have to do certifi in tox.ini

by the time setup.py is being processed it is too late for certifi to help
2025-02-22 18:22:40 +00:00 · 2023-04-28 07:51:45 -04:00 · 2023-04-28 07:51:45 -04:00 · 70caa22370
commit 70caa22370
parent f6e4e862a9
2 changed files with 15 additions and 17 deletions
--- a/setup.py
+++ b/setup.py
@ -419,16 +419,6 @@ setup(name="tahoe-lafs", # also set in __init__.py
              "python-subunit==1.4.2",
              "junitxml==0.7",
              "coverage ~= 5.0",
-
-              # As an exception, we don't pin certifi because it contains CA
-              # certificates which necessarily change over time.  Pinning this
-              # is guaranteed to cause things to break eventually as old
-              # certificates expire and as new ones are used in the wild that
-              # aren't present in whatever version we pin.  Hopefully there
-              # won't be functionality regressions in new releases of this
-              # package that cause us the kind of suffering we're trying to
-              # avoid with the above pins.
-              "certifi",
          ],

          "test": [
--- a/tox.ini
+++ b/tox.ini
@ -23,14 +23,22 @@ minversion = 2.4

 [testenv]
 passenv = TAHOE_LAFS_* PIP_* SUBUNITREPORTER_* USERPROFILE HOMEDRIVE HOMEPATH
-# Get "certifi" to avoid bug #2913. Basically if a `setup_requires=...` causes
-# a package to be installed (with setuptools) then it'll fail on certain
-# platforms (travis's OX-X 10.12, Slackware 14.2) because PyPI's TLS
-# requirements (TLS >= 1.2) are incompatible with the old TLS clients
-# available to those systems.  Installing it ahead of time (with pip) avoids
-# this problem.
 deps =
-     .[testenv]
+    # We pull in certify *here* to avoid bug #2913. Basically if a
+    # `setup_requires=...` causes a package to be installed (with setuptools)
+    # then it'll fail on certain platforms (travis's OX-X 10.12, Slackware
+    # 14.2) because PyPI's TLS requirements (TLS >= 1.2) are incompatible with
+    # the old TLS clients available to those systems.  Installing it ahead of
+    # time (with pip) avoids this problem.
+    #
+    # We don't pin an exact version of it because it contains CA certificates
+    # which necessarily change over time.  Pinning this is guaranteed to cause
+    # things to break eventually as old certificates expire and as new ones
+    # are used in the wild that aren't present in whatever version we pin.
+    # Hopefully there won't be functionality regressions in new releases of
+    # this package that cause us the kind of suffering we're trying to avoid
+    # with the above pins.
+    certifi

 # We add usedevelop=False because testing against a true installation gives
 # more useful results.