On Sun, Aug 24, 2014 at 11:47 AM, Jan Alexander Steffens <jan.steffens@gmail.com> wrote:
> The current issues are:
> - Mozilla NSS uses its own root store and not /etc/ssl/certs
> - ca-certificates ships outdated Mozilla roots
> - Shipping additional roots outside ca-certificates is difficult, requiring patching /etc/ca-certificates.conf

Agreed, the current situation is far from optimal. On a related note, currently replacing the libnssckbi.so lib with any other drop-in replacement could be handled better. I have been symlinking /usr/lib/pkcs11/p11-kit-trust.so to /usr/lib/libnssckbi.so to use the trust policy module [1] for quite some time, and the only way to not let pacman screw this setup is to add "usr/lib/libnssckbi.so" to both NoUpgrade and NoExtract in pacman.conf.

[1] http://p11-glue.freedesktop.org/doc/p11-kit/trust-module.html
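
An added example, not part of the original message: a shell check that the setup described above is still intact, i.e. that libnssckbi.so is a symlink resolving to p11-kit-trust.so and that pacman.conf lists it under both NoUpgrade and NoExtract. The function names and the root-prefix argument are assumptions made for this sketch, and entries are matched literally rather than as the glob patterns pacman accepts.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Paths are the ones named in the message.
LIB_REL="usr/lib/libnssckbi.so"
TRUST_REL="usr/lib/pkcs11/p11-kit-trust.so"

# Succeeds if pacman.conf ($1) lists LIB_REL under directive $2.
# Simplification: literal match only; glob entries are not evaluated.
conf_protects() {
    awk -v key="$2" -v want="$LIB_REL" '
        /^[ \t]*#/ { next }                      # commented-out directive
        {
            n = index($0, "="); if (!n) next     # section headers, blank lines
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            m = split(substr($0, n + 1), a, " ") # whitespace-separated paths
            for (i = 1; i <= m; i++) if (a[i] == want) found = 1
        }
        END { exit !found }' "$1"
}

# $1 = root prefix ("" for the live system), $2 = path to pacman.conf.
# Prints one line per problem; returns 0 only if nothing is wrong.
audit_nss_trust() {
    root="$1"; conf="$2"; rc=0
    lib="$root/$LIB_REL"; trust="$root/$TRUST_REL"
    if [ ! -e "$trust" ]; then
        echo "FAIL: $TRUST_REL is missing"; rc=1
    elif [ ! -L "$lib" ]; then
        echo "FAIL: $LIB_REL is a regular file, not a symlink"; rc=1
    elif [ "$(readlink -f "$lib")" != "$(readlink -f "$trust")" ]; then
        echo "FAIL: $LIB_REL does not resolve to $TRUST_REL"; rc=1
    fi
    for key in NoUpgrade NoExtract; do
        conf_protects "$conf" "$key" || {
            echo "FAIL: $key in $conf does not list $LIB_REL"; rc=1
        }
    done
    return $rc
}
# Usage on a live system: audit_nss_trust "" /etc/pacman.conf
```

A non-zero return after a package upgrade means the symlink was overwritten or one of the two directives is missing, so NSS applications may again be using the library's built-in roots instead of the p11-kit trust module.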