In the past I had set-up some software I use (mpop) to read the root CAs certificates from /usr/share/curl/curl-ca-bundle.crt but it seems that some update broke that. I could easily find an alternative, since many archlinux packages come with their own CA cert bundle but it reminded me I wanted to post about it...
I think it would be better if archlinux had its own CA-certificate-bundle package, and all appropriate packages used that one. As a start we could use the file provided by curl or firefox, wrap it in its own package, and force its installation in every system.
Of course this raises important issues concerning security, like how to distribute such a package since plain HTTP downloads (and without any signature verification) that pacman uses are insecure. The problem surely existed before, it's just that creating such a package mandates a solution. Nobody wants to have forged CA root certificates... Undoubtedly the safest is to include it once in the install CDs and never update it through the web, it seems pretty impossible though. So what do you think?