Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#7912 - include SSL root certificates by default

Attached to Project: Arch Linux
Opened by Jens Adam (byte) - Thursday, 30 August 2007, 02:06 GMT
Last edited by Pierre Schmitz (Pierre) - Friday, 06 June 2008, 08:52 GMT
Task Type Feature Request
Category Security
Status Closed
Assigned To Dale Blount (dale)
Jason Chu (jason)
Pierre Schmitz (Pierre)
Aaron Griffin (phrakture)
Architecture All
Severity Low
Priority Normal
Reported Version 2007.08 Don't Panic
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No
This task depends upon

Closed by  Pierre Schmitz (Pierre)
Friday, 06 June 2008, 08:52 GMT
Reason for closing:  Implemented
Additional comments about closing:  Finally this task is implemented. ca-certificates is now in [core] and openssl depends on it. Next steps would be updateing kde, mozilla etc. to use those certs, too.
Comment by eliott (cactus) - Tuesday, 04 September 2007, 06:38 GMT
What is the actual request here?
To include these certs as part of the base distro?
Comment by Jens Adam (byte) - Tuesday, 04 September 2007, 12:58 GMT
I'd think make a package and place a hint about it in the .install messages of, say, curl and wget.
Or make it part of the openssl pkg.
Comment by Roman Kyrylych (Romashka) - Saturday, 09 February 2008, 17:19 GMT
Did someone work on it? IIRC there was some discussions on ML.
Comment by eliott (cactus) - Tuesday, 12 February 2008, 19:22 GMT
I really don't think we want to get into cert authority verification.
That should not be our job.

If openssl includes it, then we can.
If someone wants it in aur or community as a package, then that is fine too.

However, I don't think we should be including such things in the base distro.

That is my stance, and that is all I will say about my opinion on this issue.
Comment by Aaron Griffin (phrakture) - Tuesday, 12 February 2008, 19:27 GMT
This is hard to grok. As I understand things, we already ship some certs in the openssl package. These are "extra" certs that aren't part of those, correct?

If that is the case I *do* agree with cactus, but, with arch being a "general purpose" distro, I could see this being a nice addition for some. I will suggest the following course of action: create an AUR package, get it moved to community, then we can see based on popularity and general vote if we should promote it up to the real repos.

Comment by Jason Chu (jason) - Tuesday, 12 February 2008, 19:31 GMT
I'm sort of in the middle. I agree that including it in the openssl package is too much, but I think if anyone wanted to put a package into any repo (ie. extra, aur, or community) then that'd be fine. It's optional in that you're not required to install it, but it's easily available to anyone who wants it.
Comment by Jens Adam (byte) - Tuesday, 12 February 2008, 19:59 GMT
> As I understand things, we already ship some certs in the openssl package.
No, we don't.

Mozilla-Foo installs its own certs, those are everywhere.
And JGC recently modified some Java stuff to also include certs, IIRC.
And then there's /usr/share/curl/curl-ca-bundle.crt that's apparently of no use whatsoever so far, it's just 'data'.

As this is 'my' FR, I'm fine with closing this as deferred. Once I've figured something out, e.g. having a PKGBUILD ready, I'll post again.
Comment by Jens Adam (byte) - Tuesday, 12 February 2008, 20:00 GMT
Erm... in short: Yes, Deal! ;)
Comment by Jens Adam (byte) - Tuesday, 12 February 2008, 20:02 GMT
KDE and Opera also come with certs, btw.
Comment by Joe Banks (yabbadabbadont) - Saturday, 16 February 2008, 10:16 GMT
I have a working PKGBUILD for this that was created by porting Gentoo's ebuild. I'm not sure of the correct procedure, so I will just attach it and the associated .install file. I'm not really interested in maintaining this, but from reading the comments here, I thought it might save someone some effort.
Comment by Joe Banks (yabbadabbadont) - Sunday, 17 February 2008, 00:12 GMT
I am attaching a new set of files as I, naively, used a custom variable in the source array in the original PKGBUILD. The install file hasn't changed, but I'll include it for completeness. I will submit the package to the AUR in the network category. I finally read through all the relevant documentation today, and now know the correct procedure. :)
Comment by Joe Banks (yabbadabbadont) - Sunday, 17 February 2008, 00:34 GMT
OK, last update. I promise. :)

I've completely removed all custom variables from the PKGBUILD and have submitted it to the AUR.

You can find it here:
Comment by Greg (dolby) - Monday, 05 May 2008, 21:31 GMT
i think it got deleted from the AUR/ mind uploading it here?
Comment by Pierre Schmitz (Pierre) - Monday, 02 June 2008, 08:04 GMT
Because the openssl package does not provide any certificates anymore I have made a ca-certificates package based on the one from Debian. This includes the root cert from cacert, too. It's in testing right now.
Comment by Greg (dolby) - Monday, 02 June 2008, 12:56 GMT
Will any packages depend on those certificates? Will it be in base? The current PKGBUILD doesnt have a group.