ca-certificates verification
4 views
Skip to first unread message
qubist
Dec 28, 2025, 2:27:30 PM (12 days ago) 12/28/25
to qubes...@googlegroups.com
Hi,
A note in the output of 'apt show ca-certificates' caught my attention:
-----
Description: Common CA certificates
Contains the certificate authorities shipped with Mozilla's browser to allow
SSL-based applications to check for the authenticity of SSL connections.
.
Please note that Debian can neither confirm nor deny whether the
certificate authorities whose certificates are included in this package
have in any way been audited for trustworthiness or RFC 3647 compliance.
Full responsibility to assess them belongs to the local system
administrator.
-----
There is no such note in Fedora ('rpm -qi ca-certificates').
Considering:
- the potential impact of this
- the fact that perhaps nobody reads this note
- most users don't even think about it
- the security focus of Qubes
- the philosophy of infrastructure distrust and securing of endpoints
would the Qubes project go an extra mile and possibly check the
certificates shipped with the OS (templates and dom0)?
Or at least show a warning to the user and a guide how to do it oneself?
I understand this is extra work and the package is update-able but
considering other packages are checked, perhaps this essential one
might be worth it.
What do you think?
A note in the output of 'apt show ca-certificates' caught my attention:
-----
Description: Common CA certificates
Contains the certificate authorities shipped with Mozilla's browser to allow
SSL-based applications to check for the authenticity of SSL connections.
.
Please note that Debian can neither confirm nor deny whether the
certificate authorities whose certificates are included in this package
have in any way been audited for trustworthiness or RFC 3647 compliance.
Full responsibility to assess them belongs to the local system
administrator.
-----
There is no such note in Fedora ('rpm -qi ca-certificates').
Considering:
- the potential impact of this
- the fact that perhaps nobody reads this note
- most users don't even think about it
- the security focus of Qubes
- the philosophy of infrastructure distrust and securing of endpoints
would the Qubes project go an extra mile and possibly check the
certificates shipped with the OS (templates and dom0)?
Or at least show a warning to the user and a guide how to do it oneself?
I understand this is extra work and the package is update-able but
considering other packages are checked, perhaps this essential one
might be worth it.
What do you think?
Reply all
Reply to author
Forward
0 new messages