Make certifi optional/remove as dependency

Open medzin opened this issue 9 years ago • 4 comments

raven-go's dependency on gocertifi is really problematic in corporate networks (audits, sec teams, etc.) because it introduces root CAs that are not company-managed. Can this dependency be removed or made optional?

medzin avatar Dec 06 '16 09:12 medzin

Would it help if it were vendored instead?

mattrobenolt avatar Dec 06 '16 10:12 mattrobenolt

The problem is that raven-go by default uses its own root CAs provided by gocertifi, not the root CAs installed in the operating system and controlled by sec teams.

medzin avatar Dec 06 '16 10:12 medzin

I see. I can probably easily make this a configuration option to override or supply your own bundle. FWIW, we do this as well in raven-python. And for context, this was added for the exact opposite case, where there were no system roots.

mattrobenolt avatar Dec 06 '16 11:12 mattrobenolt

I think this is highly problematic, as @medzin already explained. As a workaround, it seems as if I can attach my own Transport though.

mattes avatar Aug 14 '18 18:08 mattes
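The trust-store concern in this thread, as an added example that is not part of the original issue or of raven-go: a standard-library HTTP client whose TLS trust is limited to a company-managed PEM bundle, checked against a local test server. The names `loadBundle`, `newHTTPClient`, `get` and `demo` are hypothetical, the test server's certificate is a constructed stand-in for a company-issued one, and wiring the client into raven-go's transport is not shown.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// loadBundle parses a company-managed PEM bundle and fails closed if it is empty.
func loadBundle(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("bundle contains no usable certificates")
	}
	return pool, nil
}

// newHTTPClient returns a client that verifies servers only against roots.
func newHTTPClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
}

// get performs one request and returns only the transport or TLS error, if any.
func get(url string, roots *x509.CertPool) error {
	resp, err := newHTTPClient(roots).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo returns the error seen with the company bundle and with a pool lacking its root.
func demo() (withBundle, withoutRoot error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler()) // constructed local fixture
	defer srv.Close()
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	pool, err := loadBundle(bundle)
	if err != nil {
		return err, err
	}
	return get(srv.URL, pool), get(srv.URL, x509.NewCertPool())
}

func main() { fmt.Println(demo()) }
```

Passing a nil pool to `newHTTPClient` makes crypto/tls fall back to the operating system's trust store instead of a bundle.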