Task Todo List Use system CA store
We have a long-standing issue of having multiple vendored CA stores across various packages. This makes customizing CA store not possible for a subset of packages, the additional copies are often out-of-date, and it's inconsistent in general.
Some packages were made solely for providing another copy for a language ecosystem, for example python-certifi and perl-mozilla-ca, and some are vendoring the formers.
This draft TODO is collecting packages following this pattern and providing a possible clean solution:
- Make the language-specific CA store packages providing "/etc/ssl/certs/ca-certificates.crt" and depends on ca-certificates, possibly via making a symlink for maximum compatibility.
- Try to devendor packages containing them with a system copy, thus our alternative packages could be used instead.
- For not applicable packages (for example, vendoring CA store themselves without calling a third party provider), try to symlink or patch manually and make it depends on ca-certificates.
The list may not be complete. Some packages are also added to the list for manually patching out calls to certifi.where(), etc, which should not be needed anymore after step 1 above was done.
Filter Todo List Packages
| Arch | Repository | Name | Current Version | Staging Version | Maintainers | Status | Last Touched By |
|---|---|---|---|---|---|---|---|
| any | Extra | flyspray | Complete | arojas | |||
| x86_64 | Extra | gitlab | 17.11.2-1 | alerque | Incomplete | ||
| x86_64 | Extra | gnustep-base | 1.30.0-3 | Incomplete | |||
| any | Extra | jython | 2.7.4-2 | felixonmars | Incomplete | ||
| x86_64 | Extra | kodi | 21.2-10 | idevolder | Complete | idevolder | |
| x86_64 | Extra | metasploit | 6.4.62-1 | anthraxx, kpcyrd | Incomplete | ||
| any | Extra | mitmproxy | 12.0.1-1 | felixonmars, kpcyrd, grawlinson | Incomplete | ||
| x86_64 | Extra | opensips | 3.5.4-2 | spupykin | Complete | spupykin | |
| any | Extra | perl-lwp-protocol-https | 6.14-2 | felixonmars | Complete | felixonmars | |
| any | Extra | perl-mozilla-ca | 20250202-1 | grawlinson | Complete | felixonmars | |
| any | Extra | phpmyadmin | 5.2.2-1 | spupykin | Complete | spupykin | |
| any | Extra | python-aiogram | 3.20.0-1 | felixonmars, carsme | Complete | carsme | |
| any | Extra | python-botocore | 1.38.13-1 | carsme | Complete | yan12125 | |
| any | Extra | python-certifi | 2025.04.26-1 | felixonmars, dvzrv, carsme | Complete | dvzrv | |
| any | Extra | python-elasticsearch | 9.0.1-1 | carsme | Incomplete | carsme | |
| x86_64 | Extra | python-elasticsearch-curator | anthraxx | Complete | polyzen | ||
| any | Extra | python-google-auth | 2.38.0-1 | lfleischer | Incomplete | ||
| x86_64 | Extra | python-kivy | 2.3.0-3 | FFY00 | Incomplete | ||
| any | Extra | python-pip | 25.1.1-1 | dvzrv, gromit | Complete | dvzrv | |
| any | Extra | python-pipenv | 2025.0.2-1 | andrewSC, Foxboron | Complete | andrewSC | |
| any | Extra | python-requests | 2.32.3-4 | anthraxx, polyzen, grawlinson | Complete | polyzen | |
| any | Extra | python-virtualenv | 20.28.0-1 | grawlinson | Complete | grawlinson | |
| any | Extra | ruby-httpclient | 2.8.3-13 | bastelfreak | Incomplete | ||
| x86_64 | Extra | vagrant | Complete | Foxboron |