Bump relenv to 0.22.14 (3006.x) by dwoz · Pull Request #69413 · saltstack/salt

dwoz · 2026-06-11T03:27:47Z

Summary

Bumps relenv 0.22.11 → 0.22.14 on 3006.x.
0.22.12: sqlite 3.53.2.0
0.22.13: openssl 3.5.7
0.22.14: python 3.13.14 / 3.14.6 (not used by 3006.x — kept for completeness)

Test plan

CI green on this PR
Onedir builds succeed with relenv 0.22.14

OpenSSL 3.5.x (shipped by relenv 0.22.13+) rejects ASN.1-malformed certs in the Windows root store. CPython's _load_windows_store_certs feeds the whole store to load_verify_locations(cadata=...) as one blob, so a single bad cert aborts the load and any import of salt.ext.tornado.netutil raises SSLError, which in turn breaks 'import salt.config' on Windows. Pin the module-level default contexts to certifi on Windows to bypass the OS store until relenv ships a cpython with the upstream fix.

Workaround 3a (in salt.ext.tornado.netutil) only fixed the import-time SSLContext, but third-party libs in the onedir (aiohttp.connector, etc.) call ssl.create_default_context() themselves and trip the same ASN1 NOT_ENOUGH_DATA load_verify_locations(cadata=blob) failure under OpenSSL 3.5.x. Replace ssl.SSLContext._load_windows_store_certs at salt import time with the iter-and-skip variant proposed upstream. Effective for every caller in the salt process - first- and third-party - as long as 'import salt' runs first, which it does for every salt entry point. Remove once relenv ships a cpython with the upstream fix.

The previous monkey-patch closed over _ssl, then del'd it at the end of the if block. Closures resolve at call time, so the first call to _salt_safe_load_windows_store_certs raised NameError instead of silently skipping a malformed cert. Capture ssl.SSLError as a default argument so the function stays self-contained after _ssl is deleted.

Bump relenv to 0.22.14

fc5d058

dwoz requested a review from a team as a code owner June 11, 2026 03:27

dwoz had a problem deploying to ci June 11, 2026 03:27 — with GitHub Actions Error

dwoz added the test:full Run the full test suite label Jun 11, 2026

dwoz temporarily deployed to ci June 11, 2026 03:27 — with GitHub Actions Inactive

dwoz added this to the Sulphur v3006.26 milestone Jun 11, 2026

dwoz temporarily deployed to ci June 11, 2026 03:40 — with GitHub Actions Inactive

dwoz temporarily deployed to ci June 11, 2026 04:06 — with GitHub Actions Inactive

dwoz temporarily deployed to ci June 11, 2026 05:43 — with GitHub Actions Inactive

dwoz temporarily deployed to ci June 11, 2026 05:56 — with GitHub Actions Inactive

dwoz temporarily deployed to ci June 11, 2026 06:19 — with GitHub Actions Inactive

dwoz temporarily deployed to ci June 11, 2026 06:53 — with GitHub Actions Inactive

dwoz temporarily deployed to ci June 11, 2026 07:05 — with GitHub Actions Inactive

dwoz temporarily deployed to ci June 11, 2026 07:31 — with GitHub Actions Inactive

dwoz temporarily deployed to ci June 11, 2026 21:45 — with GitHub Actions Inactive

dwoz temporarily deployed to ci June 11, 2026 21:58 — with GitHub Actions Inactive

dwoz temporarily deployed to ci June 11, 2026 22:12 — with GitHub Actions Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump relenv to 0.22.14 (3006.x)#69413

Bump relenv to 0.22.14 (3006.x)#69413
dwoz wants to merge 4 commits into
saltstack:3006.xfrom
dwoz:relenv-3006

dwoz commented Jun 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dwoz commented Jun 11, 2026

Summary

Test plan

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant