I find CAcert pretty useful, and it is handy to have their certificate installed by default. From other contributions to this bug, it seems their auditing, policies, or disclaimer have some issues.

From a practical POV, the incidents reported by THC[0] mention different CAs, so I'd rather remove them than CAcert. CAcert's disclaimer spells the same no-liability stuff that all Debian software bears. The only real reason that we would remove that certificate is because Mozilla doesn't do it. (BTW, CAcert is not any more on the pending list mentioned in message #40.)

If anything, it should be made clear[er] that there is no endorsement or assumption of responsibility in distributing ca-certificates: Just like any other package, it is done on a best-effort basis.

CAcert is a well-known CA. Debian has historically distributed its certificate, and should not stop unless there is a serious reason to do so. Please just set WONTFIX.

[0] https://wiki.thc.org/ssl#head-96dca2abae666e78fe5a0955a6548517812bdc4e

Thanks
Ale