[arch-general] root CA certificates bundle
Dimitrios Apostolou
jimis at gmx.net
Tue Apr 29 20:53:55 EDT 2008
Hello list,

In the past I had set up some software I use (mpop) to read the root CA
certificates from /usr/share/curl/curl-ca-bundle.crt but it seems that some
update broke that. I could easily find an alternative, since many archlinux
packages come with their own CA cert bundle, but it reminded me I wanted to
post about it...

I think it would be better if archlinux had its own CA-certificate-bundle
package, and all appropriate packages used that one. As a start we could use
the file provided by curl or firefox, wrap it in its own package, and force
its installation in every system.

Of course this raises important issues concerning security, like how to
distribute such a package since plain HTTP downloads (and without any
signature verification) that pacman uses are insecure. The problem surely
existed before; it's just that creating such a package mandates a solution.
Nobody wants to have forged CA root certificates... Undoubtedly the safest is
to include it once in the install CDs and never update it through the web; it
seems pretty impossible though. So what do you think?

Thanks,
Dimitris