[arch-general] root CA certificates bundle

Attila attila at invalid.invalid
Wed Apr 30 01:21:21 EDT 2008


On Wednesday, 30 April 2008 02:53 Dimitrios Apostolou wrote:

> In the past I had set up some software I use (mpop) to read the root CA
> certificates from /usr/share/curl/curl-ca-bundle.crt but it seems that some
> update broke that. I could easily find an alternative, since many archlinux
> packages come with their own CA cert bundle, but it reminded me I wanted to
> post about it...

Could it be that the main problem is that /etc/ssl/certs is empty? In my
view this should be the number one place for certs, and every application knows
where it has to search if it needs one.

Is there a reason why we don't package the standard root certificates from
openssl? I took a look at how openSUSE does this and they use the certs from
the source file of openssl.

> Of course this raises important issues concerning security, like how to
> distribute such a package since plain HTTP downloads (and without any
> signature verification) that pacman uses are insecure. The problem surely
> existed before, it's just that creating such a package mandates a solution.
> Nobody wants to have forged CA root certificates... Undoubtedly the safest
> is to include it once in the install CDs and never update it through the
> web, it seems pretty impossible though. So what do you think?

Nice idea that pacman can use certificates.

See you, Attila




