On Monday 31 December 2012 19:44:32 Rich Freeman wrote:
> The certificates that Gentoo distributes have at least been vouched
> for by somebody who is a part of our community, which is more than can
> be said for most of the upstream certificates.

mmm, Gentoo ships ca-certificates which comes directly from Debian. when people request modification (add/remove/whatever), we bounce them to Debian. we specifically don't want to deal with this mess and instead "unload" it onto Debian :).

we don't modify openssl in any way wrt cert management. it uses the certs the user themselves have installed, or other packages have installed into /etc/ssl/ (which atm is just ca-certificates afaik).

as for nss, i can't vouch for it directly since i haven't worked on it. a cursory glance looks like we add cacert.org and spi (software in the public interest) root certs. i don't know if it's possible, but it seems like nss should just look in the common /etc/ssl store. either way, i don't see a problem here.

i don't know much about gnutls, but it doesn't seem like we do anything there other than package it up.
-mike