Task Todo List Use system CA store
We have a long-standing issue of having multiple vendored CA stores across various packages. This makes customizing CA store not possible for a subset of packages, the additional copies are often out-of-date, and it's inconsistent in general.
Some packages were made solely for providing another copy for a language ecosystem, for example python-certifi and perl-mozilla-ca, and some are vendoring the formers.
This draft TODO is collecting packages following this pattern and providing a possible clean solution:
- Make the language-specific CA store packages providing "/etc/ssl/certs/ca-certificates.crt" and depends on ca-certificates, possibly via making a symlink for maximum compatibility.
- Try to devendor packages containing them with a system copy, thus our alternative packages could be used instead.
- For not applicable packages (for example, vendoring CA store themselves without calling a third party provider), try to symlink or patch manually and make it depends on ca-certificates.
The list may not be complete. Some packages are also added to the list for manually patching out calls to certifi.where(), etc, which should not be needed anymore after step 1 above was done.
Filter Todo List Packages
| Arch | Repository | Name | Current Version | Staging Version | Maintainers | Status | Last Touched By |
|---|---|---|---|---|---|---|---|
| any | Extra | flyspray | Complete | arojas | |||
| x86_64 | Extra | gitlab | 16.11.0-1 | alerque | Incomplete | ||
| x86_64 | Extra | gnustep-base | 1.29.0-3 | Incomplete | |||
| any | Extra | jython | 2.7.3-2 | 2.7.3-3 | felixonmars | Incomplete | |
| x86_64 | Extra | kodi | 21.0-1 | 21.0-3 | idevolder | Complete | idevolder |
| x86_64 | Extra | metasploit | 6.4.2-1 | anthraxx, kpcyrd | Incomplete | ||
| any | Extra | mitmproxy | 10.2.4-1 | 10.2.4-2 | felixonmars, FFY00, kpcyrd | Incomplete | |
| x86_64 | Extra | opensips | 3.4.2-1 | spupykin | Incomplete | ||
| any | Extra | perl-lwp-protocol-https | 6.11-1 | felixonmars | Complete | felixonmars | |
| any | Extra | perl-mozilla-ca | 20231213-1 | Complete | felixonmars | ||
| any | Extra | phpmyadmin | 5.2.1-1 | spupykin | Incomplete | ||
| any | Extra | python-aiogram | 2.22.2-3 | 2.22.2-4 | felixonmars | Incomplete | |
| any | Extra | python-botocore | 1.34.34-1 | 1.34.34-2 | yan12125 | Complete | yan12125 |
| any | Extra | python-certifi | 2024.02.02-1 | 2024.02.02-2 | felixonmars, dvzrv | Complete | dvzrv |
| any | Extra | python-elasticsearch | 7.9.0-5 | 7.9.0-6 | Incomplete | ||
| x86_64 | Extra | python-elasticsearch-curator | anthraxx | Complete | polyzen | ||
| any | Extra | python-google-auth | 2.29.0-1 | 2.29.0-2 | lfleischer | Incomplete | |
| x86_64 | Extra | python-kivy | 2.2.1-1 | 2.2.1-2 | FFY00 | Incomplete | |
| any | Extra | python-pip | 24.0-1 | 24.0-2 | dvzrv | Complete | dvzrv |
| any | Extra | python-pipenv | 2023.12.1-1 | 2023.12.1-2 | andrewSC, Foxboron | Complete | andrewSC |
| any | Extra | python-requests | 2.31.0-1 | 2.31.0-3 | anthraxx, polyzen | Complete | polyzen |
| any | Extra | python-virtualenv | 20.25.0-1 | 20.25.0-2 | grawlinson | Complete | grawlinson |
| any | Extra | ruby-httpclient | 2.8.3-9 | bastelfreak | Incomplete | ||
| x86_64 | Extra | vagrant | 2.4.1-1 | jsteel | Incomplete |