On 03/14/2014 06:14 PM, Pierre Schmitz wrote:
> Hi all,
>
> Debian has decided to drop the root certificate of CAcert.org they used
> to ship with their ca-certificates package. As our package is based on
> Debian's, the latest ca-certificates package in [testing] also lacks the
> CAcert certificate.
>
> If we intend to keep it that way we should also remove the patch from
> our nss package:
> https://projects.archlinux.de/svntogit/packages.git/tree/trunk/add_spi+cacert_ca_certs.patch?h=packages/nss
>
> The Debian bug report can be found at
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434
>
> I added the certs to our bundles in 2009. Unfortunately there is no
> visible progress regarding their inclusion in browsers from Mozilla,
> Google and Microsoft.
>
> Realistically I cannot vouch for any of the CAs we ship. That's one
> reason why we push that responsibility upstream to e.g. the Debian
> project or Mozilla.
>
> What do you think? Imho we should keep following Debian here. Other
> solutions would be to patch it back in or ship a separate optional
> package; though that might be impossible for nss.
>
> Greetings,
>
> Pierre
>

Seems that Debian can't vouch for its CAs either… However, it's not hard to obtain a legitimate free SSL certificate from StartSSL or GlobalSign, so let's keep following Debian in that matter. Users can still import the CAcert root certificate on their own.

--
Bartłomiej Piotrowski
http://bpiotrowski.pl/

