Bug 1655253

Summary: pip and pipenv are using bundled certifi and a bundled root certificate
Product: Fedora
Component: python-pip
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Status: CLOSED RAWHIDE
Severity: unspecified
Priority: unspecified
Reporter: Miro Hrončok <mhroncok>
Assignee: Miro Hrončok <mhroncok>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bkabrda, cheimes, cstratak, metherid, mhroncok, ncoghlan, python-maint, tflink, TicoTimo, torsava
Fixed In Version: python-pip-18.1-2.fc30, pipenv-2018.11.26-2.fc30
Doc Type: If docs needed, set a value
Clones: 1655255 (view as bug list)
Last Closed: 2019-01-04 16:49:17 UTC
Type: Bug
Bug Blocks: 1655255, 1659440, 1659550, 1659551

Description Miro Hrončok 2018-12-01 23:25:48 UTC
In Fedora's python-certifi package, we patch the logic to not use the bundled root certificate, but the system one instead:

https://src.fedoraproject.org/rpms/python-certifi/blob/master/f/certifi-2018.10.15-use-system-cert.patch

https://src.fedoraproject.org/rpms/python-certifi/blob/f27/f/python-certifi.spec#_71 (using f27 branch here to have a stable line number)

python-pip bundles its own certifi (and for multiple reasons we don't unbundle stuff from pip); pipenv bundles a patched version of pip. We should make sure to apply the same patch in both.

certifi is a (rather insecure) hack for platforms that don't have a good central location for the root certificates; we should not be using their PEM certificate from pip or pipenv.
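Added example, not from the bug report, Fedora's certifi patch or pip's code: a small check that reports which CA bundle each copy of certifi on a system (the stock module and the copies vendored inside pip and pipenv) would hand to TLS clients, and classifies it as the distro bundle or a cacert.pem shipped inside a package. It generalises to any list of module names. The Fedora bundle path /etc/pki/tls/certs/ca-bundle.crt and the pipenv vendored module name are assumptions to verify against the package spec.

```python
"""Report which CA bundle each certifi copy on this host would use.

Added example; not Fedora's patch, pip's or certifi's own code.  Run it on a
Fedora box to confirm that pip/pipenv's vendored certifi has been patched to
point at the system trust store rather than at its own cacert.pem.
"""
import importlib
import os
from pathlib import PurePosixPath

# ASSUMPTION: the shared CA bundle maintained by update-ca-trust on Fedora.
SYSTEM_CA_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"

# Modules to probe.  The pipenv path is an ASSUMPTION based on the report that
# pipenv bundles a patched pip; adjust it to the installed layout.
CERTIFI_COPIES = (
    "certifi",
    "pip._vendor.certifi",
    "pipenv.patched.notpip._vendor.certifi",
)

# Path components that mark a cacert.pem living inside a Python package.
PACKAGE_MARKERS = ("site-packages", "dist-packages", "_vendor", "certifi")


def classify_bundle(path: str) -> str:
    """Classify a certifi.where() result.

    Returns 'system' for the distro bundle (by path, or by identity when the
    patched where() hands back a symlink to it), 'bundled' for a cacert.pem
    shipped inside a Python package, and 'unknown' otherwise.
    """
    p = PurePosixPath(path)
    if str(p) == SYSTEM_CA_BUNDLE:
        return "system"
    if (os.path.exists(path) and os.path.exists(SYSTEM_CA_BUNDLE)
            and os.path.samefile(path, SYSTEM_CA_BUNDLE)):
        return "system"
    if p.name == "cacert.pem" and any(part in PACKAGE_MARKERS for part in p.parts):
        return "bundled"
    return "unknown"


def audit(module_names=CERTIFI_COPIES) -> dict:
    """Import each certifi copy, call its where(), and classify the result.

    Modules that are not installed are reported as such rather than failing,
    so the check can run on hosts without pipenv.
    """
    results = {}
    for name in module_names:
        try:
            mod = importlib.import_module(name)
        except ImportError:
            results[name] = "not installed"
            continue
        bundle = mod.where()
        results[name] = f"{classify_bundle(bundle)}: {bundle}"
    return results


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:45s} {verdict}")
```

Any copy reported as "bundled" still trusts a root list frozen at certifi's release date and ignores roots added or distrusted through update-ca-trust, which is the gap the bug is about.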

Comment 2 Charalampos Stratakis 2018-12-12 15:36:29 UTC
What's the status of that?

Comment 3 Miro Hrončok 2018-12-12 19:09:16 UTC
The PR broke virtualenv. I've fixed it upstream. Needs backport. If you'd like to help, propose a Fedora python-virtualenv PR. Or I'll get to it tomorrow.

Details in:

https://src.fedoraproject.org/rpms/python-pip/pull-request/21

And

https://github.com/pypa/virtualenv/pull/1252