On Wednesday, 30 April 2008 02:53 Dimitrios Apostolou wrote:
> In the past I had set up some software I use (mpop) to read the root CA
> certificates from /usr/share/curl/curl-ca-bundle.crt but it seems that some
> update broke that. I could easily find an alternative, since many archlinux
> packages come with their own CA cert bundle but it reminded me I wanted to
> post about it...

Could it be that the main problem is that /etc/ssl/certs is empty? From my view this should be the number one place for certs, and every application knows where it has to search if it needs one.

Is there a reason why we don't package the standard root certificates from openssl? I took a look at how openSUSE does this and they use the certs from the source file of openssl.

> Of course this raises important issues concerning security, like how to
> distribute such a package since plain HTTP downloads (and without any
> signature verification) that pacman uses are insecure. The problem surely
> existed before, it's just that creating such a package mandates a solution.
> Nobody wants to have forged CA root certificates... Undoubtedly the safest
> is to include it once in the install CDs and never update it through the
> web, it seems pretty impossible though. So what do you think?

Nice idea that pacman can use certificates.

See you,
Attila