| 1 |
Curtis Napier wrote: |
| 2 |
> Yuri Vasilevski wrote: |
| 3 |
> |
| 4 |
>> Now, being a little bit less ideological, I think it is perfectly ok to |
| 5 |
>> add certificates from some organizations like CACert.org that try to |
| 6 |
>> make security free for all Internet users as well as open source |
| 7 |
>> projects' certificates (like debian ones). But it should be up to |
| 8 |
>> businesses to buy they're way into openssl by the means of this |
| 9 |
>> "sponsoring". |
| 10 |
>> |
| 11 |
>> So my suggestions is to add root certificates only for non for profit |
| 12 |
>> organizations. (For intermediate certificates that already have root |
| 13 |
>> certificate bundled with openssl it ok in all cases). Or at last don't |
| 14 |
>> make it a RDEPEND but an einfo "you may want to intall X for Y reason". |
| 15 |
>> |
| 16 |
>> |
| 17 |
>> |
| 18 |
>>> this will inadvertently fix this fun bug: |
| 19 |
>>> http://bugs.gentoo.org/101457 |
| 20 |
>>> and probably more in the future |
| 21 |
>> |
| 22 |
>> |
| 23 |
>> |
| 24 |
>> In this king of cases it is probably better to ask upstream to bug |
| 25 |
>> they're CA to "sponsor" openssl or use some free CA. |
| 26 |
>> |
| 27 |
>> Yuri. |
| 28 |
> |
| 29 |
> |
| 30 |
> I was unaware that openssl worked that way, ie "sponsor in exchange for |
| 31 |
> inclusion". This seems like a fair and honest way for them to raise |
| 32 |
> funds but gives companies the ability to use openssl even if they don't |
| 33 |
> sponsor. But *must* we honor that? Has anyone asked them? |
| 34 |
> |
| 35 |
> I agree with this point 1000000%: Any organization that is free to the |
| 36 |
> public should be included. But should we exclude the ones that are |
| 37 |
> for-profit? I don't know but I have some pros and cons about including it. |
| 38 |
> |
| 39 |
> It would be good PR for Gentoo to honor that funding scheme. Helping a |
| 40 |
> fellow FOSS project in this way is just being "neighbourly" and will |
| 41 |
> keep us out of slashdot. Plus it makes me feel warm and fuzzy inside. |
| 42 |
> Don't include it at all or make it optional with a USE flag. |
| 43 |
> |
| 44 |
> Good PR aside including all the certificates is better for the user |
| 45 |
> because they don't have to manually search for the certificate and |
| 46 |
> install it. Not to mention the wget bug with realplayer. I don't know |
| 47 |
> about anyone else but when something Just Works(tm) I am happy. Install |
| 48 |
> it by default or make it optional with a USE flag. |
| 49 |
> |
| 50 |
> Would it be best to make it into a USE flag so users have the choice, |
| 51 |
> install it by default or simply not offer it at all? |
| 52 |
> |
| 53 |
> Both sides should be happy with a USE flag IMHO. So long as it closes |
| 54 |
> the wget bug I'm all for it. |
| 55 |
|
| 56 |
Where do government organization Certs fit in? I generally have to |
| 57 |
manually install the Dept of Defense Cert in most of my installs. They |
| 58 |
don't care but they also don't toss them out for free to projects. |
| 59 |
|
| 60 |
Just playing Devil's Advocate. |
| 61 |
|
| 62 |
|
| 63 |
-- |
| 64 |
Doug Goldstein <cardoe@g.o> |
| 65 |
http://dev.gentoo.org/~cardoe/ |
| 66 |
-- |
| 67 |
gentoo-dev@g.o mailing list |
Archives