Showing content from https://mail.python.org/pipermail/python-dev/2017-June/148136.html below:

[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Cory Benfield cory at lukasa.co.uk
Thu Jun 1 06:23:03 EDT 2017
> On 1 Jun 2017, at 11:18, Antoine Pitrou <solipsis at pitrou.net> wrote:
> 
> On Thu, 1 Jun 2017 20:05:48 +1000
> Chris Angelico <rosuav at gmail.com> wrote:
>> 
>> As stated in this thread, OS-provided certificates are not handled by
>> that. For instance, if a local administrator distributes a self-signed
>> cert for the intranet server, web browsers will use it, but pip will
>> not.
> 
> That's true.  But:
> 1) pip could grow a config entry to set an alternative or additional CA
> path

No it can’t.

Exporting the Windows or macOS security store to a big file of PEM is a security vulnerability because the macOS and Windows security stores expect to work with their own certificate chain building algorithms. OpenSSL builds chains differently, and disregards some metadata that Windows and macOS store, which means that cert validation will work differently than in the system store. This can lead to pip accepting a cert marked as “untrusted for SSL”, for example, which would be pretty bad.

Cory
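
An added illustration of the metadata loss described in the message above; it is not part of the original post and is not pip's code. The rows are constructed stand-ins shaped like the `(cert_bytes, encoding_type, trust)` tuples that `ssl.enum_certificates()` returns on Windows, and the byte strings are placeholders rather than real DER. Filtering by purpose restores only the trust flag, not the platform's chain-building behaviour.

```python
import ssl

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning

# Constructed sample store. trust is True (trusted for every purpose) or a
# set of extended-key-usage OIDs the store permits for that certificate.
SAMPLE_STORE = [
    (b"placeholder-root-A", "x509_asn", True),
    (b"placeholder-root-B", "x509_asn", {SERVER_AUTH_OID}),
    (b"placeholder-root-C", "x509_asn", {CODE_SIGNING_OID}),  # not for TLS
    (b"placeholder-root-D", "x509_asn", set()),               # no purposes
]


def naive_pem_export(rows):
    """Dump every X.509 entry to PEM. The trust column has nowhere to go,
    so every certificate in the bundle becomes an unrestricted root."""
    return [ssl.DER_cert_to_PEM_cert(der)
            for der, encoding, _trust in rows if encoding == "x509_asn"]


def purpose_aware_export(rows, purpose_oid=SERVER_AUTH_OID):
    """Keep only entries the store itself trusts for the given purpose."""
    return [ssl.DER_cert_to_PEM_cert(der)
            for der, encoding, trust in rows
            if encoding == "x509_asn"
            and (trust is True or purpose_oid in trust)]


def wrongly_trusted(rows, purpose_oid=SERVER_AUTH_OID):
    """Entries a naive bundle would offer as TLS roots against store policy."""
    return [der for der, encoding, trust in rows
            if encoding == "x509_asn"
            and trust is not True and purpose_oid not in trust]


if __name__ == "__main__":
    print("naive bundle size:        ", len(naive_pem_export(SAMPLE_STORE)))
    print("purpose-aware bundle size:", len(purpose_aware_export(SAMPLE_STORE)))
    for der in wrongly_trusted(SAMPLE_STORE):
        print("trusted for TLS only in the naive bundle:", der.decode())
```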