Hi all, because I can't send this to the arch-dev-public mailing list I will send this here: In my opinion, only because Debian drops the support for something this doesn't mean that we should do the same. And if you look at the Bugreport you will notice that the Information on which Debian is basing their argumentation is old. For more current information you can see: (sorry I know it's on German) http://www.heise.de/netze/meldung/CAcert-reagiert-auf-Zertifikatsrauswurf-21... Or http://wiki.cacert.org/Roots/EscrowAndRecovery/NRE which isn't so detailed, but should be up to date. Greetings, Neal
Hi all,
Debian has decided to drop the root certificate of CAcert.org they used to ship with their ca-certificates package. As our pacakge is based on Debian's the latest ca-certficates package in [testing] also lack the CAcert certificate.
If we intent to keep it that way we should also remove the patch from our nss package: https://projects.archlinux.de/svntogit/packages.git/tree/trunk/add_spi+cacer...
The Debian bug report can be found at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434
I added the certs to our bundles in 2009. Unfortunately there is no visible progress regarding their inclusion in browsers from Mozilla, Google and Microsoft.
Realistically I cannot vouch for any of the CAs we ship. That's one reason why we push that responsibility upstream to e.g. the Debian project or Mozilla.
What do you think? Imho we should keep follow Debian here. Other solutions would be to patch it back in or ship a separate optional package; though that might be impossible for nss.
Greetings,
Pierre
-- Pierre Schmitz, https://pierre-schmitz.com <https://pierre-schmitz.com/>