Arch Linux

What is the actual request here?
To include these certs as part of the base distro?

I'd think make a package and place a hint about it in the .install messages of, say, curl and wget.
Or make it part of the openssl pkg.

Did someone work on it? IIRC there was some discussions on ML.

I really don't think we want to get into cert authority verification.
That should not be our job.

If openssl includes it, then we can.
If someone wants it in aur or community as a package, then that is fine too.

However, I don't think we should be including such things in the base distro.

That is my stance, and that is all I will say about my opinion on this issue.

This is hard to grok. As I understand things, we already ship some certs in the openssl package. These are "extra" certs that aren't part of those, correct?

If that is the case I *do* agree with cactus, but, with arch being a "general purpose" distro, I could see this being a nice addition for some. I will suggest the following course of action: create an AUR package, get it moved to community, then we can see based on popularity and general vote if we should promote it up to the real repos.

Deal?

I'm sort of in the middle. I agree that including it in the openssl package is too much, but I think if anyone wanted to put a package into any repo (ie. extra, aur, or community) then that'd be fine. It's optional in that you're not required to install it, but it's easily available to anyone who wants it.

@phrakture:
> As I understand things, we already ship some certs in the openssl package.
No, we don't.

Mozilla-Foo installs its own certs, those are everywhere.
And JGC recently modified some Java stuff to also include certs, IIRC.
And then there's /usr/share/curl/curl-ca-bundle.crt that's apparently of no use whatsoever so far, it's just 'data'.

As this is 'my' FR, I'm fine with closing this as deferred. Once I've figured something out, e.g. having a PKGBUILD ready, I'll post again.

Erm... in short: Yes, Deal! ;)

KDE and Opera also come with certs, btw.

I have a working PKGBUILD for this that was created by porting Gentoo's ebuild. I'm not sure of the correct procedure, so I will just attach it and the associated .install file. I'm not really interested in maintaining this, but from reading the comments here, I thought it might save someone some effort.

I am attaching a new set of files as I, naively, used a custom variable in the source array in the original PKGBUILD. The install file hasn't changed, but I'll include it for completeness. I will submit the package to the AUR in the network category. I finally read through all the relevant documentation today, and now know the correct procedure. :)

OK, last update. I promise. :)

I've completely removed all custom variables from the PKGBUILD and have submitted it to the AUR.

You can find it here: http://aur.archlinux.org/packages.php?do_Details=1&ID=15233

i think it got deleted from the AUR/ mind uploading it here?

Because the openssl package does not provide any certificates anymore I have made a ca-certificates package based on the one from Debian. This includes the root cert from cacert, too. It's in testing right now.

Will any packages depend on those certificates? Will it be in base? The current PKGBUILD doesnt have a group.