From c75c71ee16cf8b7b19202c8ff32edb9999904a6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
Date: Mon, 3 Dec 2018 16:46:56 +0100
Subject: [PATCH] Use the system level root certificate instead of the one
 bundled in certifi

https://bugzilla.redhat.com/show_bug.cgi?id=1655253
---
 dummy-certifi.patch | 15 +++++++++++++++
 python-pip.spec     | 19 ++++++++++++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 dummy-certifi.patch

diff --git a/dummy-certifi.patch b/dummy-certifi.patch
new file mode 100644
index 0000000..1178c76
--- /dev/null
+++ b/dummy-certifi.patch
@@ -0,0 +1,15 @@
+diff --git a/src/pip/_vendor/certifi/core.py b/src/pip/_vendor/certifi/core.py
+index eab9d1d..30db215 100644
+--- a/src/pip/_vendor/certifi/core.py
++++ b/src/pip/_vendor/certifi/core.py
+@@ -19,9 +19,7 @@ class DeprecatedBundleWarning(DeprecationWarning):
+ 
+ 
+ def where():
+-    f = os.path.dirname(__file__)
+-
+-    return os.path.join(f, 'cacert.pem')
++    return '/etc/pki/tls/certs/ca-bundle.crt'
+ 
+ 
+ def old_where():
diff --git a/python-pip.spec b/python-pip.spec
index 63490df..ae600c0 100644
--- a/python-pip.spec
+++ b/python-pip.spec
@@ -23,7 +23,7 @@ Name:           python-%{srcname}
 # When updating, update the bundled libraries versions bellow!
 # You can use vendor_meta.sh in the dist git repo
 Version:        18.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A tool for installing and managing Python packages
 
 # We bundle a lot of libraries with pip, which itself is under MIT license.
@@ -95,6 +95,10 @@ Patch2:         html_theme_path.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1550368#c24
 Patch3:         remove-existing-dist-only-if-path-conflicts.patch
 
+# Use the system level root certificate instead of the one bundled in certifi
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655253
+Patch4:         dummy-certifi.patch
+
 # Downstream only patch
 # Users might have local installations of pip from using
 # `pip install --user --upgrade pip` on older versions.
@@ -168,6 +172,8 @@ BuildRequires:  python2-pyyaml
 BuildRequires:  python2-pip
 BuildRequires:  python2-wheel
 %endif
+BuildRequires:  ca-certificates
+Requires:       ca-certificates
 Requires:       python2-setuptools
 
 # Virtual provides for the packages bundled by pip:
@@ -203,6 +209,8 @@ BuildRequires:  python%{python3_pkgversion}-pyyaml
 BuildRequires:  python%{python3_pkgversion}-pip
 BuildRequires:  python%{python3_pkgversion}-wheel
 %endif
+BuildRequires:  ca-certificates
+Requires:       ca-certificates
 Requires:  python%{python3_pkgversion}-setuptools
 
 # Virtual provides for the packages bundled by pip:
@@ -230,6 +238,7 @@ A documentation for a tool for installing and managing Python packages
 %if %{without bootstrap}
 %package wheel
 Summary:        The pip wheel
+Requires:       ca-certificates
 
 # Virtual provides for the packages bundled by pip:
 %{bundled 2}
@@ -257,6 +266,11 @@ popd
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+
+# this goes together with patch4
+rm src/pip/_vendor/certifi/*.pem
+sed -i '/\.pem$/d' src/pip.egg-info/SOURCES.txt
 
 
 %build
@@ -464,6 +478,9 @@ ln -sf %{buildroot}%{_bindir}/pip3 _bin/pip
 %endif
 
 %changelog
+* Mon Dec 03 2018 Miro Hrončok <mhroncok@redhat.com> - 18.1-2
+- Use the system level root certificate instead of the one bundled in certifi
+
 * Thu Nov 22 2018 Miro Hrončok <mhroncok@redhat.com> - 18.1-1
 - Update to 18.1 (#1652089)