Closed
Description
https://github.com/pypa/setuptools/blob/master/setuptools/ssl_support.py#L245
This line fetches the install directory of certifi and extracts the file cacert.pem from it.
Although certifi labels itself as a trust root source, due to its commonness it is a good vector for injecting the OS-provided trust root for a huge number of Python packages at the same time. At SUSE, we patch the certifi.where() method to return the system trust root bundle and remove the installed trust root. That obviously cannot work when a package accesses the pem file directly.
It is also fragile: certifi could rename their pem bundle at any time, because it's not part of their API.
The line should be replaced with:
import certifi
return certifi.where()
I'll try to send a PR when I get to it.
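The point of the report is that the bundle's location is an API (certifi.where()), not a file layout, so that distributions can redirect it to the OS trust store. The following is an added example, not the issue author's code and not setuptools' or certifi's own code: it resolves the CA bundle through certifi.where() when certifi is importable, falls back to a few common system bundle locations (those paths are assumptions for illustration), verifies that whatever it found actually contains PEM certificate blocks, and builds a verifying SSL context from the result instead of ever relaxing verification. The `where` parameter is injectable so the fallback behaviour can be exercised without certifi installed.

```python
"""Locate a CA bundle via the certifi API instead of a hard-coded file name.

Added example, not code from setuptools or certifi. certifi.where() is the
real public API; the SYSTEM_BUNDLE_CANDIDATES paths are assumptions.
"""
import os
import ssl
import tempfile
from typing import Callable, Iterable, Optional

# Common OS trust bundle locations (assumed for illustration; adjust per distro).
SYSTEM_BUNDLE_CANDIDATES = (
    "/etc/ssl/ca-bundle.pem",               # SUSE
    "/etc/pki/tls/certs/ca-bundle.crt",     # RHEL / Fedora
    "/etc/ssl/certs/ca-certificates.crt",   # Debian / Ubuntu
)

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed stand-in for a bundle file; only the PEM framing matters here.
CONSTRUCTED_BUNDLE = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBPLACEHOLDERCONSTRUCTEDFORTHISEXAMPLEONLY\n"
    b"-----END CERTIFICATE-----\n"
)


def write_constructed_bundle() -> str:
    """Write the constructed bundle to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "wb") as fh:
        fh.write(CONSTRUCTED_BUNDLE)
    return path


def looks_like_pem_bundle(path: str) -> bool:
    """True if path is readable and contains at least one PEM certificate block."""
    try:
        with open(path, "rb") as fh:
            return PEM_HEADER in fh.read()
    except OSError:
        return False


def certifi_where() -> Optional[str]:
    """Ask certifi for its bundle through the public API; None if not installed.

    Distributions that patch certifi.where() to point at the system store are
    honoured automatically, which a hard-coded cacert.pem path would defeat.
    """
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


def find_ca_bundle(where: Callable[[], Optional[str]] = certifi_where,
                   candidates: Iterable[str] = SYSTEM_BUNDLE_CANDIDATES) -> Optional[str]:
    """Return the first usable CA bundle: certifi's answer first, then OS paths."""
    path = where()
    if path and looks_like_pem_bundle(path):
        return path
    for candidate in candidates:
        if looks_like_pem_bundle(candidate):
            return candidate
    return None


def make_ssl_context(cafile: Optional[str]) -> ssl.SSLContext:
    """Build a verifying client context.

    With no bundle found, fall back to Python's default store rather than
    turning verification off.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    bundle = find_ca_bundle()
    print("CA bundle:", bundle or "<python default store>")
    make_ssl_context(bundle)
```

When certifi is installed, `find_ca_bundle()` returns whatever `certifi.where()` says, which on a patched distribution is the system bundle; when it is not, the system candidates are tried in order, and a missing bundle degrades to Python's default store, never to `CERT_NONE`.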