On 02/04/14 06:10 PM, David C. Rankin wrote:
> On 04/02/2014 04:44 AM, Neal Oakey wrote:
>> What do you think? Imho we should keep following Debian here. Other
>>> solutions would be to patch it back in or ship a separate optional
>>> package; though that might be impossible for nss.
>>>
>>> Greetings,
>>>
>>> Pierre
>>>
> 
> I usually agree with Pierre, but in this case "Why would we just want to
> follow Deb?" Why not continue to provide CAcert with the info in this
> thread provided as a proviso. No authority is perfect and dropping CAcert
> seems like a knee-jerk response that accomplishes little for Arch or the
> users.

If CAcert is hacked due to sloppy coding, then Arch users would all be
vulnerable to man-in-the-middle attacks using certificates signed by the
stolen private key. The certificate authority system is far from
perfect, but the ones Mozilla includes need to perform regular audits,
etc. CAcert doesn't meet their standards.

> What would replace that dependency for curl and qt4, or would the
> functionality just be lost?

ca-certificates provides the trusted certificate authorities, and it is
now simply shipping the upstream Mozilla certificate authorities. CAcert
was just one of the certificate authorities, and *not* one of the ones
trusted by Mozilla. Debian/Mozilla are the upstream here, and neither
wants to include CAcert.
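As an added illustration (not part of this thread, and not Arch's or Debian's ca-certificates code), the following shell script builds a throwaway PEM bundle and shows what membership in that bundle means in practice: `openssl verify` accepts exactly the certificates whose chain ends in a CA present in the bundle, so a leaf signed by a CA that the bundle does not carry is rejected, while any leaf signed with the bundled CA's key is accepted for any name, which is the man-in-the-middle exposure a stolen CA key creates. It assumes the `openssl` command-line tool is installed; every key, certificate and name is generated on the spot, and the function names are my own.

```shell
#!/bin/sh
# Added example: what membership in the ca-certificates bundle means in practice.
# Assumes the openssl CLI. Every key, certificate and name below is constructed
# here for the demonstration; nothing is taken from a real trust store.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN: create a self-signed CA key pair and certificate as $WORK/NAME.*
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf_signed_by CANAME CN: issue a server certificate for CN signed by that CA
make_leaf_signed_by() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/leaf.crt" 2>/dev/null
}

# verify_against_bundle BUNDLE: exit 0 only if leaf.crt chains to a CA in BUNDLE.
# This is the same decision curl, qt4 etc. make against the system bundle.
verify_against_bundle() {
    openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# list_bundle_subjects BUNDLE: one "subject=..." line per certificate in a PEM
# bundle; run it on the system bundle to audit which CAs a machine trusts.
list_bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout | grep '^subject'
}

# Two CAs: "bundled" stands in for a Mozilla-included root, "outside" for a CA
# such as CAcert that the bundle does not carry.
make_ca bundled "Constructed Bundled Root CA"
make_ca outside "Constructed Outside CA"
cp "$WORK/bundled.crt" "$WORK/bundle.pem"

make_leaf_signed_by outside www.example.test
if verify_against_bundle "$WORK/bundle.pem"; then
    echo "unexpected: leaf from outside CA accepted"
else
    echo "leaf signed by a CA outside the bundle: rejected"
fi

# Whoever holds bundled.key can mint a certificate for any name and it verifies;
# that is why the operational security of every bundled CA matters to users.
make_leaf_signed_by bundled www.example.test
if verify_against_bundle "$WORK/bundle.pem"; then
    echo "leaf signed by the bundled CA: accepted"
else
    echo "unexpected: leaf from bundled CA rejected"
fi

echo "CAs in the bundle:"
list_bundle_subjects "$WORK/bundle.pem"
```

Pointing `list_bundle_subjects` at `/etc/ssl/certs/ca-certificates.crt` answers the question of whether a given CA is trusted on a box; `verify_against_bundle` is the check applications perform implicitly on every TLS connection.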
