Bug 1655255

Summary: pip is using bundled certifi and a bundled root certificate
Product: Red Hat Enterprise Linux 8 Reporter: Miro Hrončok <mhroncok>
Component: python36-3.6-module Assignee: Python Maintainers <python-maint>
Status: CLOSED CURRENTRELEASE QA Contact: Maryna Nalbandian <mnalband>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.0 CC: agk, cheimes, cstratak, jkejda, mhroncok, pviktori
Target Milestone: rc   
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: python-pip-9.0.3-13.el8
Clone Of: 1655253
: 1659440 1659550 (view as bug list) Environment:
Last Closed: 2019-06-14 00:51:42 UTC Type: Bug
Bug Depends On: 1655253    
Bug Blocks: 1659440    
Attachments:
Description Flags
dist git patch for python-virtualenv none

Description Miro Hrončok 2018-12-01 23:30:33 UTC
+++ This bug was initially created as a clone of Bug #1655253 +++

In Fedora's python-certifi package, we patch the logic to not use the bundled root certificate, but the system one instead:

https://src.fedoraproject.org/rpms/python-certifi/blob/master/f/certifi-2018.10.15-use-system-cert.patch

https://src.fedoraproject.org/rpms/python-certifi/blob/f27/f/python-certifi.spec#_71 (using f27 branch here to have a stable line number)

python-pip bundles its own certifi (and for multiple reasons we don't unbundle stuff from pip) on RHEL 8. We should make sure to apply the same patch.

certifi is a (rather insecure) hack for platforms that don't have a good central location for the root certificates; we should not be using their pem certificate from pip.
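
An audit for the condition described in this report, added here as an example (it is not code from the bug, from pip, or from the Fedora patch): it walks a Python tree, finds every copy of certifi including the one vendored under `pip/_vendor`, and reports whether `where()` returns a bundled `.pem` or an absolute system path. The function names, the constructed sample sources, and the system bundle path `/etc/pki/tls/certs/ca-bundle.crt` used as the patched return value are assumptions.

```python
import ast
import os
import tempfile

def classify_where(source):
    """Classify what certifi's where() returns: 'system', 'bundled' or 'unknown'."""
    for func in ast.walk(ast.parse(source)):
        if not (isinstance(func, ast.FunctionDef) and func.name == "where"):
            continue
        # Only string literals inside return statements count (docstrings are skipped).
        literals = [c.value for ret in ast.walk(func) if isinstance(ret, ast.Return)
                    for c in ast.walk(ret)
                    if isinstance(c, ast.Constant) and isinstance(c.value, str)]
        if any(s.startswith("/") for s in literals):
            return "system"   # absolute path, i.e. the distribution's trust store
        if any(s.endswith(".pem") for s in literals):
            return "bundled"  # path built relative to the package directory
    return "unknown"

def audit_certifi(root):
    """Return sorted (relative_dir, verdict, ships_cacert_pem) for each certifi copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "certifi" and "core.py" in files:
            with open(os.path.join(dirpath, "core.py"), encoding="utf-8") as fh:
                verdict = classify_where(fh.read())
            rel = os.path.relpath(dirpath, root)
            findings.append((rel, verdict, "cacert.pem" in files))
    return sorted(findings)

# Constructed sample sources (not copied from any package).
UNPATCHED = ("import os\n\ndef where():\n    f = os.path.dirname(__file__)\n"
             "    return os.path.join(f, 'cacert.pem')\n")
PATCHED = "def where():\n    return '/etc/pki/tls/certs/ca-bundle.crt'\n"  # assumed path

def make_sample_tree(root):
    """Build a constructed site-packages: patched certifi, unpatched pip vendored copy."""
    layout = {"certifi": (PATCHED, False), "pip/_vendor/certifi": (UNPATCHED, True)}
    for rel, (source, with_pem) in layout.items():
        pkg = os.path.join(root, "site-packages", *rel.split("/"))
        os.makedirs(pkg)
        with open(os.path.join(pkg, "core.py"), "w", encoding="utf-8") as fh:
            fh.write(source)
        if with_pem:
            open(os.path.join(pkg, "cacert.pem"), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for finding in audit_certifi(tmp):
            print(finding)
```

Any `bundled` verdict under `pip/_vendor` means that pip ignores the system trust store even when the standalone certifi package has been patched.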

Comment 1 Charalampos Stratakis 2018-12-14 00:54:53 UTC
We'll also need to fix virtualenv

https://github.com/pypa/virtualenv/pull/1252

Comment 2 Miro Hrončok 2018-12-14 12:00:08 UTC
Created attachment 1514332
dist git patch for python-virtualenv

I wasn't able to push to my fork.