Consider adding (and tracking) the components necessary to produce and update ca-certificates and tzdata

[bureado]

While tzdata and ca-certificates release mostly data instead of source code, they are arguably critical to trust. I suggest adding (and tracking) the "build" dependencies of both.

For example, in Debian-based systems, tzdata not only relies on make (as all Debian packages do) but also on gawk or zic from libc, e.g., https://sources.debian.org/src/tzdata/2021e-1/debian/rules/#L28

Similarly, ca-certificates depends on python3 and the cryptography module, as well as OpenSSL: https://sources.debian.org/src/ca-certificates/20211016/debian/control/#L6

[hyandell]

Both of these feel like they are broader concepts.

"Timezone data and CA Cert packages are critical. List of packages providing each that are popular"

[bureado]

Sure. And while there might be others, the named entities ca-certificates and tzdata are among the most popular packages providing said broader concepts.

[emaste]

Both of these feel like they are broader concepts.

That's true, but the important aspect of this issue IMO is that dependencies of critical (code or data) projects are themselves critical.