fetchPypiLegacy: Pass cacert to enable TLS verification when username/password is used

The intent was for TLS verification to be enabled when transfering credentials only, and normally disabled for long-term reproducibility.

See https://github.com/nix-community/poetry2nix/issues/1740

pkgs/build-support/fetchpypilegacy/default.nix

@@ -3,7 +3,8 @@
   runCommand,
   lib,
   python3,
-}:
+  cacert,
+}@pkgs:
 let
   inherit (lib)
     optionalAttrs
@@ -18,7 +19,8 @@ let
 
   impureEnvVars = fetchers.proxyImpureEnvVars ++ optional inPureEvalMode "NETRC";
 in
-{
+lib.makeOverridable (
+  {
     # package name
     pname,
     # Package index
@@ -31,20 +33,25 @@ in
     hash,
     # allow overriding the derivation name
     name ? null,
-}:
-let
+    # allow overriding cacert using src.override { cacert = cacert.override { extraCertificateFiles = [ ./path/to/cert.pem ]; }; }
+    cacert ? pkgs.cacert,
+  }:
+  let
     urls' = urls ++ optional (url != null) url;
 
     pathParts = filter ({ prefix, path }: "NETRC" == prefix) builtins.nixPath;
     netrc_file = if (pathParts != [ ]) then (head pathParts).path else "";
 
-in
-# Assert that we have at least one URL
-assert urls' != [ ];
-runCommand file
+  in
+  # Assert that we have at least one URL
+  assert urls' != [ ];
+  runCommand file
     (
       {
-      nativeBuildInputs = [ python3 ];
+        nativeBuildInputs = [
+          python3
+          cacert
+        ];
         inherit impureEnvVars;
         outputHashMode = "flat";
         # if hash is empty select a default algo to let nix propose the actual hash.
@@ -60,3 +67,4 @@ runCommand file
       } --pname ${pname} --filename ${file}
       mv ${file} $out
     ''
+)