On Wednesday, 30 April 2008 02:53, Dimitrios Apostolou wrote:
In the past I had set up some software I use (mpop) to read the root CA certificates from /usr/share/curl/curl-ca-bundle.crt, but it seems that some update broke that. I could easily find an alternative, since many Arch Linux packages come with their own CA cert bundle, but it reminded me that I wanted to post about it...
Could it be that the main problem is that /etc/ssl/certs is empty? From my point of view this should be the number one place for certs, and every application knows where it has to search if it needs one. Is there a reason why we don't package the standard root certificates from OpenSSL? I took a look at how openSUSE does this, and they use the certs from the OpenSSL source file.
Of course this raises important security issues, such as how to distribute such a package, since the plain HTTP downloads (without any signature verification) that pacman uses are insecure. The problem surely existed before; it's just that creating such a package mandates a solution. Nobody wants to have forged CA root certificates... Undoubtedly the safest is to include it once on the install CDs and never update it through the web, but that seems pretty impossible. So what do you think?
Nice idea that pacman could use certificates. See you, Attila
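As an added illustration (not code from this thread or from any of the distributions mentioned), one defensive check a packager or user can run on a CA bundle obtained over an unverified channel: compute the SHA-256 fingerprint of every certificate in the PEM file and compare the set against an allowlist recorded from a trusted copy, so a bundle with an added or swapped root is rejected before it lands in /etc/ssl/certs. The bundle below is constructed from placeholder bytes in PEM framing, not real certificates, so the example runs offline.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block; real bundles also carry comment lines
# and subject names between blocks, which the regex simply skips.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_fingerprint(der):
    """SHA-256 fingerprint (hex) of one certificate's DER bytes."""
    return hashlib.sha256(der).hexdigest()


def bundle_fingerprints(pem_text):
    """Return the fingerprint of every certificate in a PEM bundle, in order."""
    fps = []
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))  # drop line wrapping
        fps.append(der_fingerprint(der))
    return fps


def check_bundle(pem_text, expected):
    """Compare a bundle against an allowlist of expected fingerprints.

    Returns (unexpected, missing): certificates present but not on the
    allowlist, and allowlisted certificates absent from the bundle.  A
    non-empty 'unexpected' set is the forged-root case; either set being
    non-empty means the bundle should not be installed.
    """
    found = set(bundle_fingerprints(pem_text))
    expected = set(expected)
    return found - expected, expected - found


def make_pem(der):
    """Wrap raw bytes in PEM certificate framing (constructed test data only)."""
    b64 = base64.encodebytes(der).decode()  # wrapped at 76 columns, like real PEM
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample bundle: placeholder bytes, NOT real X.509 certificates.
SAMPLE_BUNDLE = ("# Constructed sample CA bundle\n"
                 + make_pem(b"constructed sample root A")
                 + make_pem(b"constructed sample root B"))

if __name__ == "__main__":
    allowlist = bundle_fingerprints(SAMPLE_BUNDLE)   # recorded from trusted copy
    tampered = SAMPLE_BUNDLE + make_pem(b"constructed rogue root")
    print("clean bundle:", check_bundle(SAMPLE_BUNDLE, allowlist))
    print("tampered bundle:", check_bundle(tampered, allowlist))
```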