While hacking on Anitya yesterday, an idea occurred to me that may help address the SSL/TLS cert bundling problem in a way that doesn't require patching of modules and hence can be made compatible with virtual environments.

Specifically, I had the idea of adding a new "--symlink <file-pattern>@<link-target>" option to pip, such that you could do things like:

    "pip install -r requirements.txt --symlink cacerts.txt@/etc/pki/tls/certs/ca-bundle.crt"

to replace any file called "cacerts.txt" in the packages being installed with a symlink to "/etc/pki/tls/certs/ca-bundle.crt" instead (cacerts.txt is the name httplib2 uses for its cert bundle).

Since we patch `python3-certifi` to use the system bundle, and running `certifi` as a script prints the location of the cert bundle it is using, that would mean you could do things like:

    sudo dnf install python3-certifi
    python -m pip install requests --symlink cacert.pem@`/usr/bin/python3 -m certifi`

and end up with an *unpatched* requests in the virtual environment that was nevertheless still using the system certificate store.

I filed that idea on the pip issue tracker at https://github.com/pypa/pip/issues/4197 but figured I should raise it here as well, as if something like this was added, then Fedora could be updated to use a standard symlink map when building RPMs, and the developer portal could be updated with suggested `pip.conf` settings to use the system cert bundle by default.

Cheers,
Nick.

--
Nick Coghlan   |   ncoghlan@gmail.com   |   Brisbane, Australia
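The file replacement the proposed `--symlink <file-pattern>@<link-target>` option would perform, as an added Python example that is neither pip's code nor part of the post: it walks a site-packages tree, swaps each file matching the pattern for a symlink to the system CA bundle (only when the file actually contains PEM certificates, so an unrelated file with the same name is left alone), and is safe to re-run. The names `link_cert_bundles`, `looks_like_bundle` and `demo`, and the sandbox tree `demo` builds, are assumptions made for this example.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def looks_like_bundle(path):
    """Skip files that hold no PEM certificates (same name, unrelated content)."""
    try:
        with open(path, "rb") as fh:
            return PEM_MARKER in fh.read(65536)
    except OSError:  # dangling symlink, unreadable file, ...
        return False

def link_cert_bundles(site_packages, file_pattern, link_target):
    """Replace each bundled CA file under site_packages whose basename matches
    file_pattern with a symlink to link_target. Returns the replaced paths."""
    target = Path(link_target).resolve()
    if not target.is_file():
        raise FileNotFoundError(f"system CA bundle not found: {target}")
    replaced = []
    for dirpath, _dirs, filenames in os.walk(site_packages):
        for name in fnmatch.filter(filenames, file_pattern):
            path = Path(dirpath) / name
            if path.is_symlink() and path.resolve() == target:
                continue  # already points at the system bundle (idempotent)
            if not looks_like_bundle(path):
                continue  # not a cert bundle, leave it untouched
            path.unlink()
            path.symlink_to(target)
            replaced.append(path)
    return replaced

def demo():
    """Constructed sandbox (assumption, not a real venv): a fake 'certifi' package
    with a PEM bundle plus an unrelated cacert.pem that must survive."""
    root = Path(tempfile.mkdtemp())
    site = root / "site-packages"
    pem = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
    (site / "certifi").mkdir(parents=True)
    (site / "certifi" / "cacert.pem").write_bytes(pem)
    (site / "other").mkdir()
    (site / "other" / "cacert.pem").write_bytes(b"just a text file\n")
    system = root / "ca-bundle.crt"  # stands in for the system CA bundle
    system.write_bytes(pem)
    first = link_cert_bundles(site, "cacert.pem", system)
    second = link_cert_bundles(site, "cacert.pem", system)  # second run: no-op
    return site, system, first, second
```

Against a real virtual environment, call `link_cert_bundles` with `sysconfig.get_paths()["purelib"]`, the pattern `cacert.pem`, and the bundle path that `python -m certifi` prints.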