PKG-2849: initial build for defaults #2

Merged
merged 4 commits into from Sep 20, 2023

@rafaelmartins rafaelmartins commented Sep 20, 2023

This is a requirement for a new conda feature.

A few comments:

  • this library may use the certificate store from the system, "leaking" our environment "sandbox". some issue may arise if the users' systems somehow have the certs installed in non-default paths, but I believe that this is expected behavior.
  • despite the library mentioning openssl, the actual openssl library or pyopenssl are not required by the library, as it relies on the ssl module, that encapsulates whatever ssl implementation python was built against.

cc @jezdez

@JeanChristopheMorinPerso

> this library may use the certificate store from the system, "leaking" our environment "sandbox". some issue may arise if the users' systems somehow have the certs installed in non-default paths, but I believe that this is expected behavior.

I'm no expert in OpenSSL stuff, but I'm guessing that there is a difference between the system store and the default store (the one we provide through the ca-certificates package)?

@rafaelmartins
Author

> > this library may use the certificate store from the system, "leaking" our environment "sandbox". some issue may arise if the users' systems somehow have the certs installed in non-default paths, but I believe that this is expected behavior.
>
> I'm no expert in OpenSSL stuff, but I'm guessing that there is a difference between the system store and the default store (the one we provide through the ca-certificates package)?

exactly, but only if ca-certificates is missing from the environment, which is at least unlikely. maybe we should add a hard dependency on it for this package?

@JeanChristopheMorinPerso

Our OpenSSL package already has a dependency on ca-certificates and I made sure not too long ago that it's effectively used on Windows too.

But it makes me think, how would customers be able to make use of their own truststore in the traditional sense (thinking about Windows here, which has its own API to access the truststore)... Which one would win, the ca-certificates provided store or the system store?

@rafaelmartins
Author

> Our OpenSSL package already has a dependency on ca-certificates and I made sure not too long ago that it's effectively used on Windows too.
>
> But it makes me think, how would customers be able to make use of their own truststore in the traditional sense (thinking about Windows here, which has its own API to access the truststore)... Which one would win, the ca-certificates provided store or the system store?

for windows and mac the library uses the system store via the OS SDK instead of handling .pem files. In this case we don't have any control, and afaics it always uses the external certificates.
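
A way to check which store applies in a given environment, as an added example that is not part of this PR or of the library's code: it reports whether roots come from the OS store (Windows and macOS, as stated above) or from the `ssl` module's default OpenSSL paths, and whether those paths sit inside the environment prefix. The function name, the result labels and the assumption that other platforms follow the `ssl` module defaults are illustrative.

```python
import os
import ssl
import sys
from pathlib import Path


def _inside(path, prefix):
    """True if path resolves to a location under prefix."""
    try:
        Path(path).resolve().relative_to(Path(prefix).resolve())
        return True
    except ValueError:
        return False


def trust_source(platform, paths, prefix, environ):
    """Classify where CA roots come from (labels are illustrative).

    platform: a sys.platform value; paths: ssl.DefaultVerifyPaths;
    prefix: environment root (sys.prefix); environ: mapping of env vars.
    """
    if platform in ("win32", "darwin"):
        # Per the thread: the OS SDK store is used, .pem files are not consulted.
        return "os-store"
    # Assumption: elsewhere the ssl module's OpenSSL defaults apply.
    # SSL_CERT_FILE / SSL_CERT_DIR (names taken from `paths`) override them.
    cafile = environ.get(paths.openssl_cafile_env) or paths.openssl_cafile
    capath = environ.get(paths.openssl_capath_env) or paths.openssl_capath
    candidates = [p for p in (cafile, capath) if p and os.path.exists(p)]
    if not candidates:
        return "none-found"
    if all(_inside(p, prefix) for p in candidates):
        return "environment"
    # At least one source of roots lives outside the environment prefix.
    return "outside-environment"


if __name__ == "__main__":
    print(trust_source(sys.platform, ssl.get_default_verify_paths(),
                       sys.prefix, os.environ))
```

A result of `outside-environment` or `none-found` on Linux is the case discussed above where ca-certificates is missing from the environment or an environment variable redirects the lookup.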

recipe/meta.yaml Outdated
@JeanChristopheMorinPerso

Great, thanks for the clarifications @rafaelmartins!

Co-authored-by: Jean-Christophe Morin <38703886+JeanChristopheMorinPerso@users.noreply.github.com>
@anaconda-pkg-build

Linter check found the following problems: The following problems have been found:

ERROR: clone/recipe/meta.yaml:22: missing_wheel: For pypi packages, wheel should be present in the host section
Errors were found

@sethmlarson

Very exciting stuff, thanks everyone for your work here! 🚀

@rafaelmartins rafaelmartins merged commit ff4830f into main Sep 20, 2023
8 of 9 checks passed
@rafaelmartins rafaelmartins deleted the PKG-2849-2 branch September 20, 2023 21:10
@anaconda-pkg-build

Linter check found the following problems: The following problems have been found:

ERROR: clone/recipe/meta.yaml:22: missing_wheel: For pypi packages, wheel should be present in the host section
Errors were found
