[Bf-committers] Bundling Python `requests` module for 2.70

Tue Feb 18 10:43:07 CET 2014

It's not so much clear how to grab sources actually.

Home page mentions release 2.3.0, but there's no release archive on the
site and i don't really see tag in their repo.We could use latest master,
but that i feel a bit paranoid to do because wouldn't b able to test.

Any thoughts here?

On Tue, Feb 18, 2014 at 12:08 PM, Trouble Daemon <troubledaemon at gmail.com>wrote:

> Hey,
>
> I did a local pip install of the requests file to take a look at the
> cacert.pem file. It would appear that it is a copy of all the main
> certificate authorities for use with SSL, so it would be rather large.
>
> I was a little concerned to see other posts online (
> https://mail.python.org/pipermail/python-dev/2013-October/129755.html)
> that
> mentioned things like being slightly out of date, ignoring checks for
> revoked certs, and what not, so they seem a little on the slow on the
> update end of things.
>
> I can't (won't) verify the actual authenticity of all of those certs to
> prove that they aren't "fake" or anything, but probably minor since only
> HTTPS requests using this lib would be able to be MITM'd if there were some
> fakes in there (unless they found a way to install into your browser
> storage via another script since users generally have full access to their
> own browser settings, for example).
>
> Personally I wish they would set this up to point at the system maintained
> certs, but these paths vary too much on the OS's and would require root
> access. If you ask me, it is a can of worms to install CA files on to a
> users system as that is half of the attack (getting the file on someones
> computer, the second being to install it in the proper place and MITM a
> users connection). Wouldn't it be better to leave out and tell the user
> that if they want SSL, they should configure the library to point at the
> system wide certs instead?
>
>
> Dan
>
>
>
> On Mon, Feb 17, 2014 at 10:35 PM, Campbell Barton <ideasman42 at gmail.com
> >wrote:
>
> > This is coming a bit late in the release cycle, but I've been asked to
> > review an addon for Sketchfab, to see if we can include in 2.70.
> >
> > The addon its self is quite small and wont be enabled by default,
> > however its using a python module called `requests`.
> >
> > Most likely this can be used by other scripts too since its a popular
> > module.
> >
> > Bundling this isn't such a problem since this is pure python (just zip
> > it up and include in lib/ for OSX, MS-Windows, Linux can copy from
> > from Python's install dir).
> >
> > However this will take some work to update scons and cmake, and
> > testing it works.
> >
> > Theres the issue of incresed size, did a quick test and it bzip2's
> > down to 342kb,
> > Though much of the space is used by `cacert.pem`,  without that file its
> > 180kb
> >
> > I did a quick check and seems that file is optional since you can use
> > cacerts provided by the system instead (but not totally sure at the
> > point).
> >
> >
> > So I'm proposing to include the Python module,
> > I'll setup SCons and CMake for Linux and Windows and upload requests
> > archive to lib/, but will need someone else to handle OSX or at least
> > test it works ok.
> >
> >
> > To be clear, Blender wont execute anything extra by default on
> > startup, this just makes a Python module available for scripts to use
> > if they need, and increases Blender's download size.
> >
> > ---
> >
> > Extra info.
> >
> > Addon URL if anyones interested:
> > https://developer.blender.org/D321
> >
> > Requests website:
> > http://requests.readthedocs.org
> > --
> > - Campbell
> > _______________________________________________
> > Bf-committers mailing list
> > Bf-committers at blender.org
> > http://lists.blender.org/mailman/listinfo/bf-committers
> >
> _______________________________________________
> Bf-committers mailing list
> Bf-committers at blender.org
> http://lists.blender.org/mailman/listinfo/bf-committers
>

-- 
With best regards, Sergey Sharybin