Cert in /tmp in :latest
I notice that there was a certificate dropped within the '/tmp' directory which was recently introduced in the latest Python image. I was curious about the reasoning why the certificate should be there.
```console
% docker run --entrypoint=/bin/sh -it python:3.7.10
# ls /tmp
tmpqucdzhdp
# head /tmp/tmpqucdzhdp
# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
# Label: "GlobalSign Root CA"
# Serial: 4835703278459707669005204
# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a
# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c
# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
```
It comes from the pip install layer. We could delete it, but it seems like there is a bug in get-pip.py.
There's some interesting discussion in https://github.com/pypa/pip/pull/9689 that's very closely related, including https://github.com/pypa/pip/pull/9689#issuecomment-791653233 which sounds almost exactly like what we're seeing in get-pip.py. :weary:
I guess we probably need to file an issue in https://github.com/pypa/get-pip (since it doesn't happen when we use ensurepip and/or pip and happens consistently every time we run get-pip.py even when it doesn't do anything interesting):
```console
root@fc7265df7532:/# ls -l /tmp/
total 0
root@fc7265df7532:/# python get-pip.py --help &> /dev/null
root@fc7265df7532:/# ls -l /tmp/
total 260
-rw------- 1 root root 263774 Apr 30 18:43 tmpx26cz46mcacert.pem
root@fc7265df7532:/# python get-pip.py --help &> /dev/null
root@fc7265df7532:/# python get-pip.py --help &> /dev/null
root@fc7265df7532:/# ls -l /tmp/
total 780
-rw------- 1 root root 263774 Apr 30 18:44 tmp9g9ohe1ccacert.pem
-rw------- 1 root root 263774 Apr 30 18:43 tmpx26cz46mcacert.pem
-rw------- 1 root root 263774 Apr 30 18:44 tmpysopp3w_cacert.pem
```
Looks like this one is fixed in the meantime! :sweat_smile:
https://explore.ggcr.dev/?image=python:slim -> https://explore.ggcr.dev/?image=python@sha256:c127a8c4aca8a5d3ac3a333cbab4c082c7ddbd0891441cc4e30d88dc351f1ce5&mt=application%2Fvnd.docker.distribution.manifest.v2%2Bjson&size=1370 -> https://explore.ggcr.dev/layers/python@sha256:c127a8c4aca8a5d3ac3a333cbab4c082c7ddbd0891441cc4e30d88dc351f1ce5/ -> https://explore.ggcr.dev/layers/python@sha256:c127a8c4aca8a5d3ac3a333cbab4c082c7ddbd0891441cc4e30d88dc351f1ce5/tmp/
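The per-layer `/tmp` check from the last comment can also be run offline against `docker save` output. This is an added example, not code from the thread or from the pip or docker-library projects; it assumes the `manifest.json` layout written by `docker save`, and the sample image, its tag and its file names are constructed.

```python
import io
import json
import posixpath
import tarfile

SAMPLE_PEM = b"# constructed placeholder, not a real certificate\n"


def tmp_files_in_image(archive):
    """Map each layer of a `docker save` archive to its regular files under tmp/.

    Layers are checked one by one: a file deleted by a later layer is still
    shipped in the layer that created it.
    """
    findings = {}
    with tarfile.open(fileobj=archive, mode="r:*") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            blob = io.BytesIO(image.extractfile(layer_path).read())
            with tarfile.open(fileobj=blob, mode="r:*") as layer:
                hits = []
                for member in layer:
                    name = posixpath.normpath(member.name)
                    # ".wh.*" entries are deletion markers, not leftover files.
                    is_whiteout = posixpath.basename(name).startswith(".wh.")
                    if member.isfile() and name.startswith("tmp/") and not is_whiteout:
                        hits.append((name, member.size))
            if hits:
                findings[layer_path] = hits
    return findings


def _tar(files):
    """Build an in-memory tar from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def sample_image():
    """Constructed two-layer image: a base layer and a layer with a stray PEM."""
    layers = ["layer0/layer.tar", "layer1/layer.tar"]
    manifest = [{"Config": "config.json", "RepoTags": ["example:constructed"], "Layers": layers}]
    return _tar({"manifest.json": json.dumps(manifest).encode(),
                 layers[0]: _tar({"usr/local/bin/python3": b"\x7fELF"}).getvalue(),
                 layers[1]: _tar({"tmp/tmpEXAMPLEcacert.pem": SAMPLE_PEM}).getvalue()})
```

For a real image, pass `open("image.tar", "rb")` where `image.tar` was produced by `docker save`; an empty result means no layer ships regular files under `/tmp`.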