Refactor: replace requests with urllib3
#1040
Comments
woodruffw
added
enhancement
|
linking to theupdateframework/python-tuf#2762 FYI (a related PR for python-tuf). One thing to note that already came up:
|
Yep, this is a "plus" IMO: the fact that PyPI is a CA bundle delivery mechanism (for |
This simplifies our dependency tree a bit, since requests is built on urllib3 internally. It also chips away at a larger plan to replace requests with urllib3 in sigstore-python, per sigstore/sigstore-python#1040. Signed-off-by: William Woodruff <[email protected]>
|
Yeah I definitely agree with your concerns -- what I'm not sure is how to combine the two views:
Basically, can we just switch to using system certificates for https without collateral damage? is there a way for downstream (applications/distributors/users) to change that or is that unnecessary (I remember requests had a REQUESTS_CA_BUNDLE hack)? I see Seth has a potential solution https://github.com/sethmlarson/truststore -- I suppose this means we could just use system certs and point people to truststore (and potentially use truststore in the sigstore-python CLI ourselves) |
Windows may have been a concern, but (IIRC) the original motivation for In practice, I think this problems have been mostly ameliorated: the Web PKI is in much better shape than it was a decade+ ago, and root program/OS providers tend to be much more stringent about security updates. With |
|
I think that sounds very reasonable. @sethmlarson if you have the time, would you mind commenting on this one?
|
urllib3has everything we need fromrequests(and is the library beneath it), including connection pooling. It's much more actively maintained and has a more consistent API, so we should switch to it.The text was updated successfully, but these errors were encountered: