Gentoo Archives: gentoo-dev

From: Kalin KOZHUHAROV <kalin@××××××××.net>
To: gentoo-dev@l.g.o
Cc: security@g.o
Subject: Re: [gentoo-dev] Re: ca-certificates PDEPEND
Date: Mon, 09 Jan 2006 16:29:42
Message-Id: 43C28DC7.8070500@thinrope.net
In Reply to: [gentoo-dev] Re: ca-certificates PDEPEND by Andrea Barisani
Andrea Barisani wrote:
> On Mon, Jan 09, 2006 at 11:08:38AM -0500, solar wrote:
>
>>On Mon, 2006-01-09 at 16:55 +0100, Andrea Barisani wrote:
>>
>>>Regarding the inclusion of ca-certificates as a PDEPEND (yeah a brief
>>>exchange of emails already happened on -dev but since it's not so easy to
>>>track it I'm lagging behind on this) I would like to express that I really
>>>don't like the fact that we are "trusting" cacert.org certs (among others)
>>>without providing it as a choice.
>>>
>>>Despite all the political views that we can throw in favour of a "cacert.org
>>>are trying to make the SSL certs world less evil" argument this is some major
>>>policy that we are supporting and it shouldn't be taken that lightly (I don't
>>>remember such a major confrontation about this) and I really don't think this
>>>should be a default policy but rather user's choice. Technically cacert.org
>>>is not a recognized CA in the "proper" way (and don't point that a proper CA
>>>is a lame concept and a snake oil thing..this is not the point).
>>
>>>[CCing security@g.o because this concerns the team as well imho.]
>>>
>>>Just my 2 eurocent.
>>>
>>>P.S.
>>>I know that firefox doesn't trust /etc/ssl/certs by default, dunno about
>>>konqueror. The point is still relevant though.
>>
>>
>>Do you think the PDEPEND of the ca-certs should be tied to a USE= flag?
>>If so should it be a 'no*certs' flag or a USE=cacerts ?
>
>
> USE=cacerts sounds the proper course of action to me.

I was just `emerge world -vDatu --newuse` on some ~x86 boxen and I saw the new (at least to me)
cacert ebuild getting pulled. Although, I support cacert.org and use it occasionally, I also think
making it the default is a bit too quick for now. Making it a useflag might be better.

Are there any other packages like cacert now? Didn't see any, but time will tell.
Might be a better solution to have a more general ebuild that installs CA certs and it will have
different (local) useflags.

Just my 2 non-dev Japanese yen :-)

Kalin.
--
|[ ~~~~~~~~~~~~~~~~~~~~~~ ]|
+-> http://ThinRope.net/ <-+
|[ ______________________ ]|
--
gentoo-dev@g.o mailing list