From: Doug Goldstein <cardoe@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl
Date: Fri, 30 Dec 2005 23:47:47 -0500
Message-ID: <43B60D73.8090307@gentoo.org>
In-Reply-To: <43B60677.5090501@gentoo.org>
Curtis Napier wrote:
> Yuri Vasilevski wrote:
>
>> Now, being a little bit less ideological, I think it is perfectly ok to
>> add certificates from some organizations like CACert.org that try to
>> make security free for all Internet users as well as open source
>> projects' certificates (like debian ones). But it should be up to
>> businesses to buy their way into openssl by the means of this
>> "sponsoring".
>>
>> So my suggestion is to add root certificates only for not-for-profit
>> organizations. (For intermediate certificates that already have root
>> certificate bundled with openssl it is ok in all cases). Or at least don't
>> make it a RDEPEND but an einfo "you may want to install X for Y reason".
>>
>>
>>
>>> this will inadvertently fix this fun bug:
>>> http://bugs.gentoo.org/101457
>>> and probably more in the future
>>
>>
>>
>> In this kind of cases it is probably better to ask upstream to bug
>> their CA to "sponsor" openssl or use some free CA.
>>
>> Yuri.
>
>
> I was unaware that openssl worked that way, ie "sponsor in exchange for
> inclusion". This seems like a fair and honest way for them to raise
> funds but gives companies the ability to use openssl even if they don't
> sponsor. But *must* we honor that? Has anyone asked them?
>
> I agree with this point 1000000%: Any organization that is free to the
> public should be included. But should we exclude the ones that are
> for-profit? I don't know but I have some pros and cons about including it.
>
> It would be good PR for Gentoo to honor that funding scheme. Helping a
> fellow FOSS project in this way is just being "neighbourly" and will
> keep us out of slashdot. Plus it makes me feel warm and fuzzy inside.
> Don't include it at all or make it optional with a USE flag.
>
> Good PR aside including all the certificates is better for the user
> because they don't have to manually search for the certificate and
> install it. Not to mention the wget bug with realplayer. I don't know
> about anyone else but when something Just Works(tm) I am happy. Install
> it by default or make it optional with a USE flag.
>
> Would it be best to make it into a USE flag so users have the choice,
> install it by default or simply not offer it at all?
>
> Both sides should be happy with a USE flag IMHO. So long as it closes
> the wget bug I'm all for it.
Where do government organization Certs fit in? I generally have to
manually install the Dept of Defense Cert in most of my installs. They
don't care but they also don't toss them out for free to projects.
Just playing Devil's Advocate.
--
Doug Goldstein <cardoe@gentoo.org>
http://dev.gentoo.org/~cardoe/
--
gentoo-dev@gentoo.org mailing list