Fix 82 2 #84
Fix 82 2 #84
Conversation
do not set certificates in build.sh because it has no effect on the installation
domste
requested review from
djsutherland,
jakirkham,
msarahan,
ocefpaf,
pelson and
scopatz
as code owners
|
Hi! This is the friendly automated conda-forge-linting service. I just wanted to let you know that I linted all conda-recipes in your PR ( I do have some suggestions for making it better though... For recipe:
Documentation on acceptable licenses can be found here. |
|
|
||
| git config --system http.sslVerify true | ||
| git config --system http.sslCAPath "${cert_file}" | ||
| git config --system http.sslCAInfo "${cert_file}" |
There was a problem hiding this comment.
This doesn't seem like the correct thing to do on the user's machine. Is there some global / system setting we can configure?
There was a problem hiding this comment.
Seems like you should rather patch git so that this becomes the http.sslCAInfo default if it isn't configured. I agree this is a bad thing to do. The git configuration is user-global, but git could be installed into multiple environments. The result is that the ~/.gitconfig would point to the cert files from whatever conda environment had git installed in it most recently. If that environment then gets deleted, or even if it isn't updated, the git from every other environment would still point to that location.
There was a problem hiding this comment.
I tried it with using different environments and the gitconfig seems to be env specific.
You can check this by running following command in an environment with git installed
(git-test) root@ubuntu:/usr/local/conda-bld/linux-64# git config --list --show-origin
file:/usr/local/envs/git-test/etc/gitconfig http.sslverify=true
file:/usr/local/envs/git-test/etc/gitconfig http.sslcapath=/usr/local/envs/git-test/ssl/cacert.pem
file:/usr/local/envs/git-test/etc/gitconfig http.sslcainfo=/usr/local/envs/git-test/ssl/cacert.pem
When I set the $REQUESTS_CA_BUNDLE var and install it in another environment an env-specific gitconfig is created, see below:
(git-test-custom-ca) root@ubuntu:/usr/local/conda-bld/linux-64# export REQUESTS_CA_BUNDLE=/root/my-custom-ca.pem
(git-test-custom-ca) root@ubuntu:/usr/local/conda-bld/linux-64# conda install git --use-local
(git-test-custom-ca) root@ubuntu:/usr/local/conda-bld/linux-64# git config --list --show-origin
file:/usr/local/envs/git-test-custom-ca/etc/gitconfig http.sslverify=true
file:/usr/local/envs/git-test-custom-ca/etc/gitconfig http.sslcapath=/root/my-custom-ca.pem
file:/usr/local/envs/git-test-custom-ca/etc/gitconfig http.sslcainfo=/root/my-custom-ca.pem
So the global user space should not be affected by this changes. Could you please verify to be on the save side?
One downside is that the variable $REQUESTS_CA_BUNDLE has to be defined before installation for changes to take effect.
There was a problem hiding this comment.
It really doesn't seem right to do this in post-link.sh
Checklist
conda-smithy(Use the phrase@conda-forge-admin, please rerenderin a comment in this PR for automated rerendering)Set the certificate path (#82 ) via post-link.sh script and removed the certificate logic in the build script, because it does not have any effect in the installation process (#83 ).