Will removal of TrustCor trusted certs be something in the post, or is it down to the user to decide on this one?
I think the maintainer of
ca-certificates (Arch Linux - ca-certificates 20220905-1 (any)) will decide on this.
Or rather the people at Fedora from which Arch build their package: ca-certificates - Fedora Packages)
Well, that’s a rabbit-hole, it’s actually the people from Mozilla that decide who to trust: https://wiki.mozilla.org/CA
It is indeed the maintainer and he will usually rely on the upstream for the certificate trust-sources. But with the Arch ca-packages you can also act yourself pretty easily. For example:
# cp /etc/ca-certificates/extracted/cadir/TrustCor* /etc/ca-certificates/trust-source/blocklist/. # update-ca-trust
et voila, your browsers should now not accept said certificates anymore. Try by opening the companies homepage, for example.
edit: To clarify I changed above command from “move” to “copy”. The result is the same, because the blocklist is treated with higher priority. Certificates in the blocklist directory will remain untrusted, even if a package upgrade installs them again to the extracted dir.