Index: introduction/welcome/changelog.xml
===================================================================
--- introduction/welcome/changelog.xml (revision 5a8c6008bfb36c19551ab8b475981c3fb29e7926)
+++ introduction/welcome/changelog.xml (revision 012af225d4d14d6c4e896ab13b55ef9138e481c7)
@@ -40,4 +40,15 @@
-->
+ December 1st, 2022
+
+
+ [ken] - Add page explaining how to use the system CA
+ Certificates with the vendored Python pip installed in LFS. Fixes
+ #17354.
+
+
+
+
+
November 30th, 2022
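Review bot: The entry text "Add page explaining how to use the system CA Certificates" does not match the accompanying change, which adds a section titled "Using make-ca with Python3" to the existing postlfs/security/make-ca.xml rather than a new page. Suggest "Add a section to make-ca explaining ..." so that readers of the changelog look in the right place. "the vendored Python pip installed in LFS" would also read more clearly as "the pip3 vendored with Python3 in LFS", which matches the wording used in the new section.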
Index: postlfs/security/make-ca.xml
===================================================================
--- postlfs/security/make-ca.xml (revision 5a8c6008bfb36c19551ab8b475981c3fb29e7926)
+++ postlfs/security/make-ca.xml (revision 012af225d4d14d6c4e896ab13b55ef9138e481c7)
@@ -275,4 +275,67 @@
+
+ Using make-ca with Python3
+
+
+ When Python3 was installed in LFS it included
+ the pip3 module with vendored certificates
+ from the Certifi module. That was necessary,
+ but it means that whenever pip3 is used it can reference
+ those certificates, primarily when creating a virtual environment or when
+ installing a module with all its wheel dependencies in one go.
+
+
+
+ It is generally considered that the System Administrator should be in
+ charge of which certificates are available. Now that and have been installed and
+ make-ca has been configured, it is possible to
+ make pip3 use the system certificates.
+
+
+
+ The vendored certificates installed in LFS are a snapshot from when the
+ pulled-in version of Certifi was created. If
+ you regularly update the system certificates, the vendored version will
+ become out of date.
+
+
+
+ To use the system certificates in Python3 you
+ should set _PIP_STANDALONE_CERT to point to them, e.g for
+ the bash shell:
+
+
+export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt
+
+
+
+ If you have created virtual environments, for example when testing modules,
+ and those include the Requests and
+ Certifi modules in ~/.local/lib/python3.11/ then those local
+ modules will be used instead of the system certificates unless you
+ remove the local modules.
+
+
+
+
+ To use the system certificates in Python3 with
+ the BLFS profiles add the following variable to your system or personal
+ profiles:
+
+
+
+cat > /etc/profile.d/pythoncerts.sh << "EOF"
+# Begin /etc/profile.d/pythoncerts.sh
+
+export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt
+
+# End /etc/profile.d/pythoncerts.sh
+EOF
+
+
+
Contents
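Review bot: The two paragraphs beginning "To use the system certificates in Python3" and the section title promise more than the setting they document. The variable is named _PIP_STANDALONE_CERT and the stated goal earlier in the section is to "make pip3 use the system certificates", so the text should say pip3 rather than Python3, or state explicitly that nothing beyond pip3 is covered. The leading underscore in the name also deserves a sentence on whether the variable is a supported interface, since the page asks administrators to rely on it for trust decisions. In the virtual environment paragraph, ~/.local/lib/python3.11/ hard-codes the Python minor version and will go stale on the next Python update. That path is also a per-user location, while the sentence introduces it as belonging to virtual environments, so the wording should make clear which of the two is meant. Because that paragraph describes a case where the system bundle is silently not used, it would help to tell the reader how to confirm which bundle is in effect after removing the local modules. The profile paragraph says "system or personal profiles" but only shows the /etc/profile.d/pythoncerts.sh form, which needs root. Either mention the per-user equivalent or drop "or personal". Minor: "e.g for" should be "e.g. for".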