Truststore by default

[sethmlarson]

Follow up to #11082 which makes truststore w/ certifi the default behavior on Python 3.10+. This behavior can be opted-out of in favor of old behavior with --use-feature=no-truststore.

TODO:

• Add a NEWS entry
• Update documentation with the new situation and feature
• Add more tests? Unsure how I can test that truststore isn't used when no-truststore is specified.

cc @davisagli @pradyunsg @uranusjr

[pypa-bot]

Hello!

I am an automated bot and I have noticed that this pull request is not currently able to be merged. If you are able to either merge the master branch into this pull request or rebase this pull request against master then it will eligible for code review and hopefully merging!

[uranusjr]

Is it possible to do better detection? OSError seems too coarse.

[sethmlarson]

Right now truststore raises an OSError when the macOS APIs that we need aren't available (ie macOS 10.8). Maybe we can change that error to ImportError instead? cc @davisagli

[davisagli]

@sethmlarson Or maybe a custom subclass of ImportError or OSError? It'd be nice to be able to distinguish between an expected condition (not supported) and an ImportError due to something being messed up with the installation of the vendored package.

[sethmlarson]

So @davisagli and I discussed this and unfortunately because this has to happen at import time we couldn't go the route of a custom exception, so we decided to standardize on raising an ImportError whenever the module can't support the current platform/Python version (currently only macOS 10.7 and earlier raise this error).

Hope this works for you, let me know your thoughts.

[sethmlarson]

@uranusjr Thanks for the review, just to double-check, I didn't add any new tests but because this is the new default behavior I figured this would be okay? Let me know if there is any work to be done outside this PR to prepare for this change (I'll likely write a blog post, but happy to help elsewhere too!)

[uranusjr]

I imagine it may be difficult to test this in any case since the feature relies on system configuration by nature. I’m tentitively adding this to 23.1 but the RM has a final say.

[pfmoore]

This doesn't seem to be following our normal transition policy. In particular, our documentation notes that legacy features enabled by a --use-legacy flag "should always include a warning that indicates when the feature is scheduled to be removed". And there isn't one here. (Also, as this is only enabled when Python 3.10 is available, "legacy certificates" won't get removed until we desupport Python 3.9, so it's hardly "legacy" in the sense we normally use the term...)

Furthermore, users who will see a change in behaviour when this gets enabled will have seen no advance warning that it's coming, and will have had no indication that they may need to test or make changes to their certificate handling. My impression is that this is intended to simply add extra ways that a certificate could be treated as valid, so it shouldn't break anything that works right now, but how sure are we of that? People do crazy things...

I suspect very few people will have tried the new feature yet, as it requires installing a support module and enabling an opt-in flag. So I'd consider the new functionality mostly "untried" at this point. I know it's hard to get people to test new stuff, but can we not at least do something to publicise the change in advance?

Sorry, but I'm going to reject this for 23.1, on the basis that the transition process needs a bit more work, and I don't want that to be rushed just to get the feature into 23.1.

I'm open to arguments to reconsider, but they'll need to be based around explanations of how the current approach is safer than I think it is, not around how we can improve the PR (which will be a fine approach, but not for 23.1)

[sethmlarson]

Thanks for your review and detailed thought process @pfmoore! I agree on your reasoning for not including this in 23.1. I had a few questions on how best to proceed:

I suspect very few people will have tried the new feature yet, as it requires installing a support module and enabling an opt-in flag. So I'd consider the new functionality mostly "untried" at this point. I know it's hard to get people to test new stuff, but can we not at least do something to publicise the change in advance?

Agreed, I'm thinking for 23.1 we could:

• Vendor truststore 0.7.0 as we've proposed here to avoid the install
• Start emitting a warning asking for opt-in for Python 3.10+?

Then we can start getting a lot more feedback and hopefully be more confident with this change being purely additive. Do you agree with this approach, and if so I can rapidly create a PR to meet 23.1?

Also, as this is only enabled when Python 3.10 is available, "legacy certificates" won't get removed until we desupport Python 3.9, so it's hardly "legacy" in the sense we normally use the term...

Since this change should be additive for Python 3.10+ compared to Python 3.9 and earlier, do you see it being necessary to have Python 3.9 support removed before Python 3.10+ would always have this new behavior? In my mind, Python 3.9 and earlier wouldn't be dependent on this change moving forward.

[pfmoore]

I'm not particularly familiar with the use cases involved here, so I'm not the best person to comment - hopefully @uranusjr can help out.

One question I do have - is truststore now considered stable? In other words, are we safe to vendor it on the assumption that any issues (which have the potential to be security issues, I guess) will be handled via our usual "please report to the vendored project, we'll wait for them to issue a fix and then pick that up in our routine revendoring at our next scheduled release"? I ask because #11082 deliberately didn't vendor for this reason, and the release cadence still seems pretty fast to me.

I don't like the idea of an "always on" warning nagging people to use a new feature that may have no value to them. At least I assume that for a lot of people it will have no value - I've personally never had a problem because pip uses certifi rather than the system store. What are the target users for this feature, in fact? Presumably it's groups with custom indexes whose certificate is in the system store (managed corporately somehow) who are currently using a dedicated certificate file and who could drop it if they used the system store? So they have a bit of management overhead that they'd be glad to get rid of?

Conversely, what are the potential failure cases here? How could switching to use the system store cause something to fail that is currently working? Presumably one case would be "certificate expires and corporate are slow updating the system store"? If it's not obvious, I'm not a security specialist, so if these are dumb scenarios, feel free to ignore them and tell me what would be good ones. My concern here is people screaming "you broke my build pipeline" because there was a behaviour change that we hadn't told them about. Those people are typically the same ones who claim that adding an opt-out flag to all of their jobs isn't practical¹.

Agreed, I'm thinking for 23.1 we could:

• Vendor truststore 0.7.0 as we've proposed here to avoid the install
• Start emitting a warning asking for opt-in for Python 3.10+?

I'll be honest, given that 23.1 is due at the end of this week, this still feels too much like trying to work out a solution under time pressure to me. I'm still inclined to say let's do nothing in 23.1 and get a proper plan in place after 23.1, so that it's ready to go in good time for 23.2 (and 23.3, if it needs a phased approach, as I feel it probably does).

Footnotes

1. I'm not sure I believe the situation is as dire as it's often painted, but I'm not willing to fight that battle over this change in particular... ↩

[pfmoore]

As there has been no further comments on this, I'm moving it to the 23.2 milestone.

[pfmoore]

There's been nothing further on this, and 23.2 is probably under a month away. @sethmlarson do you have any thoughts on how to proceed, or should we consider moving this to 23.3? I'm not (yet...) the RM for 23.3, but I'd be concerned about having this land at the last minute, just before a release. I know we don't do formal betas, but I still think it's better to get large features in earlier in the release cycle rather than later.

[sethmlarson]

@pfmoore Hey Paul, I agree that trying to get this PR in in it's current state wouldn't be a good idea. Apologies for not getting back to you sooner on this one.

One question I do have - is truststore now considered stable? In other words, are we safe to vendor it on the assumption that any issues (which have the potential to be security issues, I guess) will be handled via our usual "please report to the vendored project, we'll wait for them to issue a fix and then pick that up in our routine revendoring at our next scheduled release"? I ask because #11082 deliberately didn't vendor for this reason, and the release cadence still seems pretty fast to me.

I consider it so, the core functionality (and everything that pip would need) is working and we've received no complaints so far with modest usage. I can throw together a PR that only vendors the project and removes the installation instruction from the documentation if you're still okay with this approach.

Conversely, what are the potential failure cases here? How could switching to use the system store cause something to fail that is currently working?

In the general case switching from "certifi is trust store" to "system trust store with certifi supplementing" shouldn't have an impact on folks since the same root to leaf chains should be . I'm sure there are ways that users could get in trouble, like if the system trust store could be configured to avoid supplemental CAs or something like that but I'm not familiar with all the configuration options available on Windows and macOS to know what's possible here.

What are the target users for this feature, in fact?

In addition to all the benefits of an OS trust store over a static trust store, this change is part of an effort to put Python more in line with other ecosystems where the system trust store is used instead of a trust store that's distributed+updated+managed "out-of-band" compared to all other software on the system.

From the PEP 543 rationale on "why system trust stores":

Relying on certifi is less than ideal, as most system administrators do not expect to receive security-critical software updates from PyPI. Additionally, it is not easy to extend the certifi trust bundle to include custom roots, or to centrally manage trust using the certifi model.

Even in situations where the system certificate stores are made available to OpenSSL in some form, the experience is still sub-standard, as OpenSSL will perform different validation checks than the platform-native TLS implementation. This can lead to users experiencing different behaviour on their browsers or other platform-native tools than they experience in Python, with little or no recourse to resolve the problem.

[ichard26]

@sethmlarson the 24.2 development period has started. Probably good time to update this PR (at least to pull in the CI fixes).

[ichard26]

(kicking CI... fingers crossed)

[ichard26]

I think the docs could be even a bit clearer, but otherwise LGTM. Thank you!

[ichard26]

Just curious, what's the purpose of this addition?

[sethmlarson]

This change was done to ensure that this change is backwards compatible, so now instead of only using certifi the trust store is the union of certifi and the system trust store.

[ichard26]

Fair enough. I was just confused AFAIU the codebase already falls back to certifi even without this line, but maybe that's not --use-feature=truststore did. 👍

[ichard26]

Windows CI is failing due to flaky tests I introduced earlier. They should be fixed once #12839 is merged. Sorry about the trouble!

[pradyunsg]

Oh fun. It obviously doesn't sign commits made on the web UI for others.

[sethmlarson]

@pradyunsg Looks like the rebase has a passing test suite, ready to merge whenever :)

[ichard26]

Thank you for the patience, and congratulations on the merge @sethmlarson. 🎉