Task Todo List Use system CA store
We have a long-standing issue of having multiple vendored CA stores across various packages. This makes customizing CA store not possible for a subset of packages, the additional copies are often out-of-date, and it's inconsistent in general.
Some packages were made solely for providing another copy for a language ecosystem, for example python-certifi and perl-mozilla-ca, and some are vendoring the formers.
This draft TODO is collecting packages following this pattern and providing a possible clean solution:
- Make the language-specific CA store packages providing "/etc/ssl/certs/ca-certificates.crt" and depends on ca-certificates, possibly via making a symlink for maximum compatibility.
- Try to devendor packages containing them with a system copy, thus our alternative packages could be used instead.
- For not applicable packages (for example, vendoring CA store themselves without calling a third party provider), try to symlink or patch manually and make it depends on ca-certificates.
The list may not be complete. Some packages are also added to the list for manually patching out calls to certifi.where(), etc, which should not be needed anymore after step 1 above was done.
Filter Todo List Packages
| Arch | Repository | Name | Current Version | Staging Version | Maintainers | Status | Last Touched By |
|---|---|---|---|---|---|---|---|
| any | Extra | flyspray | Complete | arojas | |||
| x86_64 | Extra | gitlab | 17.6.1-1 | alerque | Incomplete | ||
| x86_64 | Extra | gnustep-base | 1.30.0-1 | Incomplete | |||
| any | Extra | jython | 2.7.3-3 | 2.7.3-4 | felixonmars | Incomplete | |
| x86_64 | Extra | kodi | 21.1-3 | 21.1-4 | idevolder | Complete | idevolder |
| x86_64 | Extra | metasploit | 6.4.36-1 | anthraxx, kpcyrd | Incomplete | ||
| any | Extra | mitmproxy | 11.0.0-1 | 11.0.0-2 | felixonmars, kpcyrd | Incomplete | |
| x86_64 | Extra | opensips | 3.4.2-1 | spupykin | Complete | spupykin | |
| any | Extra | perl-lwp-protocol-https | 6.14-2 | felixonmars | Complete | felixonmars | |
| any | Extra | perl-mozilla-ca | 20240924-1 | Complete | felixonmars | ||
| any | Extra | phpmyadmin | 5.2.1-2 | spupykin | Complete | spupykin | |
| any | Extra | python-aiogram | 3.15.0-1 | 3.15.0-2 | felixonmars, carsme | Incomplete | |
| any | Extra | python-botocore | 1.35.36-1 | 1.35.36-2 | yan12125 | Complete | yan12125 |
| any | Extra | python-certifi | 2024.08.30-1 | 2024.08.30-3 | felixonmars, dvzrv | Complete | dvzrv |
| any | Extra | python-elasticsearch | 8.16.0-1 | carsme | Incomplete | carsme | |
| x86_64 | Extra | python-elasticsearch-curator | anthraxx | Complete | polyzen | ||
| any | Extra | python-google-auth | 2.36.1-1 | 2.36.1-2 | lfleischer | Incomplete | |
| x86_64 | Extra | python-kivy | 2.3.0-1 | 2.3.0-3 | FFY00 | Incomplete | |
| any | Extra | python-pip | 24.3.1-1 | 24.3.1-2 | dvzrv | Complete | dvzrv |
| any | Extra | python-pipenv | 2024.4.0-1 | 2024.4.0-2 | andrewSC, Foxboron | Complete | andrewSC |
| any | Extra | python-requests | 2.32.3-1 | 2.32.3-4 | anthraxx, polyzen | Complete | polyzen |
| any | Extra | python-virtualenv | 20.27.1-2 | 20.27.1-4 | grawlinson | Complete | grawlinson |
| any | Extra | ruby-httpclient | 2.8.3-11 | bastelfreak | Incomplete | ||
| x86_64 | Extra | vagrant | 2.4.2-1 | Segaja | Incomplete |