In the Fedora's python-certifi package, we patch the logic to not use the bundled root certificate, but the system one instead: https://src.fedoraproject.org/rpms/python-certifi/blob/master/f/certifi-2018.10.15-use-system-cert.patch https://src.fedoraproject.org/rpms/python-certifi/blob/f27/f/python-certifi.spec#_71 (using f27 branch here to have a stable line number) python-pip bundles it's own certifi (and for multiple reasons we don't unbundle stuff from pip), pipenv bundles a patched version of pip. We should make sure to apply the same patch in both. certifi is a (rather insecure) hack for platforms that don't have a good central location for the root certificates, we should not be using their pem cerificate from pip or pipenv.
https://src.fedoraproject.org/rpms/python-pip/pull-request/21
What's the status of that?
The PR broke virtualenv. I've fixed it upstream. Needs backport. If you'd like to help, propose a Fedora python-virtualenv PR. Or I'll get to it tomorrow. Details in: https://src.fedoraproject.org/rpms/python-pip/pull-request/21 And https://github.com/pypa/virtualenv/pull/1252
https://src.fedoraproject.org/rpms/python-virtualenv/pull-request/7
https://src.fedoraproject.org/rpms/pipenv/pull-request/7