Move certifi to an optional dependency
Describe the bug: …
https://github.com/elastic/apm-agent-python lists the license as BSD-3-Clause. However https://pypi.org/project/liccheck/ reports that it pulls in certifi which has an MPL license:

```
1 package.
certifi (2020.6.20): ['Mozilla Public License 2.0 (MPL 2.0)', 'MPL-2.0']
dependency:
certifi << elastic-apm
```

My understanding of the MPL is that it is a copy-left license, which means it should have to appear in the larger work’s license notification. If that’s the case, that’s also problematic for us since the agent has to be built into the source code, and we can’t have copy left licenses like GPL/LGPL in there.
To Reproduce
- create a requirements.txt file with nothing but `elastic-apm[flask]` in it
- create an authorized-licenses.ini file that allows MIT and BSD licenses:

```
[Licenses]
authorized_licenses:
    mit
    bsd
unauthorized_licenses:
[Authorized Packages]
```

- create a simple Dockerfile:

```
FROM amazonlinux:2018.03
RUN yum update -y && \
    yum install -y python27 python27-devel.x86_64 && \
    yum install -y wget && \
    wget https://bootstrap.pypa.io/get-pip.py && \
    python27 get-pip.py && \
    pip install liccheck && \
    pip install elastic-apm[flask]
COPY ./ ./
RUN liccheck -s authorized-licenses.ini -r requirements.txt -l Paranoid
```

- Run Docker build:

```
docker build .
```

Result:

```
gathering licenses...
5 packages and dependencies.
check authorized packages...
4 packages.
check unknown packages...
1 package.
certifi (2020.6.20): ['Mozilla Public License 2.0 (MPL 2.0)', 'MPL-2.0']
dependency:
certifi << elastic-apm
The command '/bin/sh -c liccheck -s authorized-licenses.ini -r requirements.txt -l Paranoid' returned a non-zero code: 255
```

Environment (please complete the following information)
- OS: Linux
- Python version: 2.7
- Framework and version [e.g. Django 2.1]: Flask
- APM Server version:
- Agent version:
Additional context
- requirements.txt: `elastic-apm[flask]`
Issue Analytics
- State:
- Created 3 years ago
- Comments:12 (6 by maintainers)
Top GitHub Comments
@gatos-cc our plan changed a bit, since we’ve since noticed that especially in Docker images based on Debian, the default certificate bundle is often not available.

So, instead of removing certifi altogether, we’ll make the import conditional, and set `ca_certs` to `None` (here) if the import fails. While `pip install elastic-apm` will still download certifi, you’ll be able to call `pip uninstall certifi` right after, and then the agent will fall back to the OS-bundled certificate store.

Yeah, if I could include it on `pip install elastic-apm` but remove it for `pip install elastic-apm[flast-no-certifi]` I would do that in a heartbeat. If you can find anything in setuptools to that effect I’d be happy to implement it.

Sorry for the inconvenience!
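
The conditional import described in the comments above, sketched as an added example (not the agent's own code and not written by anyone in this thread). It uses the standard-library `ssl` module rather than the agent's transport, and `resolve_ca_certs`, `os_store_usable`, `trust_source` and `build_context` are hypothetical names; the OS-store check covers the Debian-image case the maintainer mentions, where no default bundle is present.

```python
import importlib
import os
import ssl


def resolve_ca_certs(import_module=importlib.import_module):
    """Return certifi's bundle path, or None when certifi is not installed."""
    try:
        return import_module("certifi").where()
    except ImportError:
        return None  # caller falls back to the OS certificate store


def os_store_usable(paths=None):
    """True if OpenSSL's default CA file or a non-empty CA directory exists."""
    paths = paths or ssl.get_default_verify_paths()
    has_file = bool(paths.cafile) and os.path.isfile(paths.cafile)
    has_dir = (bool(paths.capath) and os.path.isdir(paths.capath)
               and bool(os.listdir(paths.capath)))
    return has_file or has_dir


def trust_source(ca_certs, paths=None):
    """Name the trust anchors a TLS client would end up with."""
    if ca_certs is not None:
        return "certifi"
    # "none" means verification stays on but every handshake will fail,
    # e.g. a slim image without the ca-certificates package.
    return "os-store" if os_store_usable(paths) else "none"


def build_context(ca_certs):
    """Verifying TLS context: explicit bundle if given, else OS defaults."""
    # cafile=None makes create_default_context() load the system store.
    return ssl.create_default_context(cafile=ca_certs)


if __name__ == "__main__":
    ca = resolve_ca_certs()
    print("trust source:", trust_source(ca))
    ctx = build_context(ca)
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
```

Checking `trust_source` at startup, after `pip uninstall certifi`, surfaces a missing OS bundle before the first connection fails certificate verification.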