[Solved] Pacman allows to remove ca-certificates{,-mozilla}

amish · 2025-06-30 14:03:59

So I followed this Wiki page:
pacman/Tips and tricks#Detecting more unneeded packages

[root@home /]# pacman -Qqd | pacman -Rsu --print -
ca-certificates-20240618-1
ca-certificates-mozilla-3.113-

It shows me above two packages as unneeded packages.

While they are possibly one of the most important packages.

I checked if they are really removable? (i.e. if pacman blocks removal?)

[root@home /]#  pacman -Rns ca-certificates ca-certificates-mozilla
checking dependencies...
:: openssl optionally requires ca-certificates
:: wget optionally requires ca-certificates: HTTPS downloads

Package (2)              Old Version  Net Change

ca-certificates          20240618-1     0.00 MiB
ca-certificates-mozilla  3.113-1       -1.04 MiB

Total Removed Size:  1.04 MiB

:: Do you want to remove these packages? [Y/n] n

Unfortunately pacman does not block removal and allows to remove them.

Further checking, ca-certificates is just an empty package which depends on ca-certificates-mozilla.

There is another package ca-certificates-utils which provides ca-certificates.

ca-certificates-mozilla in turn depends on ca-certificates-utils.

So there is indirect dependency cycle.

Is this a bug? Or it is how it is to be?

May be ca-certificates-mozilla may not be required technically but I think its absence may break many sites or browsers. (Firefox?)

Strange thing is that if I install "virtualbox" package then first command no more lists them as unneeded but pacman still allows to remove them. Even pacman -Qttdq or pacman -Qtdq does not list them as unneeded.

[root@home /]# pacman -Syu virtualbox
...
[root@home /]# pacman -Qqd | pacman -Rsu --print -
 there is nothing to do
[root@home /]#  pacman -Qttdq
[root@home /]#  pacman -Qtdq
[root@home /]#  pacman -Rns ca-certificates ca-certificates-mozilla
checking dependencies...
:: openssl optionally requires ca-certificates
:: wget optionally requires ca-certificates: HTTPS downloads

Package (2)              Old Version  Net Change

ca-certificates          20240618-1     0.00 MiB
ca-certificates-mozilla  3.113-1       -1.04 MiB

Total Removed Size:  1.04 MiB

:: Do you want to remove these packages? [Y/n] n

I dont know why installing virtualbox does above but I guess I need to make ca-certificates-mozilla as explicitly installed package so as not to remove it accidentally.

Or may be ca-certificates-utils should not provide ca-certificates?

Last edited by amish (2025-07-01 07:34:12)

seth · 2025-06-30 17:48:47

ca-certificates, ca-certificates-mozilla and ca-certificat-utils are circular dependencies, but: curl depends hard on ca-certificates and EVERYTHING™ depends on curl, https://archlinux.org/packages/core/x86_64/curl/

pacman -Qs curl

amish · 2025-07-01 03:17:50

Yes. I know that. But what I meant is that removal of ca-certificates-mozilla, is it safe? Or it is going to break some sites?

Is root certificates provided by ca-certificate-utils enough? Or there are additional root certificates provided by ca-certificates-mozilla that are also important?

No packages directly require ca-certificates-mozilla. (except ca-certificates)

ca-certificates is provided by two packages (ca-certificates itself and ca-certificates-utils)

So the package ca-certificates can be removed (as it is also provided by ca-certificate-utils)

And removing ca-certificates (via pacman -Rns) also removes ca-certificates-mozilla.

So is it safe to remove ca-certificates-mozilla? Or it is going to break some site?

seth · 2025-07-01 06:08:38

Removing ca-certificates-mozilla is gonna break your internet (https) for the most part.
Don't.

amish · 2025-07-01 06:30:56

Yes exactly. That is why I believe that pacman allowing removal of ca-certificates-mozilla is most likely a bug.

This can be resolved by ca-certificates-utils NOT providing ca-certificates.

Or making curl, openssl etc. depend on ca-certificates-mozilla and not just ca-certificates (indirectly ca-certificates-utils)

Last edited by amish (2025-07-01 06:45:20)

seth · 2025-07-01 06:46:17

https://gitlab.archlinux.org/archlinux/ … ote_198815

amish · 2025-07-01 07:32:38

Great. Thank you for finding the relevant issue.

That clears things. So now I know that I need to explicitly install ca-certificate-mozilla to avoid accidental deletion.

Arch Linux

#1 2025-06-30 14:03:59

[Solved] Pacman allows to remove ca-certificates{,-mozilla}

#2 2025-06-30 17:48:47

Re: [Solved] Pacman allows to remove ca-certificates{,-mozilla}

#3 2025-07-01 03:17:50

Re: [Solved] Pacman allows to remove ca-certificates{,-mozilla}

#4 2025-07-01 06:08:38

Re: [Solved] Pacman allows to remove ca-certificates{,-mozilla}

#5 2025-07-01 06:30:56

Re: [Solved] Pacman allows to remove ca-certificates{,-mozilla}

#6 2025-07-01 06:46:17

Re: [Solved] Pacman allows to remove ca-certificates{,-mozilla}

#7 2025-07-01 07:32:38

Re: [Solved] Pacman allows to remove ca-certificates{,-mozilla}

Board footer