Open nullSoup opened 7 months ago
... a formal Feature Request ...
It is possible you misunderstand how things get done in poetry. There is no committee evaluating feature requests and scheduling an army of developers to do work: things are implemented because someone who wants them shows up and implements them.
If that is you - be the change you want to see! - I expect a pull request would be welcome.
This is still on my todo list, it's just a matter of priorities and other things having to be done before this could happen. Also a reminder that truststore is only available on Python 3.10+, so that feature would cover only 60% of our supported Python versions (which lowers the priority of that feature on my list).
Appreciate the response. Had no intention to act entitled about feature requests. I would contribute a PR if I had the skills, but unfortunately I couldn’t even figure out how to properly dump the correct certificates from my Windows system certificate store to take advantage of the REQUESTS_CA_STORE environment variable workaround, so coding the feature correctly is probably not something it makes sense to take on personally. I’m just an ordinary fan of the poetry tool for managing my dependencies who got caught with hours of confusion when IT quietly added TLS inspection causing everything to mysteriously break.
It’s a good point about truststore requiring Python 3.10+. I don’t have a technical understanding of why the best fix adopted by pip is this extra Python 3.10+ truststore package. I just figured that since the --use-feature=truststore solution was deployed (and worked for me) in pip, it would make sense in poetry as well.
Perhaps better documenting the recommended workaround is a more feasible short-term goal? I can certainly write up the procedure to skip certificate verification for PyPI and files.pythonhosted.org. For the life of me, I cannot figure out how to dump all certificates on Windows to make the REQUESTS_CA_BUNDLE solution work, though this seems like the more correct approach.
Issue Kind
Brand new capability
Description
Poetry should have the option or default to pulling certificates from the system certificate store like pip now does with use-feature=truststore. Without this, Poetry is extremely difficult to use in corporate environments with IT systems where TLS inspection breaks the use of the default certificates.
This was already mentioned by @Secrus in https://github.com/orgs/python-poetry/discussions/8729 as in his plans, but I wanted to raise the idea’s profile by making a formal Feature Request after spending half a day struggling with the problem.
Impact
Adding this would make Poetry go from essentially broken behind corporate IT systems to just working for these users.
Workarounds
It is possible to deactivate certificate verification at the cost of an extra project setup step, nasty warnings, and confused users. Also theoretically, a manual cert file can be exported and referenced with the REQUESTS_CA_BUNDLE environment variable. Both solutions are costly and painful. Native Python ssl already defaults to using the system certificate store, and most users would benefit by having something that just works.
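For the REQUESTS_CA_BUNDLE workaround discussed in this thread, the following is an added example (not part of the original issue and not Poetry's code) that exports the Windows system certificate store to a PEM file with the standard library's Windows-only `ssl.enum_certificates()`. The function names and the default file name `corp-ca-bundle.pem` are hypothetical; it assumes the corporate TLS-inspection CA is installed in the Windows ROOT or CA store.

```python
import ssl
import sys
from pathlib import Path

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # EKU: TLS server authentication
WINDOWS_STORES = ("ROOT", "CA")  # trusted roots and intermediate CAs


def select_server_auth(entries):
    """Yield unique DER certificates usable for verifying TLS servers.

    entries: (cert_bytes, encoding_type, trust) tuples in the shape returned
    by ssl.enum_certificates(); trust is True (all purposes) or a set of OIDs.
    """
    seen = set()
    for cert_bytes, encoding, trust in entries:
        if encoding != "x509_asn":  # skip PKCS#7 blobs, keep plain X.509
            continue
        if trust is not True and SERVER_AUTH_OID not in trust:
            continue  # e.g. code-signing-only or e-mail-only certificates
        if cert_bytes in seen:  # the same cert can appear in both stores
            continue
        seen.add(cert_bytes)
        yield cert_bytes


def build_pem_bundle(entries):
    """Concatenate the selected certificates into one PEM bundle string."""
    return "".join(ssl.DER_cert_to_PEM_cert(der) for der in select_server_auth(entries))


def export_windows_store(path):
    """Write the bundle to path and return the number of certificates."""
    if sys.platform != "win32":
        raise OSError("ssl.enum_certificates() is only available on Windows")
    entries = []
    for store in WINDOWS_STORES:
        entries.extend(ssl.enum_certificates(store))
    bundle = build_pem_bundle(entries)
    Path(path).write_text(bundle, encoding="ascii")
    return bundle.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    # Hypothetical default output name; pass another path as argv[1].
    out = sys.argv[1] if len(sys.argv) > 1 else "corp-ca-bundle.pem"
    print(f"wrote {export_windows_store(out)} certificates to {out}")
```

Point REQUESTS_CA_BUNDLE at the written file, and re-export whenever IT rotates the inspection CA.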