#truststore+certifi by default?
We've received 18,000 downloads since last July, when I pushed people to try the new pip feature, and I haven't received any bug reports. There was a good amount of engagement on the "react to show things worked" issue, but not a ton. Hard to really tell the magnitude of people who have tried it out, but from chatting with folks it's been exclusively positive feedback.
I would say that the requirement of Python 3.10+ is a big roadblock for people. Why is it limited that way?
Unfortunately we don't get a choice there, we use private/undocumented APIs on SSLObject which were added in Python 3.10 for our secret sauce.
If you're interested I wrote about them here: https://sethmlarson.dev/blog/experimental-python-3.10-apis-and-trust-stores
Shame... I would say that library authors will start switching to it in about 2 years, when the lowest maintained Python will be 3.9...
hehe, don't you mean 3 years? 3.9 runs out of security fixes in 2y10m
Using truststore w/ certifi loaded is in theory purely additive too, so it's not really a change. Just newer Python versions will get a better experience (more incentive to upgrade?)
Yeah, but once 3.8 is "dead" and 3.9 is the only one without the ssl changes needed for truststore, it will make sense for people to migrate to `if sys_version...` hackery.
The "upgrade your Python and use truststore" advice is already part of the pip troubleshooting guide; it's just not automatically used when it is available, it's enabled through --use-feature=truststore. Changing it to be the default on 3.10+ would make that experience automatic.
I am reading through the docs now. Could you confirm that everywhere ssl.SSLContext is used, truststore.SSLContext is basically a drop-in replacement? I might try implementing this for Poetry as an experimental option for 3.10+ users...
Yeah that's pretty much the gist.
nice. I seem to have found a Christmas project for myself 😛
hehehe, tag me on the issue so I can follow along?
sure
I’m up for switching the default
Same -- I do wonder if there's any plans for requests to do a migration.
https://github.com/psf/requests/issues/2966 is the only issue that popped up when I searched for truststore.
I'm planning this for Hatch too. Seems there's no HTTPX example, so I'll open a PR with however I do it.
It's really easy with httpx; I have seen it suggested by Tom in one of the discussions recently.
here
That'd be nice if there was a built-in option.
You mean built into httpx?
Thanks @oblique sky and @slender remnant for the ++. Am I cool to create a patch then that changes it to be used by default? Happy to create a discussion issue first if needed.
Yeah go ahead. I think we’ll need some mechanism for the user to switch back if necessary, but that can be discussed in the PR
Yeah, use the feature flags mechanism for that.