Arch Linux


FS#39671 - [ca-certificates] Add cacert.org root certificates

Attached to Project: Arch Linux
Opened by Oskar Hahn (ostcar) - Saturday, 29 March 2014, 06:16 GMT
Last edited by Jan de Groot (JGC) - Wednesday, 02 April 2014, 11:23 GMT
Task Type: Feature Request
Category: Packages: Core
Status: Closed
Assigned To: Pierre Schmitz (Pierre)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Arch Linux uses the certificates from Debian, but Debian removed CAcert.

Closed by Jan de Groot (JGC)
Wednesday, 02 April 2014, 11:23 GMT
Reason for closing: Won't implement
Comment by Pierre Schmitz (Pierre) - Saturday, 29 March 2014, 07:50 GMT
Comment by henning mueller (phects) - Saturday, 29 March 2014, 09:25 GMT
I would like to see the CAcert root certificates re-included, too!
Comment by Pierre Schmitz (Pierre) - Saturday, 29 March 2014, 09:43 GMT
I neither can nor want to decide which CA is trustworthy. For all I know, none can be trusted.

So we simply ship whatever Mozilla does.

It's simple enough to import your own set of certificates. See "man 8 update-ca-certificates".
Comment by Bartłomiej Piotrowski (Barthalion) - Saturday, 29 March 2014, 16:02 GMT
Either I'm doing something wrong or update-ca-certificates doesn't do what it should.


# ls /usr/local/share/ca-certificates
cacert-class3.crt cacert-root.crt
# update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
Comment by (webmeister) - Saturday, 29 March 2014, 21:45 GMT
Could you at least include the CAcert root certificate in the package, but leave it disabled in /etc/ca-certificates.conf? This way you do not guarantee that CAcert creates good certificates, but only that this root certificate indeed belongs to CAcert.

Then users can easily decide for themselves whether they want to trust CAcert or not. But they do not have the problem anymore of getting the root certificate over a secure channel, as the signed Arch package serves as a secure channel.
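
The comment above turns on getting a root certificate over a channel you trust before importing it by hand. As an added example (not part of this thread or of the ca-certificates package), the Python below stages a certificate into a local trust directory only when its SHA-256 fingerprint matches a value obtained out of band; the function names, the sample bytes and the pin are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def sha256_fingerprint(pem_text):
    """SHA-256 over the DER bytes, the value `openssl x509 -fingerprint -sha256` prints."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:  # refuse bundles: one reviewed root per file
        raise ValueError("expected exactly one certificate, found %d" % len(blocks))
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def normalize(fp):
    """Accept both 'AA:BB:...' and 'aabb...' spellings of a published fingerprint."""
    return fp.replace(":", "").replace(" ", "").lower()

def stage_if_pinned(pem_text, expected_fp, dest_dir, name):
    """Write <name>.crt into dest_dir only when the fingerprint matches the pin."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError("unsafe file name")
    if not hmac.compare_digest(sha256_fingerprint(pem_text), normalize(expected_fp)):
        return None  # mismatch: nothing is written
    target = Path(dest_dir) / (name + ".crt")
    target.write_text(pem_text)
    return target

# Constructed sample: stand-in bytes, NOT a real certificate or a real CA fingerprint.
SAMPLE_DER = b"constructed stand-in bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()  # stands in for the out-of-band value

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # real target: /usr/local/share/ca-certificates
        print("match   ->", stage_if_pinned(SAMPLE_PEM, SAMPLE_PIN, d, "example-root"))
        print("mismatch->", stage_if_pinned(SAMPLE_PEM, "00" * 32, d, "example-root"))
```

With a real certificate, the pin would come from a source independent of the download, and update-ca-certificates would be run after staging.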
Comment by Daniel Micay (thestinger) - Sunday, 30 March 2014, 02:08 GMT
I don't think we should include a CA explicitly rejected by Mozilla. Just take a look at their fragile PHP source code building SQL statements by hand... If and when they perform/pass an audit by getting their stuff together, Mozilla will be happy to include it as a trusted CA. It seems silly for anyone to be using them, because the certificates aren't included on the operating systems or browsers used by the vast majority of users. You don't need CAcert to get a free SSL certificate from a CA shipped by Arch Linux.