Date: Fri, 30 Dec 2005 20:59:40 -0600
From: Yuri Vasilevski
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl
Message-ID: <20051230205940.4903e1b7@edune.lan>
In-Reply-To: <200512301734.59151.vapier@gentoo.org>

Hi,

On Fri, 30 Dec 2005 17:34:59 -0500 Mike Frysinger wrote:
> just a heads up ...
> i'm going to be adding the ca-certificates package as a PDEPEND to the
> openssl package so most everyone in Gentoo will end up with it on their system
>
> for those wondering what this is:
> http://packages.debian.org/unstable/misc/ca-certificates
> basically it's additional certificates that aren't part of the default openssl
> distribution

I'm not so sure that this is a good idea, as adding CA root certificates is a way to make (good) money for some free projects and unfortunately for some non-free ones too. I'm not sure if openssl charges for certificate inclusion, but if it does this will interfere with the founding policies (and then development) of openssl.

Now, being a little bit less ideological, I think it is perfectly ok to add certificates from some organizations like CACert.org that try to make security free for all Internet users as well as open source projects' certificates (like debian ones). But it should be up to businesses to buy their way into openssl by the means of this "sponsoring".

So my suggestion is to add root certificates only for non-profit organizations. (For intermediate certificates that already have root certificate bundled with openssl it is ok in all cases.)

Or at least don't make it a RDEPEND but an einfo "you may want to install X for Y reason".

> this will inadvertently fix this fun bug:
> http://bugs.gentoo.org/101457
> and probably more in the future

In this kind of case it is probably better to ask upstream to bug their CA to "sponsor" openssl or use some free CA.

Yuri.