Changeset 012af22

Timestamp:

12/01/2022 08:18:33 PM (4 months ago)

Author:

Ken Moffat <ken@…>

Branches:

11.3, ken/inkscape-core-mods, plabs/python-mods, qt5new, trunk

Children:

faf21451

Parents:

5a8c6008

Message:

Explain how to use system certificates with python3.

Files:

• introduction/welcome/changelog.xml (modified) (1 diff)
• postlfs/security/make-ca.xml (modified) (1 diff)

introduction/welcome/changelog.xml

@@ -40 +40 @@
     -->
     <listitem>
+      <para>December 1st, 2022</para>
+      <itemizedlist>
+        <listitem>
+          <para>[ken] - Add page explaining how to use the system CA
+          Certificates with the vendored Python pip installed in LFS. Fixes
+          <ulink url="&blfs-ticket-root;17354">#17354</ulink>.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
+    <listitem>
       <para>November 30th, 2022</para>
       <itemizedlist>

postlfs/security/make-ca.xml

@@ -275 +275 @@
   </sect2>
 
+  <sect2 role="configuration" id="make-ca-python">
+    <title>Using make-ca with Python3</title>
+
+    <para>
+      When <application>Python3</application> was installed in LFS it included
+      the <application>pip3</application> module with vendored certificates
+      from the <application>Certifi</application> module. That was necessary,
+      but it means that whenever <command>pip3</command> is used it can reference
+      those certificates, primarily when creating a virtual environment or when
+      installing a module with all its wheel dependencies in one go.
+    </para>
+
+    <para>
+      It is generally considered that the System Administrator should be in
+      charge of which certificates are available. Now that <xref
+      linkend="make-ca"/> and <xref linkend="p11-kit"/> have been installed and
+      <application>make-ca</application> has been configured, it is possible to
+      make <command>pip3</command> use the system certificates.
+    </para>
+
+    <para>
+      The vendored certificates installed in LFS are a snapshot from when the
+      pulled-in version of <application>Certifi</application> was created. If
+      you regularly update the system certificates, the vendored version will
+      become out of date.
+    </para>
+
+    <para>
+      To use the system certificates in <application>Python3</application> you
+      should set <envar>_PIP_STANDALONE_CERT</envar> to point to them, e.g for
+      the <application>bash</application> shell:
+    </para>
+
+<screen><userinput>export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt</userinput></screen>
+
+    <warning>
+      <para>
+        If you have created virtual environments, for example when testing modules,
+        and those include the <application>Requests</application> and
+        <application>Certifi</application> modules in <filename
+        class="directory">~/.local/lib/python3.11/</filename> then those local
+        modules will be used instead of the system certificates unless you
+        remove the local modules.
+      </para>
+    </warning>
+
+    <para>
+      To use the system certificates in <application>Python3</application> with
+      the BLFS profiles add the following variable to your system or personal
+      profiles:
+    </para>
+
+<screen role="root"><userinput>
+cat &gt; /etc/profile.d/pythoncerts.sh &lt;&lt; "EOF"
+<literal># Begin /etc/profile.d/pythoncerts.sh
+
+export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt
+
+# End /etc/profile.d/pythoncerts.sh</literal>
+EOF</userinput></screen>
+
+  </sect2>
+
   <sect2 role="content">
     <title>Contents</title>