Fix #1680 - Use System SSL Certificates if Available #1866
Conversation
|
Just a note: Debian (and thus Ubuntu) and likely other OSs are patching ensurepip and virtualenv to use Wheels created from their modified copies of pip instead of Wheels created by upstream (us). This has the effect that if someone creates a virtual environment, and then upgrades or downgrades the pip inside that environment they'll switch from using the OS provided certificates to using the ones we happened to bundle via requests in that version of pip. This change will ideally make it so that going forward if someone does upgrade/downgrade their pip inside of a virtual environment (as long as it's too a 1.6+ version of pip) they will still be likely to be using the same set of certificates. This however will not hold true if the OS uses a location that isn't in one of our hardcoded lists. There's not much we can do about that, hopefully if there's some location we've missed then we'll get a patch that adds it. It's important to note that if we cannot find a system location, this patch will still fall back to whatever requests does, which for upstream requests (and us) it'll use the bundled ca bundle, however on *nix OSs this will likely point to the correct location anyways due to them patching requests. Of course that won't hold true if someone upgrades/downgrades their pip via PyPI again. |
Fix #1680 - Use System SSL Certificates if Available
lock
bot
added
the
auto-locked
No description provided.