[arch-general] root CA certificates bundle

Aaron Griffin aaronmgriffin at gmail.com
Tue Apr 29 23:34:42 EDT 2008

On Tue, Apr 29, 2008 at 8:03 PM, Aaron Schaefer <aaron at elasticdog.com> wrote:
> On Tue, Apr 29, 2008 at 8:53 PM, Dimitrios Apostolou <jimis at gmx.net> wrote:
>  > Hello list,
>  >
>  >  In the past I had set-up some software I use (mpop) to read the root CAs
>  >  certificates from  /usr/share/curl/curl-ca-bundle.crt but it seems that some
>  >  update broke that. I could easily find an alternative, since many archlinux
>  >  packages come with their own CA cert bundle but it reminded me I wanted to
>  >  post about it...
>  >
>  >  I think it would be better if archlinux had its own CA-certificate-bundle
>  >  package, and all appropriate packages used that one. As a start we could use
>  >  the file provided by curl or firefox, wrap it in its own package, and force
>  >  its installation in every system.
>  >
>  >  Of course this raises important issues concerning security, like how to
>  >  distribute such a package since plain HTTP downloads (and without any
>  >  signature verification) that pacman uses are insecure. The problem surely
>  >  existed before, it's just that creating such a package mandates a solution.
>  >  Nobody wants to have forged CA root certificates... Undoubtedly the safest is
>  >  to include it once in the install CDs and never update it through the web, it
>  >  seems pretty impossible though. So what do you think?
>  >
>  >
>  >  Thanks,
>  >  Dimitris
>  +1  I definitely agree that it would be nice to have these in a
>  package that would install to a place where it could be reliably
>  found.  I've had to track down these bundles for various reasons
>  myself.

Something like this?

More information about the arch-general mailing list