[arch-general] [arch-dev-public] CAcert dropped from certificate bundle

Neal Oakey neal.oakey at googlemail.com
Wed Apr 2 05:44:58 EDT 2014


Hi all,

because I can't send this to the arch-dev-public mailing list I will
send this here:

In my opinion, only because Debian drops the support for something this
doesn't mean that we should do the same.

And if you look at the Bugreport you will notice that the Information on
which Debian is basing their argumentation is old.

For more current information you can see: (sorry I know it's on German)
http://www.heise.de/netze/meldung/CAcert-reagiert-auf-Zertifikatsrauswurf-2156226.html

Or http://wiki.cacert.org/Roots/EscrowAndRecovery/NRE which isn't so
detailed, but should be up to date.

Greetings,
Neal

> Hi all,
>
> Debian has decided to drop the root certificate of CAcert.org they used
> to ship with their ca-certificates package. As our pacakge is based on
> Debian's the latest ca-certficates package in [testing] also lack the
> CAcert certificate.
>
> If we intent to keep it that way we should also remove the patch from
> our nss package: 
> https://projects.archlinux.de/svntogit/packages.git/tree/trunk/add_spi+cacert_ca_certs.patch?h=packages/nss
>
> The Debian bug report can be found at
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434
>
> I added the certs to our bundles in 2009. Unfortunately there is no
> visible progress regarding their inclusion in browsers from Mozilla,
> Google and Microsoft.
>
> Realistically I cannot vouch for any of the CAs we ship. That's one
> reason why we push that responsibility upstream to e.g. the Debian
> project or Mozilla.
>
> What do you think? Imho we should keep follow Debian here. Other
> solutions would be to patch it back in or ship a separate optional
> package; though that might be impossible for nss.
>
> Greetings,
>
> Pierre
>
> -- 
> Pierre Schmitz, https://pierre-schmitz.com <https://pierre-schmitz.com/>
>






More information about the arch-general mailing list