[Bug 1879310] Re: python package does not depend on ca-certificates

Timo Aaltonen tjaalton at ubuntu.com
Mon May 18 12:31:05 UTC 2020


** Also affects: python3.6 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: python3.8 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: python3.6 (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: python3.8 (Ubuntu Focal)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python3.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1879310

Title:
  python package does not depend on ca-certificates

Status in python3.6 package in Ubuntu:
  New
Status in python3.8 package in Ubuntu:
  New
Status in python3.6 source package in Bionic:
  New
Status in python3.8 source package in Bionic:
  New
Status in python3.6 source package in Focal:
  New
Status in python3.8 source package in Focal:
  New

Bug description:
  (Affects all Python versions)

  Python has no dependency on ca-certificates. Installing Python on a
  minimal Debian or Ubuntu container image does not pull in
  ca-certificates. This results in certificate validation issues as no
  trust anchors are available. Python's ssl module and
  ssl.create_default_context() depend on default root CA packages being
  available.

  Since Python 2.7.9 and 3.4.0 the ssl module encourages developers to
  use ssl.create_default_context() to create a working and securely
  configured SSL context object. The implementation assumes that the
  platform has a correctly configured OpenSSL libssl that can load the
  default trust anchors (root CA certificates) with
  SSL_CTX_set_default_verify_paths().

  Reproducer:

  # docker run -ti ubuntu:bionic /bin/bash
  # apt-get update
  # apt-get install -y python3

  # ls -la /etc/ssl/certs/ca-certificates.crt
  ls: cannot access '/etc/ssl/certs/ca-certificates.crt': No such file or directory
  # dpkg -l ca-certificates
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name            Version      Architecture Description
  +++-===============-============-============-=================================
  un  ca-certificates <none>       <none>       (no description available)

  # python3 -c 'from urllib.request import urlopen; urlopen("https://www.python.org")'
  Traceback (most recent call last):
  ...
  urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
  # echo $?
  1

  # apt-get install -y ca-certificates
  # python3 -c 'from urllib.request import urlopen; urlopen("https://www.python.org")'
  root@seneca:/# echo $?
  0

  
  Proposed solution:
  Either all Python interpreter packages or libssl should pull in ca-certificates.

  I have reported the bug on Debian's bug tracker as well,
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960869

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3.6/+bug/1879310/+subscriptions
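
A pre-flight check for the condition described in this report, as an added example that is not part of the original bug report or of any Ubuntu package: it inspects the locations that ssl.create_default_context() loads trust anchors from and reports whether any certificates are actually there. The names TrustReport, inspect_trust_store and inspect_default_trust_store are hypothetical, and the check assumes an OpenSSL file/directory trust store as used on Debian and Ubuntu.

```python
import os
import re
import ssl
from typing import NamedTuple, Optional

# OpenSSL resolves capath entries lazily by subject-hash file name, e.g. "2e5ac55d.0".
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


class TrustReport(NamedTuple):
    cafile: Optional[str]
    capath: Optional[str]
    cafile_certs: int      # PEM certificates found in the bundle file
    capath_entries: int    # hash-named entries OpenSSL could look up on demand

    @property
    def has_trust_anchors(self) -> bool:
        return self.cafile_certs > 0 or self.capath_entries > 0


def inspect_trust_store(cafile: Optional[str], capath: Optional[str]) -> TrustReport:
    """Count usable trust anchors in a bundle file and a hashed directory."""
    cafile_certs = 0
    if cafile and os.path.isfile(cafile):
        with open(cafile, "rb") as fh:
            cafile_certs = fh.read().count(PEM_MARKER)
    capath_entries = 0
    if capath and os.path.isdir(capath):
        # The directory can exist and still hold no certificates.
        capath_entries = sum(1 for n in os.listdir(capath) if HASHED_NAME.match(n))
    return TrustReport(cafile, capath, cafile_certs, capath_entries)


def inspect_default_trust_store() -> TrustReport:
    """Inspect the locations ssl.create_default_context() will load from."""
    paths = ssl.get_default_verify_paths()
    # Fall back to the compiled-in OpenSSL locations when the resolved ones are None.
    return inspect_trust_store(paths.cafile or paths.openssl_cafile,
                               paths.capath or paths.openssl_capath)


if __name__ == "__main__":
    report = inspect_default_trust_store()
    print(report)
    raise SystemExit(0 if report.has_trust_anchors else 1)
```

Run as a script in an image build or container entrypoint, a non-zero exit status flags a missing trust store before the first HTTPS request fails with CERTIFICATE_VERIFY_FAILED.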


