wrong usage of certifi #760

Closed
matejcik opened this Issue Aug 23, 2016 · 0 comments

matejcik commented Aug 23, 2016

https://github.com/pypa/setuptools/blob/master/setuptools/ssl_support.py#L245
This line fetches the install directory of certifi and extracts file cacert.pem from it.

Although certifi labels itself as a trust root source, due to its commonness, it is a good vector for injecting OS-provided trust root for a huge number of Python packages at the same time. At SUSE, we patch the certifi.where() method to return the system trust root bundle and remove the installed trust root. That obviously cannot work when a package accesses the pem file directly.

It is also fragile: certifi could rename their pem bundle at any time, because it's not part of their API.

The line should be replaced with:

```python
import certifi
return certifi.where()
```

I'll try to send a PR when I get to it.
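The following is an added illustration of the failure mode described above, not code from the issue or from setuptools. It builds a constructed stand-in for a distro-patched `certifi` (where `certifi.where()` points at a system bundle and no `cacert.pem` ships in the package directory) and compares the two lookup strategies: joining a hard-coded filename onto the install directory versus calling the public `where()` API. The module name, paths and file contents are all constructed for the demonstration.

```python
import os
import tempfile
import types


def cacert_by_path(package_dir):
    """The approach the issue objects to: assume cacert.pem sits in the
    package install directory. The filename is not part of certifi's API."""
    return os.path.join(package_dir, "cacert.pem")


def cacert_by_api(certifi_module):
    """The approach the issue recommends: ask certifi through its public API."""
    return certifi_module.where()


def make_patched_certifi(system_bundle):
    """Constructed stand-in for a distro-patched certifi (hypothetical): where()
    returns the OS trust store and the package ships no cacert.pem at all."""
    mod = types.ModuleType("certifi")
    mod.where = lambda: system_bundle
    mod.__file__ = os.path.join(tempfile.mkdtemp(), "certifi", "__init__.py")
    os.makedirs(os.path.dirname(mod.__file__))
    return mod


def compare(certifi_module):
    """Resolve the bundle both ways and report whether each result exists."""
    pkg_dir = os.path.dirname(certifi_module.__file__)
    direct = cacert_by_path(pkg_dir)
    via_api = cacert_by_api(certifi_module)
    return {
        "direct": direct,
        "direct_exists": os.path.isfile(direct),
        "api": via_api,
        "api_exists": os.path.isfile(via_api),
    }


def demo():
    """Create a constructed 'system' bundle, a patched certifi, and compare."""
    tmp = tempfile.mkdtemp()
    system_bundle = os.path.join(tmp, "ca-bundle.pem")
    with open(system_bundle, "w") as fh:
        # constructed placeholder content, not a real certificate
        fh.write("# constructed placeholder CA bundle\n")
    certifi = make_patched_certifi(system_bundle)
    return compare(certifi)


if __name__ == "__main__":
    result = demo()
    print("direct path:", result["direct"], "exists:", result["direct_exists"])
    print("via where():", result["api"], "exists:", result["api_exists"])
```

On a distro that rewires `certifi.where()` to the system store, only the API-based lookup finds a file; the path-based lookup silently points at a bundle that does not exist, which is exactly why TLS verification would then fail or, worse, bypass the OS-managed trust roots.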
