[arch-general] [arch-dev-public] CAcert dropped from certificate bundle

Daniel Micay danielmicay at gmail.com
Wed Apr 2 18:31:23 EDT 2014


On 02/04/14 06:10 PM, David C. Rankin wrote:
> On 04/02/2014 04:44 AM, Neal Oakey wrote:
>> What do you think? Imho we should keep following Debian here.
>>> Other solutions would be to patch it back in or ship a separate
>>> optional package; though that might be impossible for nss.
>>>
>>> Greetings,
>>>
>>> Pierre
>>>
> 
> I usually agree with Pierre, but in this case "Why would we just want to follow
> Deb?" Why not continue to provide CAcert with the info in this thread provided
> as a proviso. No authority is perfect and dropping CAcert seems like a knee-jerk
> response that accomplishes little for Arch or the users.

If CAcert is hacked due to sloppy coding, then Arch users would all be
vulnerable to man-in-the-middle attacks using certificates signed by the
stolen private key. The certificate authority system is far from
perfect, but the ones Mozilla includes need to perform regular audits,
etc. CAcert doesn't meet their standards.

> What would replace that dependency for curl and qt4, or would the functionality
> just be lost?

ca-certificates provides the trusted certificate authorities, and it is
now simply shipping the upstream Mozilla certificate authorities. CAcert
was just one of the certificate authorities, and *not* one of the ones
trusted by Mozilla. Debian/Mozilla are the upstream here, and neither
wants to include CAcert.

