[arch-dev-public] introducing ca-certificates

Jan de Groot jan at jgc.homeip.net
Wed Jun 4 03:05:42 EDT 2008

On Tue, 2008-06-03 at 22:09 +0200, Pierre Schmitz wrote:
> Am Montag 02 Juni 2008 02:43:19 schrieb Dan McGee:
> > Is this maybe even core/support material?
> I am still undecided how to handle this. We have several options:
> 1) Make ca-certificates a depend of openssl. This will restore the behaviour 
>    before the openssl project removed their own certs. Those packages using
>    their own bundle (like curl) should be update to use this one instead.
> 2) Add this package as a dependency to browser and other appy which use 
>    openssl
> 3) Don't do anything and put it as an optional package into extra
> As I said I have no strong oppinion about this. Maybe option 1 would be the 
> best because it does not change the current behaviour too much and browsers 
> wouldn't complain about untrusted certs when the new openssl package is moved 
> to core.

Option 1 looks good to me. Note that browsers usually have their
internal ca certificates included. Mozilla products store them in the
nss library, kdelibs contains its own ca-bundle.crt
in /opt/kde/share/apps/kssl/.

Option 2 is required for anything that installs its own ca-bundle.
Examples of these are curl, kdelibs, java-gcj-compat and nss. The last
two of these require hooks in /etc/ca-certificates/update.d/ to
regenerate their certificate database on any change/update to

More information about the arch-dev-public mailing list