https://bugzilla.novell.com/show_bug.cgi?id=761501
https://bugzilla.novell.com/show_bug.cgi?id=761501#c23
--- Comment #23 from Ludwig Nussel
> This doesn't matter one way or the other. The real problem is that certificate validation is *turned off by default* - the cert_reqs argument is set to ssl.CERT_NONE. Unless explicitly set to CERT_REQUIRED or CERT_OPTIONAL, the cert store is completely ignored - and if it is set, ca_certs must also be set to a correct path.
> IOW, literally no packages are affected in any way by whether we load the default cert store. Either they are insecure, and will continue to be insecure, or they are already supplying their own cert bundles.
Correct. We're trying to address the latter for a start.
> Only thing we can do for the insecure packages is change the default value of cert_reqs argument, and only _then_ load the default cert store automatically. But that is a bad idea because it is in direct contradiction with the official docs. I mean, yes, this default is a bad default, but that doesn't mean we're in any position to change this unilaterally.
Yes we are. It's free software after all. I'd be happy with getting rid of hardcoding the ca path everywhere as first step though :-)
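The two package categories discussed in this thread can be told apart statically. The following is an added example, not code from the bug report or from any package it concerns: an AST check that flags call sites which leave validation off or request it without trust anchors. It assumes the call in question is the legacy `ssl.wrap_socket` function (the thread names only its `cert_reqs` and `ca_certs` arguments), inspects keyword arguments only, and runs over constructed sample source.

```python
import ast

# Constructed sample source: four call sites of the legacy ssl.wrap_socket API.
# The bundle path is a placeholder, not a real location.
SAMPLE = '''
import ssl, socket
a = ssl.wrap_socket(socket.socket())
b = ssl.wrap_socket(socket.socket(), cert_reqs=ssl.CERT_REQUIRED)
c = ssl.wrap_socket(socket.socket(), cert_reqs=ssl.CERT_REQUIRED,
                    ca_certs="/path/to/bundle.pem")
d = ssl.wrap_socket(socket.socket(), cert_reqs=ssl.CERT_NONE)
'''


def _name(node):
    """Return the trailing identifier of a Name/Attribute node, else None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def audit(source):
    """Return sorted (lineno, finding) pairs for wrap_socket calls that skip validation.

    Limitation: arguments passed positionally are not inspected.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _name(node.func) == "wrap_socket"):
            continue
        kw = {k.arg: k.value for k in node.keywords if k.arg}
        if "cert_reqs" not in kw:
            # No argument given: the default applies and the cert store is ignored.
            findings.append((node.lineno, "cert_reqs omitted, defaults to CERT_NONE"))
        elif _name(kw["cert_reqs"]) == "CERT_NONE":
            findings.append((node.lineno, "cert_reqs explicitly CERT_NONE"))
        elif "ca_certs" not in kw:
            # Validation requested, but no bundle path supplied.
            findings.append((node.lineno, "cert_reqs set without ca_certs"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE):
        print("line %d: %s" % (lineno, finding))
```

Call site `c` is the only one that passes; it is also the pattern that hardcodes a CA path in the calling package.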