cacerts bundled with OpenJDK

Donald Smith donald.smith at
Fri Jun 1 12:47:21 UTC 2012

I don't know if it's a case that I know too much about the world of CAs, 
and am scared about what this would mean; or if it's a case I don't know 
enough, so I'm scared about what this would mean. :)

I'm not convinced it would help avoid duplication.  In many cases CAs 
won't be wanted or needed, and I believe in most cases where CAs are 
wanted by packagers (your case notwithstanding) they'll be wanting it 
from the OS perspective, or using their own corporate certs.

You use Mozilla as an example (which I see more as a consumer/end user 
product than most OSS).  To which I would counter example with OpenSSL -

I would be interested in hearing other opinions.

  - Don

On 01/06/2012 3:20 AM, Henri Gomez wrote:
>> Disclaimer that I haven't read the thread to which you're referring.
>> I think a key difference between Mozilla and OpenJDK is that Mozilla
>> distributes packaged products to end users whereas OpenJDK is a
>> collaboration of platform providers at the source code level.  Whereas
>> cacerts are fundamentally a packaged product thing, and not entirely
>> necessary, and fundamentally tied to whoever is distributing the binary, I
>> don't think it would or should apply.  Whereas Mozilla is shipping product
>> almost exclusively to end users in the form of Firefox, Thunderbird, etc,
>> then I can understand why they would maintain certs with the products.
> Yep.
> Providing a default cacerts in OpenJDK with a set of well-known ROOT
> CAs would help packagers avoiding duplicate works on all
> distributions.
> I guess there is some packagers here, at least Andrew Hughes, what do
> you think about this ?

More information about the discuss mailing list