[PATCH STABLE] sslutil: guard against broken certifi installations (issue5406)

Gábor STEFANIK Gabor.STEFANIK at nng.com
Wed Oct 19 13:07:30 EDT 2016



-----Original Message-----
> From: Kevin Bullock [mailto:kbullock+mercurial at ringworld.org]
> Sent: Wednesday, October 19, 2016 6:18 PM
> To: Gábor STEFANIK <Gabor.STEFANIK at nng.com>
> Cc: mercurial-devel at mercurial-scm.org
> Subject: Re: [PATCH STABLE] sslutil: guard against broken certifi installations
> (issue5406)
>
> > On Oct 19, 2016, at 11:07, Gábor Stefanik <gabor.stefanik at nng.com> wrote:
> >
> > # HG changeset patch
> > # User Gábor Stefanik <gabor.stefanik at nng.com>
> > # Date 1476893174 -7200
> > #      Wed Oct 19 18:06:14 2016 +0200
> > # Branch stable
> > # Node ID 77e20e2892a869717db636f56ab1b9664fc8b285
> > # Parent  e478f11e418288b8308457303d3ddf6a23f874f8
> > sslutil: guard against broken certifi installations (issue5406)
> >
> > Certifi is currently incompatible with py2exe; the Python code for
> > certifi gets included in library.zip, but not the cacert.pem file -
> > and even if it were included, SSLContext can't load a cacert.pem file from
> > library.zip.
> > This currently makes it impossible to build a standalone Windows
> > version of Mercurial.
> >
> > Guard against this, and possibly other situations where a module with
> > the name "certifi" exists, but is not usable.
> >
> > diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> > --- a/mercurial/sslutil.py
> > +++ b/mercurial/sslutil.py
> > @@ -695,9 +695,10 @@
> >     try:
> >         import certifi
> >         certs = certifi.where()
> > -        ui.debug('using ca certificates from certifi\n')
> > -        return certs
> > -    except ImportError:
> > +        if os.path.exists(certs):
> > +            ui.debug('using ca certificates from certifi\n')
> > +            return certs
> > +    except:
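Review bot: The bare `except:` on the last added line also catches KeyboardInterrupt and SystemExit, so a Ctrl-C that arrives during `import certifi` or `certifi.where()` is silently discarded; `except Exception:` still covers ImportError and an AttributeError from a module without `where()`. Separately, when `os.path.exists(certs)` is false the code falls through with no `ui.debug` output, so a debug line naming the missing path would show that certifi was found but its bundle was skipped. The hunk also relies on `os` being imported in sslutil.py, which the visible context does not show.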
>
> You've gone from catching an ImportError to swallowing all exceptions.

Intentional. ImportError is not the only thing that can be thrown here;
e.g. if "certifi" is actually some unrelated module with no "where()" method.

No reason to let certifi crash Hg under any circumstances.

>
> pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
> Kevin R. Bullock
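
The failure modes discussed in this thread, as an added example that is not part of the patch or of Mercurial's code: a guarded certifi lookup exercised against constructed stand-in modules. The names `certifi_bundle`, `run_with` and `fake` are hypothetical, and the sketch assumes `except Exception` in place of the patch's bare `except` so that KeyboardInterrupt still propagates.

```python
# Added illustration: names are hypothetical, the fake modules are constructed.
import os
import sys
import types


def certifi_bundle(debug=lambda msg: None):
    """Return certifi's CA bundle path, or None when certifi is unusable."""
    try:
        import certifi
        certs = certifi.where()
        if os.path.exists(certs):
            debug('using ca certificates from certifi\n')
            return certs
        debug('certifi bundle not on disk: %s\n' % certs)
    except Exception as exc:  # unlike a bare except, Ctrl-C still propagates
        debug('certifi unusable: %s\n' % type(exc).__name__)
    return None


def run_with(module):
    """Run certifi_bundle() with sys.modules['certifi'] set to module."""
    saved = sys.modules.get('certifi')
    sys.modules['certifi'] = module  # None makes the import raise ImportError
    log = []
    try:
        return certifi_bundle(log.append), log
    finally:
        sys.modules.pop('certifi', None)
        if saved is not None:
            sys.modules['certifi'] = saved


def fake(where=None):
    """Constructed stand-in for a module named certifi."""
    mod = types.ModuleType('certifi')
    if where is not None:
        mod.where = where
    return mod


if __name__ == '__main__':
    frozen = os.path.join('library.zip', 'certifi', 'cacert.pem')  # constructed
    for name, mod in [('not installed', None), ('no where()', fake()),
                      ('py2exe-style path', fake(lambda: frozen)),
                      ('working', fake(lambda: os.__file__))]:
        print(name, run_with(mod))
```

Every broken case returns `None` with a debug line saying why, so the caller can fall back to another CA source and the reason stays visible in debug output.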


