Bug 1655253 - pip and pipenv are using bundled certifi and a bundled root certificate
Summary: pip and pipenv are using bundled certifi and a bundled root certificate
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: python-pip
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miro Hrončok
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1655255 1659440 1659550 1659551
Reported: 2018-12-01 23:25 UTC by Miro Hrončok
Modified: 2019-01-04 16:49 UTC
CC List: 10 users

Fixed In Version: python-pip-18.1-2.fc30, pipenv-2018.11.26-2.fc30
Clone Of:
Clones: 1655255
Environment:
Last Closed: 2019-01-04 16:49:17 UTC
Type: Bug
Embargoed:


Description Miro Hrončok 2018-12-01 23:25:48 UTC
In Fedora's python-certifi package, we patch the logic to not use the bundled root certificate, but the system one instead:

https://src.fedoraproject.org/rpms/python-certifi/blob/master/f/certifi-2018.10.15-use-system-cert.patch

https://src.fedoraproject.org/rpms/python-certifi/blob/f27/f/python-certifi.spec#_71 (using f27 branch here to have a stable line number)

python-pip bundles its own certifi (and for multiple reasons we don't unbundle stuff from pip); pipenv bundles a patched version of pip. We should make sure to apply the same patch in both.

certifi is a (rather insecure) hack for platforms that don't have a good central location for the root certificates; we should not be using their pem certificate from pip or pipenv.
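
A quick way to verify which trust store each copy of certifi actually hands out, as an added check that is not part of this bug report or of the Fedora packages. It imports the stock certifi, the copy vendored in pip, and the copy vendored in pipenv's patched pip (the `pipenv.patched.notpip` module path is an assumption), calls each one's `where()`, and reports whether the returned file is one of the assumed system CA bundle locations or a bundled `cacert.pem`:

```python
"""Audit stock certifi, pip's vendored certifi, and pipenv's vendored pip
for whether where() points at the system CA bundle or a bundled cacert.pem.

Added example, not code from the bug report or the Fedora packages.
SYSTEM_BUNDLES and the pipenv module path are assumptions; adjust as needed.
"""
import importlib
import os

# Assumed system-wide CA bundle locations: Fedora's ca-certificates layout
# first, then the Debian/Ubuntu path.
SYSTEM_BUNDLES = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
)

# The three certifi copies this bug is about.
CERTIFI_MODULES = (
    "certifi",                                # python-certifi itself
    "pip._vendor.certifi",                    # certifi vendored in pip
    "pipenv.patched.notpip._vendor.certifi",  # assumed: pipenv's patched pip
)


def classify(bundle_path):
    """Return 'system' if the path resolves to a system CA bundle, else 'bundled'.

    realpath() is used so that a distro which symlinks cacert.pem to the
    system bundle (instead of patching where()) is also recognised.
    """
    resolved = os.path.realpath(bundle_path)
    return "system" if resolved in SYSTEM_BUNDLES else "bundled"


def audit(modules=CERTIFI_MODULES):
    """Map each module name to (path returned by where(), verdict).

    Modules that cannot be imported are reported as (None, 'not installed').
    """
    report = {}
    for name in modules:
        try:
            mod = importlib.import_module(name)
        except ImportError:
            report[name] = (None, "not installed")
            continue
        path = mod.where()
        report[name] = (path, classify(path))
    return report


if __name__ == "__main__":
    for name, (path, verdict) in audit().items():
        print(f"{name}: {verdict} ({path})")
```

Any line reporting `bundled` is a copy that still trusts the pem shipped inside the package rather than the roots managed by the distribution.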

Comment 2 Charalampos Stratakis 2018-12-12 15:36:29 UTC
What's the status of that?

Comment 3 Miro Hrončok 2018-12-12 19:09:16 UTC
The PR broke virtualenv. I've fixed it upstream. Needs backport. If you'd like to help, propose a Fedora python-virtualenv PR. Or I'll get to it tomorrow.

Details in:

https://src.fedoraproject.org/rpms/python-pip/pull-request/21

And

https://github.com/pypa/virtualenv/pull/1252
