python2Packages.certifi: init at 2019.11.28

[dotlambda]

Motivation for this change

fixes #127423

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• 21.11 Release Notes
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

cc @tollb @NixOS/nixops-committers

[dotlambda]

To be honest, I don't like providing an outdated version of certifi for Python 2 because we shouldn't ship outdated security-related stuff. Maybe it's better not to fix this and mark NixOps 1.7 as broken.
Also, I will unsubscribe from this pull request. Any necessary modifications can be force-pushed to my branch by @NixOS/nixops-committers who should also merge this pull request if they think it's the best solution or create a new one otherwise.
This has been the very last time I put any work into fixing some Python 2 package required by NixOps!

[r-rmcgibbo]

Result of nixpkgs-review pr 127453 at 304839a9 run on x86_64-linux 1

11 packages marked as broken and skipped:

• gnuradio3_7
• gnuradio3_7Packages.ais
• gnuradio3_7Packages.gnuradio
• gnuradio3_7Packages.gsm
• gnuradio3_7Packages.limesdr
• gnuradio3_7Packages.nacl
• gnuradio3_7Packages.osmosdr
• gnuradio3_7Packages.rds
• natron
• ocropus
• rainbowstream

3 packages failed to build:

• graalvm8
• jvmci8
• opae

12 packages built successfully:

• bitbucket-cli
• buttersink
• cloudmonkey
• datadog-agent
• euca2ools
• fmbt
• git-fast-export
• mercurial_4
• mx
• nixops
• tsung
• zabbix-cli

Note that build failures may predate this PR, and could be nondeterministic or hardware dependent.
Please exercise your independent judgement. Does something look off? Please file an issue or reach out on IRC.

[mweinelt]

This poses a certain security risk, so I decided to set knownVulnerabilities.

[Ekleog]

Can anyone describe an actual threat model based on “shipping an outdated certificate store”? I can't think of any that would actually be a problem for normal users, and non-normal users already have much worse to worry about.

IMO adding knownVulnerabilities when there are no actually known vulnerabilities only makes people more used to working around it, especially for a package as advertised as nixops, and so is a net negative for the security of NixOS users.

Now, if there were some specific known vulnerability (eg. “this CA that was there in 2019 was removed after having issued malicious certificates that can still be used”), I would totally understand this item; but IMO as currently described this is lacking motivation and it'd be better to have no knownVulnerabilities than this one.

[zeri42]

easy. Some CA get's their private key stolen and now the thief can issue new certificates. Alternatively (way more common) the CA is seen to be not trustworthy due to weird behavior or bogus certificates issued by it. CAs that are not trustworthy or compromised might issue certificates that can be used to stage successful man-in-the-middle attacks. This impacts all tls secured communication that uses a certificate store that includes this CA (passwords/downloads/...). Unless you have support for OCSP, revocation is done via two ways:

1. certificate revocation lists (that are sparely used). In this case the issuing CA revokes the compromised CA and publishes a file that includes this information.
2. removing the CA from certificate stores like this one. The only way to handle compromised self-signed CA.
   Hence keeping the certificate store up to date is important.

For reference: https://sslmate.com/certspotter/failures

[aszlig]

Hm, what about re-using the bundle from the cacert package instead? This would not only solve this issue but also would consolidate the CA bundle to a single location. For example when writing integration tests involving Python software, one usually needs to not only override cacert but also python*Packages.certifi to inject testing certificates.

[tollb]

The approach suggested by @aszlig may also be applicable to the boto 2.49.0 package, as I believe it has an embedded cacert file that is even further out-of-date: https://raw.githubusercontent.com/boto/boto/2.49.0/boto/cacerts/cacerts.txt. I'm not certain when this embedded cacerts.txt is used by boto versus the one provided by python2Packages.certifi.

If someone can confirm that boto's embedded cacerts.txt is actually used (especially through nixops 1.7), we might want to add a knownVulnerabilities to the boto package as well -- for consistency with python2Packages.certifi. Or, provide updated certificates in both packages. I took a quick look at arch and debian to see if they had updated the certs in their boto 2.49.0 packages, and it doesn't seem that they have. So, maybe I am mistaken.

[Ekleog]

@zeri42 Thank you, your link confirms that as of today there is no known instance of a CA having an issue that would warrant the knownVulnerabilities toggle since the version of certifi that is being considered here, and so that reverting updates should not be a security vulnerability :) (though it is only one source, of course)

(And also, even if they were in most cases I'd keep my position: an attacker stealing the private key from a CA is not a reasonable threat model for a normal NixOS user, which is the reason why I wrote my first message)

This being said I'm going to step out of this discussion: I'm only focussed on “knownVulnerabilities here would be bad”; there are for sure much better things that could be done by improving stuff in various ways :)

[nlewo]

@dotlambda Note this would also fixes the python2Packages.requests library which depends on certifi.

[dpausp]

We could also use a recent version of certifi and disable the test for the contents() function. The function is broken but it didn't even exist on 2019.11.28. This wouldn't break existing Python 2.7 code where the new function has never worked. Ugly, but having newer certificates is better, I think.

[tomfitzhenry]

This will also fix buttersink failing to build: #128151.

[prusnak]

This will also fix gnuradio 3.7 shipped with nixos-21.05: #128620

[adisbladis]

@dotlambda I took the liberty of reworking this PR a bit.
We now use 2019.11.28 for building the package but inherit the cert bundle from the maintained python3-only version.

I think this is a decent solution with minimal maintenance.

[prusnak]

@adisbladis I wonder whether the package version of this hybrid should be 2019.11.28 (source code version as reported by __init__.py) or 2021.05.30 (the version of cacert.pem)

[dotlambda]

The version should be 2019.11.28 because the API has since been changed.

[adisbladis]

Alright, version set as 2019.11.28.

[clefru]

clefru@57e65ad has a commit that patches Python 2 support back into a recent certifi. Works for me so far (with nixops)

[adisbladis]

@clefru I thought about adopting a similar approach but opted against it because of the added maintenance burden.

I think for now I'll just merge this and if you think your approach is sufficiently better could you please create a separate PR?

[github-actions]

Successfully created backport PR #129374 for release-21.05.