How are the CA certificates obtained?

[brycefisher]

I'd love to understand:

1. Where these certificates came from?
2. How they can be verified against a remote checksum? (Or other cryptographic verification system)
3. How frequently this list will be updated?
4. If revocations are taken into consideration in this list?

Thanks! This project is much appreciated.

[broady]

@brycefisher good questions. I had the same questions, so I made broady/cacerts, since centurylink/ca-certs looks pretty dead, which is rather dangerous.

For mine,
1: from Debian's ca-certificates package
2: verified by GPG signing, but the image built by me isn't signed. Copy the source and build your own if you are concerned about my/dockerhub's integrity. I can sign (via keybase.io) something if you'd like.
3+4: no plans yet. How does Debian handle that?

[brycefisher]

Awesome! Thanks so much, @broady

cc @thomshutt @geneticgenesis @stuarthicks

[stuarthicks]

@broady @brycefisher Thanks! I like that approach, makes it really clear to see where the certs came from (and is reproducible). 👍