While hacking on Anitya yesterday, an idea occurred to me that may help
address the SSL/TLS cert bundling problem in a way that doesn't require
patching of modules and hence can be made compatible with virtual
environments.
Specifically, I had the idea of adding a new "--symlink
<file-pattern>@<link-target>" option to pip, such that you could do
things
like:
"pip install -r requirements.txt --symlink cacerts.txt@/etc/pki/tls/certs/ca-bundle.crt"
to replace any file called "cacerts.txt" in the packages being installed
with a symlink to "/etc/pki/tls/certs/ca-bundle.crt" instead (cacerts.txt
is the name httplib2 uses for its cert bundle).
Since we patch `python3-certifi` to use the system bundle, and running
`certifi` as a script prints the location of the cert bundle it is using,
that would mean you could do things like:
sudo dnf install python3-certifi
python -m pip install requests --symlink cacert.pem@`/usr/bin/python3 -m certifi`
and end up with an *unpatched* requests in the virtual environment that was
nevertheless still using the system certificate store.
I filed that idea on the pip issue tracker at
https://github.com/pypa/pip/issues/4197 but figured I should raise it here
as well, as if something like this was added, then Fedora could be updated
to use a standard symlink map when building RPMs, and the developer portal
could be updated with suggested `pip.conf` settings to use the system cert
bundle by default.
Cheers,
Nick.
--
Nick Coghlan | ncoghlan(a)gmail.com | Brisbane, Australia
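The symlink-map idea proposed above, worked through as an added example that is not pip's code or the author's: a small Python routine that parses a `<file-pattern>@<link-target>` spec, replaces every matching file under a site-packages tree with a symlink to the system bundle, and refuses dangling or relative targets (a dangling link would make every TLS verification fail). The `demo` helper builds a constructed layout under a temporary directory so it runs without root.

```python
import os
import fnmatch
from pathlib import Path


def parse_symlink_map(spec: str) -> tuple[str, Path]:
    """Split 'cacert.pem@/etc/pki/tls/certs/ca-bundle.crt' into (pattern, target)."""
    pattern, sep, target = spec.partition("@")
    if not sep or not pattern or not target:
        raise ValueError(f"expected <file-pattern>@<link-target>, got {spec!r}")
    target_path = Path(target)
    if not target_path.is_absolute():
        raise ValueError(f"link target must be absolute: {target!r}")
    if not target_path.is_file():
        # Refuse early: a dangling bundle link breaks certificate verification.
        raise FileNotFoundError(f"link target does not exist: {target!r}")
    return pattern, target_path


def apply_symlink_map(site_packages: Path, spec: str) -> list[Path]:
    """Replace each file whose basename matches the pattern with a symlink to
    the target.  Returns the files that were replaced; already-correct links
    are left alone so the operation is idempotent."""
    pattern, target = parse_symlink_map(spec)
    replaced = []
    for root, _dirs, files in os.walk(site_packages):
        for name in fnmatch.filter(files, pattern):
            path = Path(root) / name
            if path.is_symlink() and path.resolve() == target.resolve():
                continue  # already points at the system bundle
            path.unlink()
            path.symlink_to(target)
            replaced.append(path)
    return replaced


def demo(tmp: Path) -> list[Path]:
    """Constructed layout (hypothetical paths): a stand-in system bundle and a
    fake 'certifi' package shipping its own cacert.pem, both under `tmp`."""
    bundle = tmp / "etc" / "ca-bundle.crt"
    bundle.parent.mkdir(parents=True, exist_ok=True)
    bundle.write_text("# constructed stand-in for the system CA bundle\n")
    pkg = tmp / "site-packages" / "certifi"
    pkg.mkdir(parents=True, exist_ok=True)
    (pkg / "cacert.pem").write_text("# vendored bundle shipped by the wheel\n")
    (pkg / "core.py").write_text("# unrelated module, must stay untouched\n")
    return apply_symlink_map(tmp / "site-packages", f"cacert.pem@{bundle}")
```

After `demo` runs, reading `cacert.pem` through the package yields the system bundle's contents, which is exactly the effect the proposed pip option would give an unpatched wheel.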