Hi All,

I hope this is an appropriate channel for patch submissions. Here is a patch that mirrors the base "python3-pip" approach to use the system CA cert trust file, rather than the one that gets embedded into pip via the Requests/Certifi packages. This is preferable because it lets pip pick up locally administered CA trust (e.g. certs issued by an internal CA). This helps immensely when running a private secure pip/PyPI repo!
This should be testable by comparing the output of these two commands:

    scl enable rh-python36 'python -mpip._vendor.requests.certs'
    python3 -mpip._vendor.requests.certs

The output if pip is using bundled certs is something like:

    /opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/pip/_vendor/requests/cacert.pem

versus system certs:

    /etc/pki/tls/certs/ca-bundle.crt

A similar patch could probably be applied to prior SCL python (3.[345]). But I hope by getting it in 3.6, it will walk forward for 3.7+.

The attached patch is public domain.

attached: 0001-include-patch-from-python-pip-for-system-CA-cert-tru.patch

Regards,
James Flemer
NDP
1909 26th Street, Suite 1E
Boulder, Colorado 80302
Office: 720-897-7334
Cell: 970-217-3204
james.fle...@ndpgroup.com
www.ndpgroup.com
From 36f6069128150b2724d40d045cb6a95a5a36de1d Mon Sep 17 00:00:00 2001 From: "James E. Flemer" <james.flemer@ndpgroup.com> Date: Thu, 16 Apr 2020 16:22:40 +0000 Subject: [PATCH] include patch from python-pip for system CA cert trust --- SOURCES/dummy-certifi.patch | 13 +++++++++++++ SPECS/python-pip.spec | 14 +++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 SOURCES/dummy-certifi.patch diff --git a/SOURCES/dummy-certifi.patch b/SOURCES/dummy-certifi.patch new file mode 100644 index 0000000..4afc3d8 --- /dev/null +++ b/SOURCES/dummy-certifi.patch @@ -0,0 +1,13 @@ +--- pip-9.0.1/pip/_vendor/requests/certs.py 2016-11-06 18:49:45.000000000 +0000 ++++ dummy-certifi/pip/_vendor/requests/certs.py 2020-04-16 12:48:44.206090267 +0000 +@@ -18,8 +18,8 @@ + except ImportError: + def where(): + """Return the preferred certificate bundle.""" +- # vendored bundle inside Requests +- return os.path.join(os.path.dirname(__file__), 'cacert.pem') ++ # system CA certs ++ return '/etc/pki/tls/certs/ca-bundle.crt' + + if __name__ == '__main__': + print(where()) diff --git a/SPECS/python-pip.spec b/SPECS/python-pip.spec index d6dbcb7..94b2fd8 100644 --- a/SPECS/python-pip.spec +++ b/SPECS/python-pip.spec @@ -15,7 +15,7 @@ Name: %{?scl_prefix}python-%{srcname} Version: 9.0.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A tool for installing and managing Python packages Group: Development/Libraries @@ -24,6 +24,10 @@ URL: http://www.pip-installer.org Source0: https://files.pythonhosted.org/packages/source/p/pip/%{srcname}-%{version}.tar.gz Patch0: allow-stripping-given-prefix-from-wheel-RECORD-files.patch +# Use the system level root certificate instead of the one bundled in certifi +# https://bugzilla.redhat.com/show_bug.cgi?id=1655253 +Patch1: dummy-certifi.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch 
@@ -47,6 +51,11 @@ easy_installable should be pip-installable as well. %setup -q -n %{srcname}-%{version} %patch0 -p1 +%patch1 -p1 + +# this goes together with patch1 +rm pip/_vendor/*/*.pem +sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt %{__sed} -i '1d' pip/__init__.py %{?scl:EOF} @@ -88,6 +97,9 @@ pip3 install -I dist/%{python3_wheelname} --root %{buildroot} --strip-file-prefi %{python3_sitelib}/pip* %changelog +* Thu Apr 16 2020 James E. Flemer <james.flemer@ndpgroup.com> - 9.0.1-3 +- include patch from python-pip for system CA cert trust + * Wed Jun 14 2017 Charalampos Stratakis <cstratak@redhat.com> - 9.0.1-2 - Rebuild as wheel -- 1.8.3.1
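Review bot: in SOURCES/dummy-certifi.patch the new return value sits inside the `except ImportError:` fallback of pip/_vendor/requests/certs.py, so it only takes effect when the `try` branch's certifi import fails; if pip's vendored certifi still imports, `where()` is certifi's own and keeps pointing at the cacert.pem that this spec deletes, which leaves pip with a dangling bundle path rather than the system one. Either patch the vendored certifi's `where()` to return '/etc/pki/tls/certs/ca-bundle.crt' as well, or confirm on a built package that `python -mpip._vendor.requests.certs` prints the system path. The hardcoded path is also RHEL-specific, which is acceptable for an SCL package but deserves a comment next to `+        return '/etc/pki/tls/certs/ca-bundle.crt'` saying so.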
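Review bot: the comment above `Patch1: dummy-certifi.patch` says the patch replaces the root certificate "bundled in certifi", but the patch as attached edits pip/_vendor/requests/certs.py, not pip/_vendor/certifi; make the comment name the file the patch actually touches (or extend the patch to certifi) so the next maintainer is not misled about which code path was changed.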
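Review bot: in the %prep hunk, `rm pip/_vendor/*/*.pem` removes the vendored bundle unconditionally, yet nothing in the spec guarantees the replacement file exists at runtime; add `Requires: ca-certificates` (the package that provides /etc/pki/tls/certs/ca-bundle.crt) so a minimal install cannot end up with pip pointing at a path that does not exist. The line `sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt` also needs a comment explaining that it keeps the egg-info file list consistent with the deleted .pem files, since "this goes together with patch1" does not say why it is there.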
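Review bot: the %changelog entry "include patch from python-pip for system CA cert trust" should cite the bug that the Patch1 comment references, e.g. `- Use the system CA bundle instead of the vendored one (rhbz#1655253)`, so the release can be traced back to its rationale the way the rest of the spec's comments allow.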
_______________________________________________ SCLorg mailing list SCLorg@redhat.com https://www.redhat.com/mailman/listinfo/sclorg
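The two-command comparison in the post tells you which bundle path pip reports, but after the spec deletes the vendored cacert.pem the more important question is whether the path it reports actually exists and contains certificates. The script below is an added example, not code from the patch or from the mailing-list post: it runs the same `python -m pip._vendor.requests.certs` check, classifies the result as system or vendored, and counts the PEM certificates behind it. The system bundle locations and the interpreter name are assumptions for illustration; the sample PEM text in the test is constructed.

```python
"""Check which CA bundle a given Python's vendored pip will trust.

Added example (not part of the patch or the post).  It wraps the manual
``python -m pip._vendor.requests.certs`` check in a script that also verifies
the reported bundle exists and holds certificates, which is the failure mode
to watch for once the vendored cacert.pem has been removed.
"""
import os
import re
import subprocess
import sys

# Assumed system bundle locations: RHEL/Fedora first, Debian/Ubuntu second.
SYSTEM_BUNDLES = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
)

# One PEM certificate block, non-greedy so concatenated bundles count correctly.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def classify_bundle(path):
    """Return 'system', 'vendored' or 'unknown' for a path printed by certs.where()."""
    norm = os.path.normpath(path)
    if norm in SYSTEM_BUNDLES:
        return "system"
    # pip vendors requests/certifi under pip/_vendor/<pkg>/cacert.pem
    if "/_vendor/" in norm and norm.endswith("cacert.pem"):
        return "vendored"
    return "unknown"


def count_pem_certs_text(text):
    """Number of PEM certificate blocks in a bundle's contents."""
    return len(_PEM_CERT.findall(text))


def count_pem_certs(path):
    """Number of PEM certificates in the file, or -1 if it cannot be read."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return count_pem_certs_text(fh.read())
    except OSError:
        return -1


def pip_bundle_path(python="python3"):
    """Ask the interpreter's vendored requests which bundle it will use.

    Same check as in the post; returns None if the module cannot be run.
    """
    proc = subprocess.run(
        [python, "-m", "pip._vendor.requests.certs"],
        capture_output=True, text=True,
    )
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return proc.stdout.strip().splitlines()[-1]


def audit(path):
    """Combine classification and content check into one verdict string."""
    kind = classify_bundle(path)
    n = count_pem_certs(path)
    if n < 0:
        # A 'system' verdict on a missing file is the dangling-path case:
        # the vendored .pem is gone and the replacement is not installed.
        return "%s bundle %s is unreadable; TLS verification will fail" % (kind, path)
    return "%s bundle %s holds %d certificate(s)" % (kind, path, n)


if __name__ == "__main__":
    # Usage: python check_pip_trust.py /opt/rh/rh-python36/root/usr/bin/python
    interp = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    where = pip_bundle_path(interp)
    if where is None:
        sys.exit("could not run pip._vendor.requests.certs with %s" % interp)
    print(audit(where))
```

Run it once with the SCL interpreter and once with the base python3 to reproduce the comparison from the post; a verdict of "system bundle ... is unreadable" means the .pem removal landed but the ca-certificates package (assumed owner of the RHEL path) is not installed on that host.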