Bug#731463: Bug#718434: Bug#731463: ca-certificates: should CAcert.org be included?
Michael Shuler
michael at pbandjelly.org
Sat Dec 7 03:15:29 UTC 2013
On 12/06/2013 08:18 PM, Daniel Kahn Gillmor wrote:
> On 12/06/2013 08:11 PM, Michael Shuler wrote:
>> On 12/06/2013 06:21 PM, Daniel Kahn Gillmor wrote:
>>> can we ship CAs marked as "disabled" by default?
>>
>> I think this would prove to be a rather severe disservice to Debian
>> users, making all SSL connections fail for all software that is or
>> depends on one of the reverse dependencies of ca-certificates.
>
> I didn't mean to imply that we would ship all CAs as disabled by default
> -- i agree that would probably be unhelpful. i just meant that the
> decision about "not including CAcert.org" doesn't need to be a binary
> decision -- instead of dropping it, we could ship the certificate, but
> have it disabled by default, while leaving the others alone.
Thanks for the clarification, I misunderstood. This would be possible,
but it makes for an interesting question of toggling other CAs, which I
don't care to take on, since it seems to be a rather polar and emotional
conversation. It it already simple to drop in a local certificate, as
well as create a local cert deb package. In my opinion, the question
really is binary - we either ship it and trust it, or we don't.
--
Kind regards,
Michael
More information about the pkg-mozilla-maintainers
mailing list