While hacking on Anitya yesterday, an idea occurred to me that may help address the SSL/TLS cert bundling problem in a way that doesn't require patching of modules and hence can be made compatible with virtual environments.
Specifically, I had the idea of adding a new "--symlink <file-pattern>@<link-target>" option to pip, such that you could do things like:
"pip install -r requirements.txt --symlink cacerts.txt@ /etc/pki/tls/certs/ca-bundle.crt"
to replace any file called "cacerts.txt" in the packages being installed with a symlink to "/etc/pki/tls/certs/ca-bundle.crt" instead (cacerts.txt is the name httplib2 uses for its cert bundle).
Since we patch `python3-certifi` to use the system bundle, and running `certifi` as a script prints the location of the cert bundle it is using, that would mean you could do things like:
sudo dnf install python3-certifi python -m pip install requests --symlink cacert.pem@`/usr/bin/python3 -m certifi`
and end up with an *unpatched* requests in the virtual environment that was nevertheless still using the system certificate store.
I filed that idea on the pip issue tracker at https://github.com/pypa/pip/issues/4197 but figured I should raise it here as well, as if something like this was added, then Fedora could be updated to use a standard symlink map when building RPMs, and the developer portal could be updated with suggest `pip.conf` settings to use the system cert bundle by default.
Cheers, Nick.
On Fri, Dec 23, 2016 at 05:37:51PM +1000, Nick Coghlan wrote:
I filed that idea on the pip issue tracker at https://github.com/pypa/pip/issues/4197 but figured I should raise it here as well, as if something like this was added, then Fedora could be updated to use a standard symlink map when building RPMs, and the developer portal could be updated with suggest `pip.conf` settings to use the system cert bundle by default. Nick.
Seems like a good idea.
Can't we just ship a pip.conf that defaults to using the system cert bundle, rather than merely suggest it?
John.
On 24 December 2016 at 02:38, John Dulaney jdulaney@fedoraproject.org wrote:
On Fri, Dec 23, 2016 at 05:37:51PM +1000, Nick Coghlan wrote:
I filed that idea on the pip issue tracker at https://github.com/pypa/pip/issues/4197 but figured I should raise it
here
as well, as if something like this was added, then Fedora could be
updated
to use a standard symlink map when building RPMs, and the developer
portal
could be updated with suggest `pip.conf` settings to use the system cert bundle by default. Nick.
Seems like a good idea.
Can't we just ship a pip.conf that defaults to using the system cert bundle, rather than merely suggest it?
I'm not sure that makes sense as a general default, as it's relatively rare for a developer's laptop to 100% match the production deployment environment, which means not using the system cert store really is a better default for virtual environments in Fedora Workstation.
The case for using the system certs by default would be stronger for Fedora Server, Atomic, and the base cloud images, though (as those generally *are* deployment environments).
Cheers, Nick.
python-devel@lists.fedoraproject.org