Today’s fun turtle-chasing[0] moment was trying to understand how a Python application validated TLS certificates. The application relies on the certifi package[1], which is built from the python-certifi GitHub repository[2]. Both of these describe the source of this data as Mozilla, but they actually call an endpoint on the mkcert.org service hosted on DigitalOcean[3], which is built from the Lukasa/mkcert GitHub repository[4]. The mkcert repository uses a Mercurial repository URL hosted by Mozilla[5]. This is fed by Mozilla’s CA inclusion process[6].

Even ignoring the Mozilla CA process, the number of people and companies involved in bringing a static PEM file into your Python application is mind-boggling.

0. en.wikipedia.org/wiki/Turtles_

1. pypi.org/project/certifi/

2. github.com/certifi/python-cert

3. mkcert.org/

4. github.com/Lukasa/mkcert

5. hg.mozilla.org/mozilla-central

6. wiki.mozilla.org/CA/Included_C

The unintentional irony of the mkcert.org landing page is 😘
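An added example, not part of the original post or of the certifi or mkcert projects: one way to see what that chain actually delivered is to fingerprint every certificate in the PEM bundle and diff the result against a baseline you reviewed earlier. The function names and the two sample bundles are constructed for illustration; the sample "certificates" are arbitrary bytes wrapped in PEM armor, not real roots.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block and captures its base64 body.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_fingerprints(pem_text):
    """Return the set of SHA-256 fingerprints (hex, over DER bytes) in a bundle."""
    prints = set()
    for body in PEM_CERT.findall(pem_text):
        # Strip line breaks, then decode strictly so corrupt blocks raise.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def diff_bundle(baseline, pem_text):
    """Compare a bundle against a reviewed baseline set of fingerprints."""
    current = cert_fingerprints(pem_text)
    return {
        "added": sorted(current - baseline),
        "removed": sorted(baseline - current),
    }


def fake_pem(payload):
    # Constructed stand-in: arbitrary bytes in PEM armor, not a real certificate.
    b64 = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


# Constructed sample bundles standing in for two releases of a CA file.
OLD_BUNDLE = "# Label: root A\n" + fake_pem(b"root-A") + fake_pem(b"root-B")
NEW_BUNDLE = fake_pem(b"root-B") + "# Label: root C\n" + fake_pem(b"root-C")

if __name__ == "__main__":
    baseline = cert_fingerprints(OLD_BUNDLE)
    print(diff_bundle(baseline, NEW_BUNDLE))
    # To audit the installed bundle instead (assumes certifi is installed):
    #   import certifi
    #   text = open(certifi.where(), encoding="utf-8").read()
```

Storing the baseline set alongside your dependency lock file turns every certifi upgrade into a reviewable list of roots added and removed.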