On 12/06/2013 08:18 PM, Daniel Kahn Gillmor wrote:
> On 12/06/2013 08:11 PM, Michael Shuler wrote:
>> On 12/06/2013 06:21 PM, Daniel Kahn Gillmor wrote:
>>> can we ship CAs marked as "disabled" by default?
>>
>> I think this would prove to be a rather severe disservice to Debian
>> users, making all SSL connections fail for all software that is or
>> depends on one of the reverse dependencies of ca-certificates.
>
> I didn't mean to imply that we would ship all CAs as disabled by default
> -- i agree that would probably be unhelpful. i just meant that the
> decision about "not including CAcert.org" doesn't need to be a binary
> decision -- instead of dropping it, we could ship the certificate, but
> have it disabled by default, while leaving the others alone.

Thanks for the clarification, I misunderstood. This would be possible,
but it makes for an interesting question of toggling other CAs, which I
don't care to take on, since it seems to be a rather polar and emotional
conversation. It is already simple to drop in a local certificate, as
well as create a local cert deb package. In my opinion, the question
really is binary - we either ship it and trust it, or we don't.
--
Kind regards,
Michael