On 02/04/14 06:10 PM, David C. Rankin wrote:
On 04/02/2014 04:44 AM, Neal Oakey wrote:
What do you think? Imho we should keep following Debian here. Other
solutions would be to patch it back in or ship a separate optional package; though that might be impossible for nss.
Greetings,
Pierre
I usually agree with Pierre, but in this case "Why would we just want to follow Deb?" Why not continue to provide CAcert with the info in this thread provided as a proviso. No authority is perfect and dropping CAcert seems like a knee-jerk response that accomplishes little for Arch or the users.
If CAcert is hacked due to sloppy coding, then Arch users would all be vulnerable to man-in-the-middle attacks using certificates signed by the stolen private key. The certificate authority system is far from perfect, but the ones Mozilla includes need to perform regular audits, etc. CAcert doesn't meet their standards.
What would replace that dependency for curl and qt4, or would the functionality just be lost?
ca-certificates provides the trusted certificate authorities, and it is now simply shipping the upstream Mozilla certificate authorities. CAcert was just one of the certificate authorities, and *not* one of the ones trusted by Mozilla. Debian/Mozilla are the upstream here, and neither wants to include CAcert.