Fix #1680 - Use System SSL Certificates if Available #1866

Merged
dstufft merged 1 commit into pypa:develop from dstufft:use-system-certs on Jun 13, 2014

dstufft commented Jun 13, 2014

No description provided.


dstufft Jun 13, 2014

Just a note:

Debian (and thus Ubuntu) and likely other OSs are patching ensurepip and virtualenv to use Wheels created from their modified copies of pip instead of Wheels created by upstream (us). This has the effect that if someone creates a virtual environment, and then upgrades or downgrades the pip inside that environment, they'll switch from using the OS-provided certificates to using the ones we happened to bundle via requests in that version of pip. This change will ideally make it so that going forward if someone does upgrade/downgrade their pip inside of a virtual environment (as long as it's to a 1.6+ version of pip) they will still be likely to be using the same set of certificates.

This however will not hold true if the OS uses a location that isn't in one of our hardcoded lists. There's not much we can do about that; hopefully if there's some location we've missed then we'll get a patch that adds it.

It's important to note that if we cannot find a system location, this patch will still fall back to whatever requests does, which for upstream requests (and us) will use the bundled CA bundle; however, on *nix OSs this will likely point to the correct location anyways due to them patching requests. Of course that won't hold true if someone upgrades/downgrades their pip via PyPI again.
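
The lookup order described in the comment above (system certificate locations first, the bundle shipped with requests as the fallback) can be sketched as follows. This is an added example, not pip's code: the candidate paths are common distribution defaults chosen as assumptions rather than pip's hardcoded lists, and `resolve_ca_bundle` and `looks_like_ca_bundle` are hypothetical names. It also reports which source was chosen, so a change of trust store after a pip upgrade or downgrade is visible.

```python
import ssl

# Assumed candidate locations (common distro defaults); NOT pip's actual lists.
SYSTEM_CA_CANDIDATES = [
    "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # Fedora / RHEL
    "/etc/ssl/ca-bundle.pem",              # openSUSE
    "/etc/ssl/cert.pem",                   # BSD-style layouts
]

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def looks_like_ca_bundle(path):
    """True if path is a readable file holding at least one PEM certificate."""
    try:
        with open(path, "rb") as fh:
            return PEM_MARKER in fh.read()
    except OSError:
        # Missing file, directory, or permission problem: not usable.
        return False


def resolve_ca_bundle(bundled, candidates=None, openssl_default=None):
    """Return (path, source) where source is 'system' or 'bundled'.

    bundled         -- path of the CA file shipped with the HTTP library
    candidates      -- system locations to probe, in order
    openssl_default -- None: ask OpenSSL for its default cafile;
                       "" : skip that probe (useful in tests)
    """
    if candidates is None:
        candidates = SYSTEM_CA_CANDIDATES
    if openssl_default is None:
        openssl_default = ssl.get_default_verify_paths().cafile
    search = ([openssl_default] if openssl_default else []) + list(candidates)
    for path in search:
        # An empty or non-PEM file is skipped rather than trusted as a store.
        if looks_like_ca_bundle(path):
            return path, "system"
    return bundled, "bundled"


if __name__ == "__main__":
    # "<bundled cacert.pem>" is a placeholder for the library's own bundle path.
    path, source = resolve_ca_bundle(bundled="<bundled cacert.pem>")
    print(source, path)
```

Running this inside and outside a virtual environment, before and after changing the pip version, shows whether both resolve to the same trust store.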

dstufft added a commit that referenced this pull request Jun 13, 2014

Merge pull request #1866 from dstufft/use-system-certs
Fix #1680 - Use System SSL Certificates if Available

@dstufft dstufft merged commit a88deeb into pypa:develop Jun 13, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed
@dstufft dstufft deleted the dstufft:use-system-certs branch Jun 13, 2014
