fetchPypiLegacy: Pass cacert to enable TLS verification when username/password is used

The intent was for TLS verification to be enabled when transfering credentials only, and normally disabled for long-term reproducibility.

See https://github.com/nix-community/poetry2nix/issues/1740

pkgs/build-support/fetchpypilegacy/default.nix

@@ -3,7 +3,8 @@
   runCommand,
   lib,
   python3,
-}:
+  cacert,
+}@pkgs:
 let
   inherit (lib)
     optionalAttrs
@@ -18,6 +19,7 @@ let
 
   impureEnvVars = fetchers.proxyImpureEnvVars ++ optional inPureEvalMode "NETRC";
 in
+lib.makeOverridable (
   {
     # package name
     pname,
@@ -31,6 +33,8 @@ in
     hash,
     # allow overriding the derivation name
     name ? null,
+    # allow overriding cacert using src.override { cacert = cacert.override { extraCertificateFiles = [ ./path/to/cert.pem ]; }; }
+    cacert ? pkgs.cacert,
   }:
   let
     urls' = urls ++ optional (url != null) url;
@@ -44,7 +48,10 @@ assert urls' != [ ];
   runCommand file
     (
       {
-      nativeBuildInputs = [ python3 ];
+        nativeBuildInputs = [
+          python3
+          cacert
+        ];
         inherit impureEnvVars;
         outputHashMode = "flat";
         # if hash is empty select a default algo to let nix propose the actual hash.
@@ -60,3 +67,4 @@ runCommand file
       } --pname ${pname} --filename ${file}
       mv ${file} $out
     ''
+)