
Use cacert.pem from certifi 2024.7.4. #14

Merged: 2 commits merged into pex/patches/generation-2 from certifi/refresh-cacert.pem on Jul 25, 2024

Conversation

@jsirois (Member) commented Jul 25, 2024

Add nox -e update-certifi-cacert-pem and run it to refresh Pip's
vendored certifi with the latest CA certs that should be trusted.

CF #12 by @gs-kamnas that prompted this.

This allows updating Pex's vendored Pip with the latest CA certs from
certifi without updating Pip's vendored certifi code otherwise. This is
useful since certifi has dropped support for Pythons Pex supports, but
the `cacert.pem` file it uses has a stable format across all certifi
versions.
@gs-kamnas commented
This looks reasonable from an implementation and security standpoint as well. Valid point with regards to compatibility limitations with older python interpreter versions in my implementation in #12.

@jsirois (Member, Author) commented Jul 25, 2024

@gs-kamnas thanks for prompting this long overdue refresh. I'm sorry I didn't notice your PR until just a few days ago! Pex vendored this old Pip a good while ago and so I ~never look back here, but was prompted by the fix for statically compiled CPython support.

@benjyw I've tested this out over in a Pex branch and the comment I add at the top of the cacert.pem causes no issues; so I'll submit and fire up a Pex change to get out this security fix.
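The PR description relies on certifi's `cacert.pem` having a stable format (a plain concatenation of PEM certificate blocks separated by `#` comment lines), and the comment above notes that a header comment added at the top of the file is harmless. The script below is an added example, not code from this PR or from the pex-tool/pip fork: it parses a bundle in that format, rejects structurally broken blocks, and reports which roots a refresh added or removed by SHA-256 fingerprint of the DER bytes, which is the review a maintainer wants before trusting a swapped-in CA bundle. The sample bundles are constructed here; their base64 payloads are placeholder bytes, not real X.509 certificates, and the header comment text is hypothetical.

```python
"""Parse and diff PEM CA bundles in certifi's cacert.pem layout.

Added example (not the project's code). Fingerprints are SHA-256 over the
DER bytes, the same quantity OpenSSL and certifi's comment lines report.
"""
import base64
import binascii
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_pem_bundle(text):
    """Return a list of DER byte strings, one per certificate block.

    '#' comment lines and blank lines outside a block are ignored, so a
    header comment at the top of the file cannot break parsing. Raises
    ValueError on stray text, a nested or unterminated block, or a body
    that is not valid base64.
    """
    ders = []
    body = None  # None while outside a block; a list of lines inside one
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if body is None:
            if line == BEGIN:
                body = []
            elif line and not line.startswith("#"):
                raise ValueError("line %d: text outside a certificate block" % lineno)
        elif line == END:
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError("line %d: bad base64 in certificate body: %s" % (lineno, exc))
            if not der:
                raise ValueError("line %d: empty certificate block" % lineno)
            ders.append(der)
            body = None
        elif line == BEGIN:
            raise ValueError("line %d: nested BEGIN (END missing above)" % lineno)
        else:
            body.append(line)
    if body is not None:
        raise ValueError("unterminated certificate block at end of file")
    return ders


def fingerprint(der):
    """SHA-256 fingerprint of DER bytes, colon-separated upper-case hex."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def diff_bundles(old_text, new_text):
    """Return (added, removed) sets of fingerprints between two bundles."""
    old = {fingerprint(d) for d in parse_pem_bundle(old_text)}
    new = {fingerprint(d) for d in parse_pem_bundle(new_text)}
    return new - old, old - new


def _constructed_block(label, payload):
    """Wrap constructed placeholder bytes in a PEM block with a certifi-style
    comment. NOT a real certificate; it only exercises the bundle format."""
    b64 = base64.b64encode(payload).decode("ascii")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "# Label: %s\n%s\n%s\n%s\n" % (label, BEGIN, wrapped, END)


# Constructed sample bundles: the "old" vendored file and a refreshed one.
OLD_BUNDLE = (
    "# constructed sample bundle (old)\n\n"
    + _constructed_block("Root A", b"constructed root A")
    + "\n" + _constructed_block("Root B", b"constructed root B")
)
NEW_BUNDLE = (
    "# Hypothetical header: refreshed from certifi 2024.7.4\n\n"
    + _constructed_block("Root A", b"constructed root A")
    + "\n" + _constructed_block("Root C", b"constructed root C")
)


def example():
    """Parse the refreshed bundle and count added/removed roots."""
    added, removed = diff_bundles(OLD_BUNDLE, NEW_BUNDLE)
    return len(parse_pem_bundle(NEW_BUNDLE)), len(added), len(removed)


if __name__ == "__main__":
    total, added, removed = example()
    print("new bundle: %d certs, %d added, %d removed" % (total, added, removed))
```

Running it against a real pair of `cacert.pem` files (read with `open(...).read()`) lists the roots that a refresh introduces and drops, so the change can be checked against certifi's own release notes rather than accepted as an opaque file swap.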

@gs-kamnas commented
Appears that the testsuite also requires making calls to Git as part of execution.

Therefore certifi/refresh-cacert.pem...gs-kamnas:pex-pip:certifi/refresh-cacert.pem may help with a few of the testcases that are presently failing.

@jsirois (Member, Author) commented Jul 25, 2024

@gs-kamnas - yeah - these are the Pip project's CI setups, which I haven't tried to get / keep working in the fork. My ground-truth CI for any edits I make in this branch is back in pex-tool/pex, where it heavily exercises Pip 20.3.4+patched (its vendored Pip that comes from this branch).

@jsirois jsirois merged commit 4850833 into pex/patches/generation-2 Jul 25, 2024
1 of 7 checks passed
@jsirois jsirois deleted the certifi/refresh-cacert.pem branch July 25, 2024 19:18
@jsirois (Member, Author) commented Jul 25, 2024

Ok, this is being used in pex-tool/pex#2476
