Yeah, this is why I keep coming back to wanting to start managing parts of the stdlib as separately-updateable packages, like Ruby does (see also). We can’t put certifi in the stdlib because it needs regular updates. We could put truststore (or equivalent) in the stdlib, but even if someone shows up to do the work in time to ship it in 3.12, pip won’t be able to rely on it until 3.11 hits EOL in 2027 – and it’s entirely possible that by 2027 the truststore approach will be obsolete and we’ll be having this conversation again about whatever the new thing is.

OTOH if we could ship ssl patches through PyPI, independently from cpython releases, all these issues would be so much more tractable. Our overly-rigid stdlib is the root cause of a lot of problems.