Task Todo List Use system CA store
We have a long-standing issue of having multiple vendored CA stores across various packages. This makes customizing CA store not possible for a subset of packages, the additional copies are often out-of-date, and it's inconsistent in general.
Some packages were made solely for providing another copy for a language ecosystem, for example python-certifi and perl-mozilla-ca, and some are vendoring the formers.
This draft TODO is collecting packages following this pattern and providing a possible clean solution:
- Make the language-specific CA store packages providing "/etc/ssl/certs/ca-certificates.crt" and depends on ca-certificates, possibly via making a symlink for maximum compatibility.
- Try to devendor packages containing them with a system copy, thus our alternative packages could be used instead.
- For not applicable packages (for example, vendoring CA store themselves without calling a third party provider), try to symlink or patch manually and make it depends on ca-certificates.
The list may not be complete. Some packages are also added to the list for manually patching out calls to certifi.where(), etc, which should not be needed anymore after step 1 above was done.
Filter Todo List Packages
| Arch | Repository | Name | Current Version | Staging Version | Maintainers | Status | Last Touched By |
|---|---|---|---|---|---|---|---|
| any | Community | flyspray | 1.0rc10-2 | Complete | dvzrv | ||
| x86_64 | Community | gitlab | 15.8.3-1 | anatolik | Incomplete | ||
| x86_64 | Community | gnustep-base | 1.29.0-1 | Incomplete | dvzrv | ||
| any | Community | jython | 2.7.3-1 | felixonmars | Incomplete | ||
| x86_64 | Community | kodi | 20.1-2 | idevolder | Incomplete | ||
| x86_64 | Community | metasploit | 6.3.2-1 | anthraxx, kpcyrd | Incomplete | ||
| any | Community | mitmproxy | 9.0.1-1 | felixonmars, FFY00, kpcyrd | Complete | felixonmars | |
| x86_64 | Community | opensips | 3.3.3-1 | spupykin | Incomplete | ||
| any | Extra | perl-lwp-protocol-https | 6.10-4 | felixonmars | Complete | felixonmars | |
| any | Extra | perl-mozilla-ca | 20221114-1 | Complete | felixonmars | ||
| any | Community | phpmyadmin | 5.2.1-1 | spupykin | Incomplete | ||
| any | Community | python-aiogram | 2.22.2-1 | felixonmars | Complete | felixonmars | |
| any | Community | python-botocore | 1.29.89-1 | yan12125 | Complete | yan12125 | |
| any | Community | python-certifi | 2022.12.07-1 | felixonmars, dvzrv | Complete | felixonmars | |
| any | Community | python-dephell | Complete | yan12125 | |||
| any | Community | python-elasticsearch | 7.9.0-1 | Complete | felixonmars | ||
| x86_64 | Community | python-elasticsearch-curator | 5.7.6-9 | anthraxx | Incomplete | ||
| any | Community | python-google-auth | 2.16.1-1 | felixonmars | Incomplete | ||
| x86_64 | Community | python-kivy | 2.1.0-1 | FFY00 | Incomplete | ||
| any | Extra | python-pip | 23.0.1-1 | dvzrv | Complete | dvzrv | |
| any | Community | python-pipenv | 2023.3.20-1 | andrewSC, Foxboron | Complete | Foxboron | |
| any | Community | python-raven | Complete | yan12125 | |||
| any | Extra | python-requests | 2.28.2-1 | anthraxx | Incomplete | ||
| any | Extra | python-virtualenv | 20.17.1-1 | felixonmars | Incomplete | ||
| any | Community | ruby-httpclient | 2.8.3-9 | bastelfreak | Incomplete | ||
| x86_64 | Community | vagrant | 2.3.4-1 | jsteel | Incomplete |