[issue36344] install_certificates.command too complicated, copy from pip's dir instead

2019-03-19 Thread Dmitrii Pasechnik


Dmitrii Pasechnik  added the comment:

The script install_certificates.command depends upon pip: it calls pip to
install certifi. Thus it's no less "optional" than pip.

And pip is only functional, and is able to do the installation in question,
due to it including the certificate in question.

The role of this script is fishy from a security point of view, too.
Why not simply put the certificate right where it belongs, i.e. not just
simplify install_certificates.command, but simply get rid of it?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue36344] install_certificates.command too complicated, copy from pip's dir instead

2019-03-18 Thread Ned Deily


Ned Deily  added the comment:

Thanks for the suggestion but that is not a workable solution for two reasons. 
One, pip is an optional install with the python.org installer so we cannot 
depend on it being available.  More importantly, from a packaging point of 
view, the internal composition of pip is opaque.  There's no guarantee that any 
future release of pip will still bundle root certificates, that they will be 
installed in the same location, or which root certificates will be included and 
how up-to-date they are. Pip uses the certificates primarily to access PyPI, 
not to provide a general set of root certificates.  The current python.org 
solution of providing the Install Certificates script as an example is 
certainly far from ideal and we will improve it.  But adding a dependency on 
undocumented behavior of pip is not a step in the right direction.

--
resolution:  -> rejected
stage:  -> resolved
status: open -> closed




[issue36344] install_certificates.command too complicated, copy from pip's dir instead

2019-03-18 Thread Dmitrii Pasechnik


New submission from Dmitrii Pasechnik :

Currently (e.g. on the released Python 2.7.16)
Mac/BuildScript/resources/install_certificates.command installs the certifi
module from the net and symlinks its cacert.pem to provide openssl with a
working certificate. The same task may be accomplished much more easily, by
symlinking pip's cacert.pem, as follows (just shell commands, for the purposes
of demonstration):

cd local/openssl
rm -f cert.pem
ln -s ../lib/python2.7/site-packages/pip/_vendor/certifi/cacert.pem cert.pem

This works as pip's cacert.pem contains the same certificate as the one 
provided by unvendored certifi (as can be seen by looking at it using "openssl 
x509 -in ..." on it).

I'd be happy to provide a PR if this is acceptable.

--
components: macOS
messages: 338211
nosy: dimpase, ned.deily, ronaldoussoren
priority: normal
severity: normal
status: open
title: install_certificates.command too complicated,  copy from pip's dir 
instead
type: enhancement
versions: Python 2.7
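
Added example, not part of the original thread: "openssl x509 -in" reads only the first certificate in a PEM file, so checking whether two CA bundles (such as pip's vendored cacert.pem and certifi's) really match needs a comparison over every entry. The sketch below compares bundles by SHA-256 fingerprint; the function names are hypothetical and the sample bundles are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def bundle_fingerprints(pem_text):
    """Return the SHA-256 fingerprints of every certificate in a PEM bundle."""
    prints = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # drop line breaks
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def compare_bundles(pem_a, pem_b):
    """Return (only_in_a, only_in_b, common) as sets of fingerprints."""
    a, b = bundle_fingerprints(pem_a), bundle_fingerprints(pem_b)
    return a - b, b - a, a & b


def fake_pem(payload):
    """Constructed stand-in: wraps arbitrary bytes in certificate PEM armor."""
    b64 = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


# Constructed sample bundles (placeholder bytes, not real certificates).
ROOT_A = fake_pem(b"constructed root A")
ROOT_B = fake_pem(b"constructed root B")
ROOT_C = fake_pem(b"constructed root C")
VENDORED_BUNDLE = "# vendored copy (constructed)\n" + ROOT_A + ROOT_B
STANDALONE_BUNDLE = ROOT_A + ROOT_B + ROOT_C

if __name__ == "__main__":
    if len(sys.argv) == 3:  # compare two real bundle files given as arguments
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            bundles = fa.read(), fb.read()
    else:                   # fall back to the constructed samples
        bundles = VENDORED_BUNDLE, STANDALONE_BUNDLE
    only_a, only_b, common = compare_bundles(*bundles)
    print("common: %d, only in first: %d, only in second: %d"
          % (len(common), len(only_a), len(only_b)))
    for fp in sorted(only_a | only_b):
        print("differs:", fp)
```

Run with two bundle paths as arguments to compare real files; any fingerprint listed under "differs" is a root that one trust store has and the other lacks.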
