Re: [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl

[Yuri Vasilevski <yuri@ciencias.unam.mx>]

Hi,

On Fri, 30 Dec 2005 17:34:59 -0500
Mike Frysinger <vapier@gentoo.org> wrote:

> just a heads up ... i'm going to be adding the ca-certificates package as a 
> PDEPEND to the openssl package so most everyone in Gentoo will end up with it 
> on their system
> 
> for those wondering what this is:
> http://packages.debian.org/unstable/misc/ca-certificates
> basically it's additional certificates that arent part of the default openssl 
> distribution

I'm not so sure that this is a good idea, as adding CA root
certificates is a way to make (good) money for some free projects and
unfortunately for some non free ones too. I'm not sure if openssl
charges certificate inclusion, but if it does this will interfere with
the founding policies (and then development) of openssl.

Now, being a little bit less ideological, I think it is perfectly ok to
add certificates from some organizations like CACert.org that try to
make security free for all Internet users as well as open source
projects' certificates (like debian ones). But it should be up to
businesses to buy they're way into openssl by the means of this
"sponsoring".

So my suggestions is to add root certificates only for non for profit
organizations. (For intermediate certificates that already have root
certificate bundled with openssl it ok in all cases). Or at last don't
make it a RDEPEND but an einfo "you may want to intall X for Y reason".


> this will inadvertently fix this fun bug:
> http://bugs.gentoo.org/101457
> and probably more in the future

In this king of cases it is probably better to ask upstream to bug
they're CA to "sponsor" openssl or use some free CA.

Yuri.
-- 
gentoo-dev@gentoo.org mailing list