While hacking on Anitya yesterday, an idea occurred to me that may help address the SSL/TLS cert bundling problem in a way that doesn't require patching of modules and hence can be made compatible with virtual environments. Specifically, I had the idea of adding a new "--symlink <file-pattern>@<link-target>" option to pip, such that you could do things like: "pip install -r requirements.txt --symlink cacerts.txt@ /etc/pki/tls/certs/ca-bundle.crt" to replace any file called "cacerts.txt" in the packages being installed with a symlink to "/etc/pki/tls/certs/ca-bundle.crt" instead (cacerts.txt is the name httplib2 uses for its cert bundle). Since we patch `python3-certifi` to use the system bundle, and running `certifi` as a script prints the location of the cert bundle it is using, that would mean you could do things like: sudo dnf install python3-certifi python -m pip install requests --symlink cacert.pem@`/usr/bin/python3 -m certifi` and end up with an *unpatched* requests in the virtual environment that was nevertheless still using the system certificate store. I filed that idea on the pip issue tracker at https://github.com/pypa/pip/issues/4197 but figured I should raise it here as well, as if something like this was added, then Fedora could be updated to use a standard symlink map when building RPMs, and the developer portal could be updated with suggest `pip.conf` settings to use the system cert bundle by default. Cheers, Nick. -- Nick Coghlan | ncoghlan(a)gmail.com | Brisbane, Australia