Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Fix #1680 - Use System SSL Certificates if Available #1866
Just a note:
Debian (and thus Ubuntu) and likely other OSs are patching ensurepip and virtualenv to use Wheels created from their modified copies of pip instead of Wheels created by upstream (us). This has the effect that if someone creates a virtual environment, and then upgrades or downgrades the pip inside that environment they'll switch from using the OS provided certificates to using the ones we happened to bundle via requests in that version of pip. This change will ideally make it so that going forward if someone does upgrade/downgrade their pip inside of a virtual environment (as long as it's too a 1.6+ version of pip) they will still be likely to be using the same set of certificates.
This however will not hold true if the OS uses a location that isn't in one of our hardcoded lists. There's not much we can do about that, hopefully if there's some location we've missed then we'll get a patch that adds it.
It's important to note that if we cannot find a system location, this patch will still fall back to whatever requests does, which for upstream requests (and us) it'll use the bundled ca bundle, however on *nix OSs this will likely point to the correct location anyways due to them patching requests. Of course that won't hold true if someone upgrades/downgrades their pip via PyPI again.