[PATCH STABLE] sslutil: guard against broken certifi installations (issue5406)

Yuya Nishihara yuya at tcha.org
Thu Oct 20 11:32:40 EDT 2016


On Wed, 19 Oct 2016 18:07:01 +0000, Gábor STEFANIK wrote:
> > >> You've gone from catching an ImportError to swallowing all exceptions.
> > >
> > > Intentional. ImportError is not the only thing that can be thrown
> > > here; e.g. if "certifi" is actually some unrelated module with no "where()"
> > method.
> > >
> > > No reason to let certifi crash Hg under any circumstances.
> >
> > I have a hard time imagining how another module named "certifi" without a
> > where() method would show up on any sane system.
> >
> > As Greg said, bare `except:` is banned in Mercurial. Catch the exceptions you
> > expect might happen, none others.
> 
> Would "except Exception:" be acceptable? that one doesn't catch KeyboardInterrupt and other problematic exceptions.

ui.debug() might raise IOError. I would catch AttributeError instead.

  try:
      import certifi
      certs = certifi.where()
  except (AttributeError, ImportError):
      pass
  else:
      ui.debug('using ca certificates from certifi\n')
      return certs

And you'll need to update the comment added at a62c00f6dd04 since we'll have
more fallback cases.


More information about the Mercurial-devel mailing list