Though 9 months late, I'd like to express the same concern in this bug report. While there's a nice disclaimer in the package description (from Debian), users are ignorant of the security ramifications of inclusion.
I too suggest there should be secure, objective inclusion criteria. Continuing to include untrustable certificate authorities puts the security of communications at significant risk. At the very least, can we have a stronger disclaimer, which properly informs the users of the risks of installing this package on their system? Something like: "As the trustworthiness of the included CAs has not been established, the installation of this package on your system could result in a compromise in SSL/TLS secure communications. Install this package at your own risk."

--
Missing policy for CA certificates
https://bugs.launchpad.net/bugs/103074
