[scl.org] [PATCH] Make rh-python36-python-pip use system ca cert trust (vs embedded)

James Flemer james.flemer at ndpgroup.com
Fri Apr 17 22:30:13 UTC 2020


Hi All,

I hope this is an appropriate channel for patch submissions. Here is a
patch that mirrors the base "python3-pip" approach to use the system CA
cert trust file, rather than the one that gets embedded into pip via the
Requests/Certifi packages. This is preferable because it lets pip pickup
locally administered CA trust (e.g. certs issued by an internal CA). This
helps immensely when running a private secure pip/pypy repo!

This should be testable by comparing the output of these two commands:
scl enable rh-python36 'python -mpip._vendor.requests.certs'
python3 -mpip._vendor.requests.certs

The output if pip is using bundled certs is something like:
/opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/pip/_vendor/requests/cacert.pem
versus system certs:
/etc/pki/tls/certs/ca-bundle.crt

A similar patch could probably be applied to prior SCL python (3.[345]).
But I hope by getting it in 3.6, it will walk forward for 3.7+.

The attached patch is public domain.

attached: 0001-include-patch-from-python-pip-for-system-CA-cert-tru.patch

Regards,

James Flemer

NDP
1909 26th Street, Suite 1E
Boulder, Colorado 80302
Office: 720-897-7334
Cell: 970-217-3204
james.flemer at ndpgroup.com
www.ndpgroup.com

-- 
Confidential, proprietary, and/or 
privileged information may be contained 
in, and attached to, this 
message.  The information transmitted is 
intended only for the 
individual or entity to which it is addressed.  Any 
review, 
retransmission, dissemination or other use of, or taking of any 
action 
in reliance upon this information in this transmission by persons 
or 
entities other than the intended recipient(s) is prohibited. If you 

received this transmission in error, please immediately contact the 
sender 
and delete the material from all computers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/sclorg/attachments/20200417/10f94aea/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-include-patch-from-python-pip-for-system-CA-cert-tru.patch
Type: application/x-patch
Size: 2733 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/sclorg/attachments/20200417/10f94aea/attachment.bin>


More information about the SCLorg mailing list