Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

wrong usage of certifi #760

Closed
matejcik opened this issue Aug 23, 2016 · 0 comments
Closed

wrong usage of certifi #760

matejcik opened this issue Aug 23, 2016 · 0 comments

Comments

@matejcik
Copy link

@matejcik matejcik commented Aug 23, 2016

https://github.com/pypa/setuptools/blob/master/setuptools/ssl_support.py#L245
This line fetches the install directory of certifi and extracts file cacert.pem from it.

Although certifi labels itself as a trust root source, due to its commonness, it is a good vector for injecting OS-provided trust root for a huge number of Python packages at the same time. At SUSE, we patch the certifi.where() method to return the system trust root bundle and remove the installed trust root. That obviously cannot work when a package accesses the pem file directly.

It is also fragile: certifi could rename their pem bundle at any time, because it's not part of their API.

The line should be replaced with:

import certifi
return certifi.where()

I'll try to send a PR when I get to it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants