Curtis Napier wrote:
> Yuri Vasilevski wrote:
>
>> Now, being a little bit less ideological, I think it is perfectly ok to
>> add certificates from some organizations like CACert.org that try to
>> make security free for all Internet users as well as open source
>> projects' certificates (like debian ones). But it should be up to
>> businesses to buy their way into openssl by means of this
>> "sponsoring".
>>
>> So my suggestion is to add root certificates only for not-for-profit
>> organizations. (For intermediate certificates that already have a root
>> certificate bundled with openssl it's ok in all cases.) Or at least don't
>> make it an RDEPEND but an einfo: "you may want to install X for Y reason".
>>
>>> this will inadvertently fix this fun bug:
>>> http://bugs.gentoo.org/101457
>>> and probably more in the future
>>
>> In this kind of case it is probably better to ask upstream to bug
>> their CA to "sponsor" openssl or use some free CA.
>>
>> Yuri.
>
> I was unaware that openssl worked that way, i.e. "sponsor in exchange for
> inclusion". This seems like a fair and honest way for them to raise
> funds, but it gives companies the ability to use openssl even if they don't
> sponsor. But *must* we honor that? Has anyone asked them?
>
> I agree with this point 1000000%: any organization that is free to the
> public should be included. But should we exclude the ones that are
> for-profit? I don't know, but I have some pros and cons about including it.
>
> It would be good PR for Gentoo to honor that funding scheme. Helping a
> fellow FOSS project in this way is just being "neighbourly" and will
> keep us out of slashdot. Plus it makes me feel warm and fuzzy inside.
> Don't include it at all, or make it optional with a USE flag.
>
> Good PR aside, including all the certificates is better for the user
> because they don't have to manually search for the certificate and
> install it. Not to mention the wget bug with realplayer. I don't know
> about anyone else, but when something Just Works(tm) I am happy. Install
> it by default or make it optional with a USE flag.
>
> Would it be best to make it into a USE flag so users have the choice,
> install it by default, or simply not offer it at all?
>
> Both sides should be happy with a USE flag IMHO. So long as it closes
> the wget bug I'm all for it.

Where do government organization certs fit in? I generally have to
manually install the Dept of Defense cert in most of my installs. They
don't care, but they also don't toss them out for free to projects.

Just playing Devil's Advocate.

--
Doug Goldstein <cardoe@g.o>
http://dev.gentoo.org/~cardoe/
--
gentoo-dev@g.o mailing list