I see. Thanks for pointer.
]]>What certificates should Arch trust? The default answer has been what Mozilla trusts.
Right, I somehow (wrongly) assumed we're fine with what upstream maintains as the whole package.
Digging deeper, this shift in attitude is quiet recent though:
2014-03-24 only ship mozilla certs; cleanup old install message
As of pkgver = 20140325 (https://projects.archlinux.org/svntogit … beaae68df7), upstream Makefile refers by default to 2 subdirs: mozilla, and spi-inc.org.
Does anybody know why we're specific about including only mozilla certificates?
]]>