Hello, I was recently reviewing a PR that upgraded an Elixir project's dependencies and noticed that "GLOBALTRUST 2020" was trusted again <https://github.com/elixir-mint/castore/pull/73/files> in November after being removed <https://github.com/elixir-mint/castore/pull/69/files> in July. (The priv/cacerts.pem file in those PRs is generated by running <https://github.com/elixir-mint/castore/blob/124c470e2924cd31b69da85040ffafdff4bff22b/lib/mix/tasks/certdata.ex#L84-L89> https://raw.githubusercontent.com/curl/curl/master/scripts/mk-ca-bundle.pl).
A curl to https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt shows "GLOBALTRUST 2020." I admittedly don't know nearly enough about certs to tell whether there's something there saying the cert shouldn't be trusted, but I was spooked by the cert's return. Can someone help me understand what's going on? -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/dd0c4b18-125e-488f-b6a7-fb9e7cca7a77n%40mozilla.org.
