hundreds-father-404
03/15/2022, 11:55 PM

hundreds-father-404
03/15/2022, 11:55 PM
[GLOBAL].ca_certs_path and b) have SSL_CERT_FILE in your env *but did not tell Pants about it. Consuming a lockfile might give you a certificate issue.
For pantsbuild/pants, this breaks our Linux Build Wheels job which uses the manylinux2014 docker image. Everything else is fine though.
There are 3 solutions from Pants's perspective, I think:
1. Expect users to set [GLOBAL].ca_certs_path
2. Add SSL_CERT_FILE to the default env vars
3. Change Pex to behave more like pip

bitter-ability-32190
03/16/2022, 12:12 AM
ca_certs_path to 🙈

hundreds-father-404
03/16/2022, 12:13 AM
env and then copying the value for SSL_CERT_FILE. But yeah, definitely

hundreds-father-404
03/16/2022, 12:17 AM
certifi is a sensible fallback. Problem solved

hundreds-father-404
03/16/2022, 4:38 PM
certifi is not perfect.
It doesn't help us address how we handle other language integrations like Go & JS that need certs. Not guaranteed we can have those integrations embed their own root certs via something like `certifi`; even if they could:
having every vertical embed its own root cert bundle of varying birth date & pedigree is ... clearly not awesome. Which would suggest we consider options 1 or 2. -- cc @happy-kitchen-89482 @witty-crayon-22786 @bitter-ability-32190, thoughts? This reminds me of the discussion at https://github.com/pantsbuild/pants/issues/14281 on Pants lockfile headers: how much to unify a solution vs deal with things on a per-language ecosystem.

hundreds-father-404
03/16/2022, 4:44 PM
SSL_CERT_FILE to the default env is reasonable, user-friendly, and easy to implement. I think my vote is for that

witty-crayon-22786
03/16/2022, 4:48 PM
option.remove =

hundreds-father-404
03/16/2022, 4:56 PM
HTTPS_PROXY and HTTP_PROXY by default?

bitter-ability-32190
03/16/2022, 5:03 PM

witty-crayon-22786
03/16/2022, 5:04 PM
PATH though. see https://github.com/pantsbuild/pants/issues/12203

witty-crayon-22786
03/16/2022, 5:05 PM

witty-crayon-22786
03/16/2022, 5:06 PM

witty-crayon-22786
03/16/2022, 5:07 PM

witty-crayon-22786
03/16/2022, 5:07 PM

curved-television-6568
03/16/2022, 6:38 PM
info goal, to help identify settings that are potential cache “hotspots” if we accumulate more of these default settings that may have a negative impact on performance due to cache misses in favour of usability.

curved-television-6568
03/16/2022, 6:42 PM
> settings I don’t quite understand (option 1)
(this is perhaps not the place, but) the ca_cert_path, or SSL_CERT_FILE etc, what all these options do, is to allow providing your own set of certificates (root certs, sub ca certs etc) to support communicating securely with servers that have custom/in house created certificates, and thus won’t work with only the officially provided certificate bundles.

curved-television-6568
03/16/2022, 6:43 PM

happy-kitchen-89482
03/16/2022, 7:12 PM

happy-kitchen-89482
03/16/2022, 7:12 PM

happy-kitchen-89482
03/16/2022, 7:14 PM

happy-kitchen-89482
03/16/2022, 7:15 PM

witty-crayon-22786
03/16/2022, 7:15 PM

happy-kitchen-89482
03/16/2022, 7:15 PM

hundreds-father-404
03/16/2022, 7:16 PM
> Arguably if you don't need it, it won't be set in your environment, I guess
Exactly this. Note that our Linux and macOS jobs were all fine because they don't set SSL_CERT_FILE. It was only the manylinux2014 docker image

witty-crayon-22786
03/16/2022, 7:16 PM
HTTPS_PROXY would be more likely to be set differently on different hosts: particularly laptops. but maybe I don’t understand how it is used.

happy-kitchen-89482
03/16/2022, 7:19 PM

curved-television-6568
03/16/2022, 7:24 PM
> or at least not by default
Or, it’s a list of env vars to consider for the fingerprint. So you can have those that potentially affect the resulting data of the Process included, like PATH, while those that are only used to facilitate the execution to function, like ssl and proxy settings to be excluded.