mixpanel / mixpanel-python

Official Mixpanel Python library.
https://mixpanel.com/help/reference/python

Use requests rather than urllib3 #103

Closed. seizethedave closed this issue 3 years ago.

seizethedave commented 3 years ago

I have been doing some research around the cert verification topic, and I came to the following points:

  1. mixpanel-python should strive to work without certificate hassles as much as possible. It is used in a wide variety of environments/servers/personal computers/different Python versions/etc.
  2. I asked in the urllib3 Discord channel:
    i. whether I should begin to depend on urllib3[secure] rather than plain old urllib3. The answer was "no," as that extra option is being deprecated, and will do kinda "the wrong thing" with respect to pyOpenSSL.
    ii. whether I should apply this fix from requests to my project: https://github.com/psf/requests/pull/5443. The answer was "yes," that it would probably help.
    iii. whether I should explicitly depend on certifi. (Included in urllib3[secure], but we aren't using that.) The answer was "yes." It will remove a lot of variability in root certs in the wild. (And indeed make having a local cert store optional.)

The current recommendation is that on modern Python versions (2.7.9+/3.4+) you're better off using the builtin Python ssl module because there's native SNI support. So that means not installing the [secure] extra and not injecting pyOpenSSL on those versions. It's unfortunate that the old way of doing things was the default for a lot longer than it had to be and that the extra is named "secure", we're paying the distributed tech debt price by removing it as the default and trying to document this better. Let me know if you have more questions :) I think the approach in the PR you mentioned is a good one but might be even better to force users to at least install Python 2.7.9+. Versions before that are really really old and insecure.

So I began to add items ii and iii to mixpanel-python. But then I realized requests does both of those out of the box, and does a bunch of other sniffing around certifi/default certs/unzipping cert bundles/overriding certifi/etc. So to support point 1, I am just going to use requests.
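The trade-off discussed above (explicit certifi dependency versus whatever root store the host happens to have, and the verifying context that must be built on top of it) as an added illustration that is not part of the issue and not code from mixpanel-python, urllib3 or requests. It uses only the standard library plus an optional `certifi` import; the environment variable names `REQUESTS_CA_BUNDLE` and `CURL_CA_BUNDLE` are the overrides requests honours, while the precedence order between them and the helper names (`resolve_ca_bundle`, `make_verifying_context`, `context_settings`) are assumptions made for the example:

```python
# Added illustration for this thread (not mixpanel-python's, urllib3's or
# requests' code): pick a CA bundle the way a requests-style client does,
# then build a TLS client context that actually verifies against it.
# REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE are the overrides requests honours;
# the precedence shown and the helper names are assumptions.
import os
import ssl
from typing import Callable, Dict, Mapping, Optional

# Overrides checked first, in this order (assumed precedence).
_OVERRIDE_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")


def resolve_ca_bundle(environ: Optional[Mapping[str, str]] = None,
                      isfile: Callable[[str], bool] = os.path.isfile) -> Optional[str]:
    """Return the path of the CA bundle to trust, or None for the interpreter's default store.

    1. An explicit override from the environment wins; a dangling path is an
       error rather than a silent fall-through to some other store.
    2. Otherwise the certifi bundle, if certifi is installed, so that every
       deployment verifies against the same Mozilla root set.
    3. Otherwise None: fall back to ssl's default verify paths (the OS store),
       which vary from host to host.
    """
    env = os.environ if environ is None else environ
    for var in _OVERRIDE_VARS:
        path = env.get(var)
        if path:
            if not isfile(path):
                raise FileNotFoundError(f"{var}={path!r} does not exist")
            return path
    try:
        import certifi  # optional dependency
    except ImportError:
        return None
    return certifi.where()


def make_verifying_context(ca_bundle: Optional[str]) -> ssl.SSLContext:
    """Client context that requires a valid chain and a matching hostname.

    PROTOCOL_TLS_CLIENT already sets verify_mode=CERT_REQUIRED and
    check_hostname=True (Python 3.6+). A bundle path, when given, becomes the
    only set of trust anchors instead of being appended to the OS store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_bundle is not None:
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    """The setting people reach for to make "certificate hassles" go away.

    It disables both chain and hostname checks; shown only as the contrast case.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_settings(ctx: ssl.SSLContext) -> Dict[str, object]:
    """What a reviewer would check on a context before shipping it."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "trusted_roots": ctx.cert_store_stats()["x509_ca"],
        "sni": ssl.HAS_SNI,  # native SNI is why the stdlib ssl module is preferred
    }


if __name__ == "__main__":
    bundle = resolve_ca_bundle()
    print("CA bundle  :", bundle or "<interpreter default store>")
    print("verifying  :", context_settings(make_verifying_context(bundle)))
    print("unverified :", context_settings(make_unverified_context()))
```

Run it on two hosts and compare the `trusted_roots` count: with certifi installed it is the same everywhere, which is the variability the comment wants to remove; without it, the number is whatever the OS store contains. The `isfile` parameter exists only so the resolution order can be exercised without touching the filesystem.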