[arch-general] root CA certificates bundle
Aaron Schaefer
aaron at elasticdog.com
Tue Apr 29 21:03:33 EDT 2008
On Tue, Apr 29, 2008 at 8:53 PM, Dimitrios Apostolou <jimis at gmx.net> wrote:
> Hello list,
>
> In the past I had set up some software I use (mpop) to read the root CAs'
> certificates from /usr/share/curl/curl-ca-bundle.crt but it seems that some
> update broke that. I could easily find an alternative, since many archlinux
> packages come with their own CA cert bundle but it reminded me I wanted to
> post about it...
>
> I think it would be better if archlinux had its own CA-certificate-bundle
> package, and all appropriate packages used that one. As a start we could use
> the file provided by curl or firefox, wrap it in its own package, and force
> its installation in every system.
>
> Of course this raises important issues concerning security, like how to
> distribute such a package since plain HTTP downloads (and without any
> signature verification) that pacman uses are insecure. The problem surely
> existed before, it's just that creating such a package mandates a solution.
> Nobody wants to have forged CA root certificates... Undoubtedly the safest is
> to include it once in the install CDs and never update it through the web, it
> seems pretty impossible though. So what do you think?
>
>
> Thanks,
> Dimitris

+1 I definitely agree that it would be nice to have these in a
package that would install to a place where it could be reliably
found. I've had to track down these bundles for various reasons
myself.

Aaron "ElasticDog" Schaefer
--