[arch-general] root CA certificates bundle
Hello list,

In the past I had set up some software I use (mpop) to read the root CA certificates from /usr/share/curl/curl-ca-bundle.crt, but it seems that some update broke that. I could easily find an alternative, since many archlinux packages come with their own CA cert bundle, but it reminded me I wanted to post about it...

I think it would be better if archlinux had its own CA-certificate-bundle package, and all appropriate packages used that one. As a start we could use the file provided by curl or firefox, wrap it in its own package, and force its installation in every system.

Of course this raises important issues concerning security, like how to distribute such a package, since the plain HTTP downloads (without any signature verification) that pacman uses are insecure. The problem surely existed before; it's just that creating such a package mandates a solution. Nobody wants to have forged CA root certificates... Undoubtedly the safest is to include it once in the install CDs and never update it through the web; it seems pretty impossible though.

So what do you think?

Thanks,
Dimitris
On Tue, Apr 29, 2008 at 8:53 PM, Dimitrios Apostolou <jimis@gmx.net> wrote:
+1

I definitely agree that it would be nice to have these in a package that would install to a place where it could be reliably found. I've had to track down these bundles for various reasons myself.

Aaron "ElasticDog" Schaefer
On Tue, Apr 29, 2008 at 8:03 PM, Aaron Schaefer <aaron@elasticdog.com> wrote:
Something like this? http://bugs.archlinux.org/task/7912
On Wednesday 30 April 2008 06:34:42 Aaron Griffin wrote:
> Something like this? http://bugs.archlinux.org/task/7912

Yes, the issue is the same. However, I believe that we must find a better solution than just moving the Debian or Gentoo package to Arch and simply installing it via pacman.

Thanks,
Dimitris
On Wednesday, 30 April 2008 02:53 Dimitrios Apostolou wrote:

Could it be that the main problem is that /etc/ssl/certs is empty? In my view this should be the number one place for certs, and every application knows where it has to search if it needs one. Is there a reason why we don't package the standard root certificates from openssl? I took a look at how opensuse does this, and they use the certs from the source file of openssl.

Nice idea that pacman can use certificates.

See you,
Attila
participants (4)
- Aaron Griffin
- Aaron Schaefer
- Attila
- Dimitrios Apostolou