[arch-dev-public] CAcert dropped from certificate bundle

Bartłomiej Piotrowski b at bpiotrowski.pl
Sun Mar 16 06:06:07 EDT 2014

On 03/14/2014 06:14 PM, Pierre Schmitz wrote:
> Hi all,
> Debian has decided to drop the root certificate of CAcert.org they used
> to ship with their ca-certificates package. As our pacakge is based on
> Debian's the latest ca-certficates package in [testing] also lack the
> CAcert certificate.
> If we intent to keep it that way we should also remove the patch from
> our nss package: 
> https://projects.archlinux.de/svntogit/packages.git/tree/trunk/add_spi+cacert_ca_certs.patch?h=packages/nss
> The Debian bug report can be found at
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434
> I added the certs to our bundles in 2009. Unfortunately there is no
> visible progress regarding their inclusion in browsers from Mozilla,
> Google and Microsoft.
> Realistically I cannot vouch for any of the CAs we ship. That's one
> reason why we push that responsibility upstream to e.g. the Debian
> project or Mozilla.
> What do you think? Imho we should keep follow Debian here. Other
> solutions would be to patch it back in or ship a separate optional
> package; though that might be impossible for nss.
> Greetings,
> Pierre

Seems that Debian can't vouch for its CAs either… However it's not hard
to obtain a legitimate free SSL certificate from StartSSL or GlobalSign,
so let's keep following Debian in that matter.

Users still can import CACert root certificate on their own.

Bartłomiej Piotrowski

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-dev-public/attachments/20140316/3b14ea96/attachment.asc>

More information about the arch-dev-public mailing list