On Tue, Apr 29, 2008 at 8:03 PM, Aaron Schaefer <aaron@xxxxxxxxxxxxxx> wrote:
>
> On Tue, Apr 29, 2008 at 8:53 PM, Dimitrios Apostolou <jimis@xxxxxxx> wrote:
> > Hello list,
> >
> > In the past I had set-up some software I use (mpop) to read the root CAs
> > certificates from /usr/share/curl/curl-ca-bundle.crt but it seems that some
> > update broke that. I could easily find an alternative, since many archlinux
> > packages come with their own CA cert bundle but it reminded me I wanted to
> > post about it...
> >
> > I think it would be better if archlinux had its own CA-certificate-bundle
> > package, and all appropriate packages used that one. As a start we could use
> > the file provided by curl or firefox, wrap it in its own package, and force
> > its installation in every system.
> >
> > Of course this raises important issues concerning security, like how to
> > distribute such a package since plain HTTP downloads (and without any
> > signature verification) that pacman uses are insecure. The problem surely
> > existed before, it's just that creating such a package mandates a solution.
> > Nobody wants to have forged CA root certificates... Undoubtedly the safest is
> > to include it once in the install CDs and never update it through the web, it
> > seems pretty impossible though. So what do you think?
> >
> >
> > Thanks,
> > Dimitris
> >
> +1 I definitely agree that it would be nice to have these in a
> package that would install to a place where it could be reliably
> found. I've had to track down these bundles for various reasons
> myself.

Something like this? http://bugs.archlinux.org/task/7912