[arch-general] root CA certificates bundle
jimis at gmx.net
Tue Apr 29 20:53:55 EDT 2008
In the past I had set-up some software I use (mpop) to read the root CAs
certificates from /usr/share/curl/curl-ca-bundle.crt but it seems that some
update broke that. I could easily find an alternative, since many archlinux
packages come with their own CA cert bundle but it reminded me I wanted to
post about it...
I think it would be better if archlinux had its own CA-certificate-bundle
package, and all appropriate packages used that one. As a start we could use
the file provided by curl or firefox, wrap it in its own package, and force
its installation in every system.
Of course this raises important issues concerning security, like how to
distribute such a package since plain HTTP downloads (and without any
signature verification) that pacman uses are insecure. The problem surely
existed before, it's just that creating such a package mandates a solution.
Nobody wants to have forged CA root certificates... Undoubtedly the safest is
to include it once in the install CDs and never update it through the web, it
seems pretty impossible though. So what do you think?
More information about the arch-general