Bug 1659440

Summary: pip is using bundled certifi and a bundled root certificate
Product: Red Hat Enterprise Linux 8
Reporter: Charalampos Stratakis <cstratak>
Component: python27-2.7-module
Assignee: Charalampos Stratakis <cstratak>
Status: CLOSED CURRENTRELEASE
QA Contact: Anna Khaitovich <akhaitov>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: hhorak, jkejda, torsava
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python2-pip-9.0.3-12.module+el8+2540+b19c9b35
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1655255
Last Closed: 2019-06-14 01:20:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1655253, 1655255, 1659550, 1659551

Description Charalampos Stratakis 2018-12-14 11:36:05 UTC
+++ This bug was initially created as a clone of Bug #1655255 +++

+++ This bug was initially created as a clone of Bug #1655253 +++

In Fedora's python-certifi package, we patch the logic to not use the bundled root certificate, but the system one instead:

https://src.fedoraproject.org/rpms/python-certifi/blob/master/f/certifi-2018.10.15-use-system-cert.patch

https://src.fedoraproject.org/rpms/python-certifi/blob/f27/f/python-certifi.spec#_71 (using f27 branch here to have a stable line number)

python-pip bundles its own certifi (and for multiple reasons we don't unbundle stuff from pip) on RHEL 8. We should make sure to apply the same patch.

certifi is a (rather insecure) hack for platforms that don't have a good central location for the root certificates; we should not be using their pem certificate from pip.

--- Additional comment from Charalampos Stratakis on 2018-12-14 01:54:53 CET ---

We'll also need to fix virtualenv

https://github.com/pypa/virtualenv/pull/1252
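A check a packager or admin can run to verify the outcome described in this report, added here as an example and not part of the bug report, Fedora's patch, or pip's code: it asks each certifi copy (standalone `certifi` and pip's vendored `pip._vendor.certifi`) which bundle `where()` returns and classifies it as the system trust store or a bundled PEM. The system bundle paths and the `site-packages`/`_vendor` heuristic are assumptions, and the sample PEM is constructed.

```python
"""Added example: does certifi (standalone or pip-vendored) trust the
system store or its own bundled PEM?  Not Fedora's patch or pip's code."""
import importlib
import os

# Known system trust stores (assumptions: RHEL/Fedora path, then Debian's).
SYSTEM_BUNDLES = ("/etc/pki/tls/certs/ca-bundle.crt",
                  "/etc/ssl/certs/ca-certificates.crt")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
# Constructed sample bundle: marker lines only, not real certificates.
SAMPLE_PEM = (PEM_BEGIN + "\nAAAA\n-----END CERTIFICATE-----\n") * 2

def count_pem_certs(pem_text):
    """Count certificate blocks in a PEM bundle by their BEGIN markers."""
    return pem_text.count(PEM_BEGIN)

def classify_bundle(path, system_bundles=SYSTEM_BUNDLES):
    """'system' if the path resolves to a known trust store (symlinks are
    followed, so a cacert.pem symlinked to it still counts as system),
    'bundled' if it lives inside a Python package tree, else 'other'."""
    real = os.path.realpath(path)
    if real in {os.path.realpath(p) for p in system_bundles}:
        return "system"
    if any(p in real.split(os.sep)
           for p in ("site-packages", "dist-packages", "_vendor")):
        return "bundled"
    return "other"

def describe_bundle(path):
    """Classification plus certificate count (None when unreadable)."""
    info = {"path": path, "source": classify_bundle(path), "certs": None}
    if os.path.isfile(path):
        with open(path, "r", errors="replace") as fh:
            info["certs"] = count_pem_certs(fh.read())
    return info

def audit(modules=("certifi", "pip._vendor.certifi")):
    """Describe the bundle each importable certifi copy returns from where();
    a copy that is missing (or whose where() fails) maps to None."""
    report = {}
    for name in modules:
        try:
            path = importlib.import_module(name).where()
        except Exception:
            report[name] = None
            continue
        report[name] = describe_bundle(path)
    return report
```

Calling `audit()` on a host with the fixed python2-pip should report `source: 'system'` for `pip._vendor.certifi`; a `bundled` result means pip is still trusting its own cacert.pem.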

Comment 2 Anna Khaitovich 2019-01-28 13:18:08 UTC
$ rpm -qa python2-pip
python2-pip-9.0.3-12.module+el8+2540+b19c9b35.noarch

$ rpm -q --provides python2-pip
bundled(python2dist(appdirs)) = 1.4.0
bundled(python2dist(cachecontrol)) = 0.11.7
bundled(python2dist(chardet)) = 2.3.0
bundled(python2dist(colorama)) = 0.3.7
bundled(python2dist(distlib)) = 0.2.4
bundled(python2dist(distro)) = 1.0.1
bundled(python2dist(html5lib)) = 1.0b10
bundled(python2dist(ipaddress) = 1.0.17
bundled(python2dist(lockfile)) = 0.12.2
bundled(python2dist(packaging)) = 16.8
bundled(python2dist(progress)) = 1.2
bundled(python2dist(pyparsing)) = 2.1.10
bundled(python2dist(requests)) = 2.11.1
bundled(python2dist(retrying)) = 1.3.3
bundled(python2dist(setuptools)) = 28.8.0
bundled(python2dist(six)) = 1.10.0
bundled(python2dist(urllib3)) = 1.16
bundled(python2dist(webencodings)) = 0.5
python2-pip = 9.0.3-12.module+el8+2540+b19c9b35
python2.7dist(pip) = 9.0.3
python2dist(pip) = 9.0.3