Task Todo List Use system CA store
We have a long-standing issue of multiple vendored CA stores being shipped across various packages. This makes it impossible to customize the CA store for a subset of packages, the additional copies are often out of date, and the situation is inconsistent in general.
Some packages exist solely to provide another copy for a language ecosystem, for example python-certifi and perl-mozilla-ca, and some other packages vendor those in turn.
This draft TODO collects packages that follow this pattern and proposes a possible clean solution:
- Make the language-specific CA store packages provide "/etc/ssl/certs/ca-certificates.crt" and depend on ca-certificates, possibly via a symlink for maximum compatibility.
- Try to devendor the packages that contain them in favor of the system copy, so that our alternative packages can be used instead.
- For packages where this is not applicable (for example, those vendoring a CA store themselves without calling a third-party provider), try to symlink or patch manually and make the package depend on ca-certificates.
The list may not be complete. Some packages are also on the list because they manually patch out calls to certifi.where() and the like, which should no longer be needed once step 1 above is done.
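A packaging-side check for the pattern described above, as an added example that is not part of the original todo. The function name `audit_ca_bundles`, its status labels and the two bundle file names it searches for are assumptions for illustration; the default system path is the one named in the list.

```shell
#!/bin/sh
# Added example: flag vendored CA bundles in an unpacked package tree.
# Assumptions: the bundle file names searched for, and a `readlink -f`
# that canonicalizes paths (GNU coreutils or busybox).

audit_ca_bundles() (
    root=$1
    system_bundle=${2:-/etc/ssl/certs/ca-certificates.crt}
    sys_real=$(readlink -f "$system_bundle")
    findings=0
    list=$(find "$root" \( -type f -o -type l \) \
        \( -name 'cacert.pem' -o -name 'ca-bundle.crt' \) -print | sort)

    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ -L "$path" ]; then
            # A symlink is acceptable only if it resolves to the system bundle.
            if [ "$(readlink -f "$path")" = "$sys_real" ]; then
                printf 'LINKED\t-\t%s\n' "$path"
                continue
            fi
            status=FOREIGN_LINK certs=-
        else
            # Regular file: count PEM certificates, skip files holding none.
            certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" 2>/dev/null || true)
            [ "$certs" -gt 0 ] || continue
            # A byte-identical copy still drifts once ca-certificates updates.
            if cmp -s "$path" "$sys_real"; then status=COPY; else status=VENDORED; fi
        fi
        printf '%s\t%s\t%s\n' "$status" "$certs" "$path"
        findings=$((findings + 1))
    done <<EOF
$list
EOF

    # Non-zero exit lets a packaging check fail on any finding.
    [ "$findings" -eq 0 ]
)

if [ "$#" -gt 0 ]; then audit_ca_bundles "$@"; fi
```

Run it against an unpacked package directory; each output line is status, certificate count and path, separated by tabs.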
Arch | Repository | Name | Current Version | Staging Version | Maintainers | Status | Last Touched By |
---|---|---|---|---|---|---|---|
any | Extra | flyspray | 1.0rc10-2 | | | Incomplete | |
x86_64 | Extra | gitlab | 16.1.4-1 | | anatolik, alerque | Incomplete | |
x86_64 | Extra | gnustep-base | 1.29.0-2 | | | Incomplete | |
any | Extra | jython | 2.7.3-2 | | felixonmars | Incomplete | |
x86_64 | Extra | kodi | 20.2-3 | | idevolder | Complete | idevolder |
x86_64 | Extra | metasploit | 6.3.27-1 | | anthraxx, kpcyrd | Incomplete | |
any | Extra | mitmproxy | 10.1.1-1 | | felixonmars, FFY00, kpcyrd | Incomplete | |
x86_64 | Extra | opensips | 3.3.5-1 | | spupykin | Incomplete | |
any | Extra | perl-lwp-protocol-https | 6.10-5 | | felixonmars | Complete | felixonmars |
any | Extra | perl-mozilla-ca | 20230821-1 | | | Complete | felixonmars |
any | Extra | phpmyadmin | 5.2.1-1 | | spupykin | Incomplete | |
any | Extra | python-aiogram | 2.22.2-2 | | felixonmars | Incomplete | |
any | Extra | python-botocore | 1.31.25-1 | | yan12125 | Complete | yan12125 |
any | Extra | python-certifi | 2023.07.22-1 | | felixonmars, dvzrv | Complete | dvzrv |
any | Extra | python-elasticsearch | 7.9.0-3 | | | Incomplete | |
x86_64 | Extra | python-elasticsearch-curator | 5.7.6-10 | | anthraxx | Incomplete | |
any | Extra | python-google-auth | 2.19.0-1 | | felixonmars | Incomplete | |
x86_64 | Extra | python-kivy | 2.2.1-1 | | FFY00 | Incomplete | |
any | Extra | python-pip | 23.2.1-1 | | dvzrv | Complete | dvzrv |
any | Extra | python-pipenv | 2023.9.8-1 | | andrewSC, Foxboron | Complete | andrewSC |
any | Extra | python-requests | 2.28.2-4 | | anthraxx | Incomplete | |
any | Extra | python-virtualenv | 20.24.5-1 | | grawlinson | Complete | grawlinson |
any | Extra | ruby-httpclient | 2.8.3-9 | | bastelfreak | Incomplete | |
x86_64 | Extra | vagrant | 2.3.7-1 | | jsteel | Incomplete | |