Add SSL_CERT_DIR and SSL_CERT_FILE to the default for [subprocess-environment].env_vars #14808

Merged (3 commits) on Mar 16, 2022

Eric-Arellano
Contributor

As explained at pex-tool/pex#1674 and discussed in https://pantsbuild.slack.com/archives/C0D7TNJHL/p1647388552764289, Python's ssl std-lib looks to SSL_CERT_FILE when it is not explicitly told what cert to load. Pex's lockfile consumption uses that code path, so by Pants stripping SSL_CERT_FILE from the environment by default, certs fail to work in certain environments.

pex-tool/pex#1674 proposes instead teaching Pex to bundle fallback certs via certifi. But we can't control other ecosystems as tightly as Pex like that, so we decided in Slack it makes more sense for us to by default propagate SSL_CERT_FILE so that by default things Just Work.

As before, users can override [GLOBAL].ca_certs_path if they don't want to rely on the SSL_CERT_FILE fallback.

Note that there is some remote caching downside to including SSL_CERT_FILE in the default: if the value diverges between machines, then the cache cannot be used. Because this env var seems to be standard with OpenSSL, that's fine. Also, admins trying to optimize cross-machine cache hits can always remove this setting.

# Rust tests and lints will be skipped. Delete if not intended.
[ci skip-rust]

# Building wheels and fs_util will be skipped. Delete if not intended.
[ci skip-build-wheels]
@Eric-Arellano Eric-Arellano merged commit c5ca49e into pantsbuild:main Mar 16, 2022
@Eric-Arellano Eric-Arellano deleted the ssl-file branch March 16, 2022 21:04
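
An added illustration of the behaviour the PR description refers to (not code from Pants or Pex): a child Python process is started with an allowlisted environment, once without and once with SSL_CERT_FILE and SSL_CERT_DIR, and reports where its ssl module will look for CA certificates by default. The allowlist contents, helper names and the temporary bundle file are assumptions made for this example.

```python
import json
import os
import subprocess
import sys
import tempfile

# Constructed allowlists standing in for [subprocess-environment].env_vars;
# they are assumptions for this example, not Pants' actual defaults.
BASE_ALLOWLIST = ("PATH", "LANG", "LC_ALL", "LD_LIBRARY_PATH")
WITH_SSL_VARS = BASE_ALLOWLIST + ("SSL_CERT_DIR", "SSL_CERT_FILE")

# Runs in the child: report where the ssl module will look for CA certs
# when no cafile/capath is passed explicitly.
CHILD = (
    "import json, ssl; p = ssl.get_default_verify_paths(); "
    "print(json.dumps({'cafile': p.cafile, 'capath': p.capath, "
    "'file_env': p.openssl_cafile_env, 'dir_env': p.openssl_capath_env}))"
)


def filtered_env(parent_env, allowlist):
    """Keep only allowlisted variables, as a hermetic build tool would."""
    return {k: v for k, v in parent_env.items() if k in allowlist}


def child_verify_paths(parent_env, allowlist):
    """Spawn a Python child with the filtered env and return its ssl defaults."""
    out = subprocess.run(
        [sys.executable, "-c", CHILD],
        env=filtered_env(parent_env, allowlist),
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def compare(bundle_path):
    """Resolve ssl defaults in a child with and without the SSL_* variables."""
    parent = dict(os.environ, SSL_CERT_FILE=bundle_path)
    parent.pop("SSL_CERT_DIR", None)
    return (child_verify_paths(parent, BASE_ALLOWLIST),
            child_verify_paths(parent, WITH_SSL_VARS))


if __name__ == "__main__":
    # Constructed stand-in for a site CA bundle; only its path matters here.
    with tempfile.NamedTemporaryFile(suffix=".pem") as bundle:
        stripped, propagated = compare(bundle.name)
        print("stripped:  ", stripped["cafile"])
        print("propagated:", propagated["cafile"])
```

With the variables stripped, the child resolves the OpenSSL build's compiled-in default path (or nothing, if that file does not exist) instead of the bundle the parent environment pointed at.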
stuhood added a commit to stuhood/pants that referenced this pull request Jun 24, 2022
# Rust tests and lints will be skipped. Delete if not intended.
[ci skip-rust]
stuhood added a commit to stuhood/pants that referenced this pull request Jun 24, 2022
[ci skip-rust]
[ci skip-build-wheels]
stuhood added a commit that referenced this pull request Jun 25, 2022
stuhood added a commit to stuhood/pants that referenced this pull request Jun 28, 2022
stuhood added a commit to stuhood/pants that referenced this pull request Jun 28, 2022
stuhood added a commit to stuhood/pants that referenced this pull request Jun 28, 2022
stuhood added a commit that referenced this pull request Jun 28, 2022
…ck of #15943) (#15972)

See #14808.

[ci skip-rust]
[ci skip-build-wheels]
stuhood added a commit that referenced this pull request Jun 28, 2022
…ck of #15943) (#15973)

See #14808.

[ci skip-rust]
[ci skip-build-wheels]
stuhood added a commit that referenced this pull request Jun 28, 2022
…ck of #15943) (#15974)

See #14808.

[ci skip-rust]
[ci skip-build-wheels]