Todo List: Use system CA store

June 27, 2022 - Felix Yan

We have a long-standing issue of multiple vendored CA stores across various packages. This makes it impossible to customize the CA store for a subset of packages, the additional copies are often out of date, and the situation is inconsistent in general.

Some packages exist solely to provide another copy for a language ecosystem, for example python-certifi and perl-mozilla-ca, and some other packages vendor those in turn.

This draft TODO collects packages following this pattern and proposes a possible clean solution:

- Make the language-specific CA store packages provide "/etc/ssl/certs/ca-certificates.crt" and depend on ca-certificates, possibly by making a symlink for maximum compatibility.
- Try to devendor packages containing them, replacing the vendored copy with a system copy, so that our alternative packages can be used instead.
- For packages where this is not applicable (for example, those vendoring a CA store themselves without calling a third-party provider), try to symlink or patch manually and make them depend on ca-certificates.

The list may not be complete. Some packages are also on the list for manually patching out calls to certifi.where(), etc., which should no longer be needed once step 1 above is done.
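One way to check the outcome of the steps above on an unpacked package tree, added here as an example and not part of the original todo list or of any Arch tooling: it reports every CA-bundle-like file as either a link to the system store or a vendored copy. The bundle file names, the 10-certificate threshold and the function names are assumptions, and the demo tree is constructed.

```python
import os
import tempfile

SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
# Assumption: file names commonly used for vendored bundles; extend as needed.
BUNDLE_NAMES = {"cacert.pem", "ca-bundle.crt", "ca-certificates.crt"}
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def audit_ca_bundles(root, system_bundle=SYSTEM_BUNDLE, min_certs=10):
    """Map bundle-like paths under root to 'system' (link) or 'vendored' (copy)."""
    target = os.path.realpath(system_bundle)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                # Devendored only if the link resolves to the system store.
                if os.path.realpath(path) == target:
                    findings[rel] = "system"
                elif name in BUNDLE_NAMES:
                    findings[rel] = "vendored"
                continue
            try:
                with open(path, "rb") as fh:
                    certs = fh.read().count(PEM_MARKER)
            except OSError:
                continue  # unreadable file: nothing to classify
            if certs >= min_certs or (name in BUNDLE_NAMES and certs > 0):
                findings[rel] = "vendored"
    return findings

def make_demo_tree(tmp):
    """Constructed sample: a fake system store, one linked and one copied bundle."""
    bundle = (PEM_MARKER + b"\n") * 12
    system = os.path.join(tmp, "etc", "ca-certificates.crt")
    for d in ("etc", "pkgs/fixed", "pkgs/stale"):
        os.makedirs(os.path.join(tmp, d))
    for path in (system, os.path.join(tmp, "pkgs/stale/cacert.pem")):
        with open(path, "wb") as fh:
            fh.write(bundle)
    os.symlink(system, os.path.join(tmp, "pkgs/fixed/cacert.pem"))
    return os.path.join(tmp, "pkgs"), system

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root, system = make_demo_tree(tmp)
        for rel, kind in sorted(audit_ca_bundles(root, system).items()):
            print(f"{kind:9} {rel}")
```

Both sides of the comparison go through `os.path.realpath`, so a link to "/etc/ssl/certs/ca-certificates.crt" still matches when that path is itself a symlink.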

24 packages displayed out of 24 total packages.
| Arch | Repository | Name | Current Version | Staging Version | Maintainers | Status | Last Touched By |
|---|---|---|---|---|---|---|---|
| any | Extra | flyspray | | | | Complete | arojas |
| x86_64 | Extra | gitlab | 17.7.0-1 | | alerque | Incomplete | |
| x86_64 | Extra | gnustep-base | 1.30.0-1 | | | Incomplete | |
| any | Extra | jython | 2.7.4-2 | | felixonmars | Incomplete | |
| x86_64 | Extra | kodi | 21.1-4 | | idevolder | Complete | idevolder |
| x86_64 | Extra | metasploit | 6.4.41-1 | | anthraxx, kpcyrd | Incomplete | |
| any | Extra | mitmproxy | 11.0.2-1 | | felixonmars, kpcyrd | Incomplete | |
| x86_64 | Extra | opensips | 3.4.2-1 | | spupykin | Complete | spupykin |
| any | Extra | perl-lwp-protocol-https | 6.14-2 | | felixonmars | Complete | felixonmars |
| any | Extra | perl-mozilla-ca | 20240924-1 | | | Complete | felixonmars |
| any | Extra | phpmyadmin | 5.2.1-2 | | spupykin | Complete | spupykin |
| any | Extra | python-aiogram | 3.16.0-1 | | felixonmars, carsme | Incomplete | |
| any | Extra | python-botocore | 1.35.36-2 | | yan12125 | Complete | yan12125 |
| any | Extra | python-certifi | 2024.12.14-1 | | felixonmars, dvzrv, carsme | Complete | dvzrv |
| any | Extra | python-elasticsearch | 8.17.0-1 | | carsme | Incomplete | carsme |
| x86_64 | Extra | python-elasticsearch-curator | | | anthraxx | Complete | polyzen |
| any | Extra | python-google-auth | 2.36.1-2 | | lfleischer | Incomplete | |
| x86_64 | Extra | python-kivy | 2.3.0-3 | | FFY00 | Incomplete | |
| any | Extra | python-pip | 24.3.1-2 | | dvzrv, gromit | Complete | dvzrv |
| any | Extra | python-pipenv | 2024.4.0-2 | | andrewSC, Foxboron | Complete | andrewSC |
| any | Extra | python-requests | 2.32.3-4 | | anthraxx, polyzen | Complete | polyzen |
| any | Extra | python-virtualenv | 20.27.1-4 | | grawlinson | Complete | grawlinson |
| any | Extra | ruby-httpclient | 2.8.3-11 | | bastelfreak | Incomplete | |
| x86_64 | Extra | vagrant | 2.4.3-1 | | Segaja | Incomplete | |