Hey, Ryan Sleevi, who's working on Chromium and is familiar with other project's Root Cert programs has written an article on how he perceives assorted distributions handle Root CAs:
https://plus.google.com/u/0/105761279104103278252/posts/eVdB6X3NpPg """ [...] Debian: From [5]. According to README.debian, to get a CA included, all you need is two or three people to support you. Gentoo: From [6] Same as Debian. Note they also modify other packages (such as dev-libs/nss) to inject root certs into other programs' root stores. [...] References: [5] http://packages.debian.org/squeeze/all/ca-certificates [6] http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-misc/ca-certificates/ """ Now before you reply, RTFA. Also note that while my own opinion on the matter is irrelevant, I _do_ think that his concerns need to be addressed, particularly the second half of his statement. Regards, Tobias