages that were made easy_installable should be
+pip-installable as well.
+
+%package wheel
+Summary:        The pip wheel for custom tests and install requirements
+Requires:       %mypython(abi) = %python_version
+
+%description wheel
+This packages provides the pip wheel as separate file for cases where
+the wheel needs to be used directly in test or install setups
+
+%prep
+# Unbundling is not advised by upstream. See src/pip/_vendor/README.rst
+# Exception: Use our own cabundle. Adapted patch from python-certifi package
+%autosetup -p1 -n pip-%{version}
+
+%if %{with test}
+mkdir -p tests/data/common_wheels
+%python_expand cp %{$python_sitelib}/../wheels/setuptools*.whl tests/data/common_wheels/
+%endif
+# remove shebangs verbosely (if only sed would offer a verbose mode...)
+for f in $(find src -name \*.py -exec grep -l '^#!%{_bindir}/env' {} \;); do
+    sed -i 's|^#!%{_bindir}/env .*$||g' $f
+done
+
+# Remove windows executable binaries
+# bsc#1212015
+rm -v src/pip/_vendor/distlib/*.exe
+
+%build
+%if !%{with test}
+%{python_expand # bootstrap with built-in pip
+$python -m venv build/env
+build/env/bin/python -m ensurepip
+export PYTHONPATH=build/env/lib/python%{$python_bin_suffix}/site-packages
+%{$python_pyproject_wheel}
+}
+%endif
+
+%install
+%if !%{with test}
+%{python_expand # use pip bootstrapped above
+export PYTHONPATH=build/env/lib/python%{$python_bin_suffix}/site-packages
+%{$python_pyproject_install}
+install -D -m 0644 -t %{buildroot}%{$python_sitelib}/../wheels dist/*.whl
+%fdupes %{buildroot}%{$python_sitelib}
+}
+
+%{python_expand # Fix shebang path for "pip3.XX" binaries
+sed -i "1s|#\!.*python.*|#\!%{_bindir}/$python|" %{buildroot}%{_bindir}/pip%{$python_bin_suffix}
+}
+
+%python_clone -a %{buildroot}%{_bindir}/pip
+%python_clone -a %{buildroot}%{_bindir}/pip3
+%python_expand %fdupes %{buildroot}%{_bindir}
+%endif
+
+%if %{with test}
+%check
+%pytest -m "not network" tests/unit
+%endif
+
+%pre
+# Since /usr/bin/pip became ghosted to be used with update-alternatives, we have to get rid
+# of the old binary resulting from the non-update-alternatives-ified package:
+[ -h %{_bindir}/pip ] || rm -f %{_bindir}/pip
+[ -h %{_bindir}/pip3 ] || rm -f %{_bindir}/pip3
+# If libalternatives is used: Removing old update-alternatives entries.
+%python_libalternatives_reset_alternative pip
+
+%post
+# keep the alternative groups separate. Users could decide to let pip and pip3 point to
+# different flavors
+%python_install_alternative pip
+%python_install_alternative pip3
+
+%postun
+%python_uninstall_alternative pip
+%python_uninstall_alternative pip3
+
+%if !%{with test}
+%files %{python_files}
+%license LICENSE.txt
+%doc AUTHORS.txt NEWS.rst README.rst
+%python_alternative %{_bindir}/pip
+%python_alternative %{_bindir}/pip3
+%{_bindir}/pip%{python_bin_suffix}
+%{python_sitelib}/pip-%{version}.dist-info
+%{python_sitelib}/pip
+
+%files %{python_files wheel}
+%dir %{python_sitelib}/../wheels
+%{python_sitelib}/../wheels/*
+%endif
+
+%changelog