[Bf-committers] Bundling Python `requests` module for 2.70

Trouble Daemon troubledaemon at gmail.com
Tue Feb 18 07:08:19 CET 2014


Hey,

I did a local pip install of the requests file to take a look at the
cacert.pem file. It would appear that it is a copy of all the main
certificate authorities for use with SSL, so it would be rather large.

I was a little concerned to see other posts online (
https://mail.python.org/pipermail/python-dev/2013-October/129755.html) that
mentioned things like being slightly out of date, ignoring checks for
revoked certs, and what not, so they seem a little on the slow side on the
update end of things.

I can't (won't) verify the actual authenticity of all of those certs to
prove that they aren't "fake" or anything, but probably minor since only
HTTPS requests using this lib would be able to be MITM'd if there were some
fakes in there (unless they found a way to install into your browser
storage via another script since users generally have full access to their
own browser settings, for example).

Personally I wish they would set this up to point at the system-maintained
certs, but these paths vary too much on the OS's and would require root
access. If you ask me, it is a can of worms to install CA files onto a
user's system as that is half of the attack (getting the file on someone's
computer, the second being to install it in the proper place and MITM a
user's connection). Wouldn't it be better to leave it out and tell the user
that if they want SSL, they should configure the library to point at the
system-wide certs instead?


Dan



On Mon, Feb 17, 2014 at 10:35 PM, Campbell Barton <ideasman42 at gmail.com> wrote:

> This is coming a bit late in the release cycle, but I've been asked to
> review an addon for Sketchfab, to see if we can include in 2.70.
>
> The addon itself is quite small and won't be enabled by default,
> however it's using a python module called `requests`.
>
> Most likely this can be used by other scripts too since it's a popular
> module.
>
> Bundling this isn't such a problem since this is pure python (just zip
> it up and include in lib/ for OSX, MS-Windows, Linux can copy
> from Python's install dir).
>
> However this will take some work to update scons and cmake, and
> testing it works.
>
> There's the issue of increased size, did a quick test and it bzip2's
> down to 342kb,
> Though much of the space is used by `cacert.pem`, without that file it's
> 180kb
>
> I did a quick check and seems that file is optional since you can use
> cacerts provided by the system instead (but not totally sure at the
> point).
>
>
> So I'm proposing to include the Python module,
> I'll set up SCons and CMake for Linux and Windows and upload requests
> archive to lib/, but will need someone else to handle OSX or at least
> test it works ok.
>
>
> To be clear, Blender won't execute anything extra by default on
> startup, this just makes a Python module available for scripts to use
> if they need, and increases Blender's download size.
>
> ---
>
> Extra info.
>
> Addon URL if anyone's interested:
> https://developer.blender.org/D321
>
> Requests website:
> http://requests.readthedocs.org
> --
> - Campbell
>
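
Added example (not part of the original thread, and not code from Blender or requests): one way to act on the concern above about not being able to vouch for every entry in a bundled cacert.pem is to diff the bundle against the operating system's trust store by SHA-256 fingerprint and review whatever only the bundle contains. The function names are hypothetical and the sample PEM blocks are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate block in a PEM bundle."""
    fps = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # strip line wraps
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def system_fingerprints():
    """Fingerprints of the CA certificates Python loads from the OS store.

    Caveat: certificates kept in a hashed capath directory are loaded on
    demand, so they do not appear here; on such systems, read the
    distribution's concatenated bundle file with pem_fingerprints() instead.
    """
    ctx = ssl.create_default_context()
    return {hashlib.sha256(der).hexdigest()
            for der in ctx.get_ca_certs(binary_form=True)}

def only_in_bundle(bundle_fps, trusted_fps):
    """Entries the bundled file trusts but the reference store does not."""
    return sorted(bundle_fps - trusted_fps)

def make_pem(der):
    """Wrap raw bytes in PEM armour (used only to build the sample data)."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + b64 +
            "\n-----END CERTIFICATE-----\n")

# Constructed sample data: placeholder bytes standing in for DER certificates.
SYSTEM = make_pem(b"constructed-root-A") + make_pem(b"constructed-root-B")
BUNDLED = ("# Label: constructed\n" + make_pem(b"constructed-root-A") +
           make_pem(b"constructed-root-X"))

if __name__ == "__main__":
    extra = only_in_bundle(pem_fingerprints(BUNDLED), pem_fingerprints(SYSTEM))
    print("only in bundled file:", extra)
    # Against a real install, replace BUNDLED with the text of the shipped
    # cacert.pem and compare with system_fingerprints().
    print("system CA certs loaded:", len(system_fingerprints()))
    print("default paths:", ssl.get_default_verify_paths())
```

Entries reported as bundle-only are not necessarily bad (the two stores are maintained on different schedules), but they are the ones to review before shipping the file.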

