"Robin H. Johnson" <robbat2@g.o> posted
20070928001048.GD1606@××××××××××××××××××××××××.net, excerpted below, on
Thu, 27 Sep 2007 17:10:48 -0700:

> If there aren't too many AND we can get a dedicated IP for each of those
> services, I'd like to suggest the following, as an easily doable and
> low-overhead (in terms of Trustees/paperwork) solution:
>
> 1. On the services identified, get extra IPs, and use the free GoDaddy
> certs.
> 2. On other services use the Gentoo-CA approach.

There's probably a reason this won't work, since I've yet to see it
brought up here and it's not mentioned on the bug either, but hey, I
don't know said reason, and it's worth the shot...

Would it be possible to set up a gentoo-certs package, versioned like any
other, with USE flags if necessary for installing where various browsers,
etc. can see them?

The idea being, any time a certificate changes you create a new version
of gentoo-certs. "Security-clueless" users can simply be told about this
package, and should reasonably quickly get the idea of checking for an
upgrade any time they get a security warning. Certs in this package
would then be accepted by default, while allowing users the option of
installing the package or not, plus the possible USE flags, as well as
configuring their browser manually to reject the certs, if desired.

That would be easier in some ways and harder in others, than setting up a
full Gentoo-CA. However, Gentoo devs deal with packages every day, while
I doubt many deal with CA signing every day (umm... from the bug it looks
like a couple devs do... enough anyway if not every day), so it might be
more routine and thus easier for Gentoo to go the package route, even if
it's harder in the absolute.

I'd think "you need to merge or update this package" would suffice for
the "security-clueless", while the "security-clueful" already know the
deal, so no big deal for them, though it'd lessen the hassle factor for them
as well.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

-- 
gentoo-dev@g.o mailing list