public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl
@ 2005-12-30 22:34 Mike Frysinger
  2005-12-31  2:59 ` Yuri Vasilevski
  0 siblings, 1 reply; 5+ messages in thread
From: Mike Frysinger @ 2005-12-30 22:34 UTC (permalink / raw
  To: gentoo-dev

just a heads up ... i'm going to be adding the ca-certificates package as a 
PDEPEND to the openssl package so most everyone in Gentoo will end up with it 
on their system

for those wondering what this is:
http://packages.debian.org/unstable/misc/ca-certificates
basically it's additional certificates that arent part of the default openssl 
distribution

for those who may bitch about "bloating":
$ qsize app-misc/ca-certificates
app-misc/ca-certificates-20050804: 107 files, 17 non-files, 159.920 KB

this will inadvertently fix this fun bug:
http://bugs.gentoo.org/101457
and probably more in the future
-mike
-- 
gentoo-dev@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl
  2005-12-30 22:34 [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl Mike Frysinger
@ 2005-12-31  2:59 ` Yuri Vasilevski
  2005-12-31  4:17   ` Curtis Napier
  0 siblings, 1 reply; 5+ messages in thread
From: Yuri Vasilevski @ 2005-12-31  2:59 UTC (permalink / raw
  To: gentoo-dev

Hi,

On Fri, 30 Dec 2005 17:34:59 -0500
Mike Frysinger <vapier@gentoo.org> wrote:

> just a heads up ... i'm going to be adding the ca-certificates package as a 
> PDEPEND to the openssl package so most everyone in Gentoo will end up with it 
> on their system
> 
> for those wondering what this is:
> http://packages.debian.org/unstable/misc/ca-certificates
> basically it's additional certificates that arent part of the default openssl 
> distribution

I'm not so sure that this is a good idea, as adding CA root
certificates is a way to make (good) money for some free projects and
unfortunately for some non free ones too. I'm not sure if openssl
charges certificate inclusion, but if it does this will interfere with
the founding policies (and then development) of openssl.

Now, being a little bit less ideological, I think it is perfectly ok to
add certificates from some organizations like CACert.org that try to
make security free for all Internet users as well as open source
projects' certificates (like debian ones). But it should be up to
businesses to buy they're way into openssl by the means of this
"sponsoring".

So my suggestions is to add root certificates only for non for profit
organizations. (For intermediate certificates that already have root
certificate bundled with openssl it ok in all cases). Or at last don't
make it a RDEPEND but an einfo "you may want to intall X for Y reason".


> this will inadvertently fix this fun bug:
> http://bugs.gentoo.org/101457
> and probably more in the future

In this king of cases it is probably better to ask upstream to bug
they're CA to "sponsor" openssl or use some free CA.

Yuri.
-- 
gentoo-dev@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl
  2005-12-31  2:59 ` Yuri Vasilevski
@ 2005-12-31  4:17   ` Curtis Napier
  2005-12-31  4:38     ` Mike Frysinger
  2005-12-31  4:47     ` Doug Goldstein
  0 siblings, 2 replies; 5+ messages in thread
From: Curtis Napier @ 2005-12-31  4:17 UTC (permalink / raw
  To: gentoo-dev

Yuri Vasilevski wrote:
> Now, being a little bit less ideological, I think it is perfectly ok to
> add certificates from some organizations like CACert.org that try to
> make security free for all Internet users as well as open source
> projects' certificates (like debian ones). But it should be up to
> businesses to buy they're way into openssl by the means of this
> "sponsoring".
> 
> So my suggestions is to add root certificates only for non for profit
> organizations. (For intermediate certificates that already have root
> certificate bundled with openssl it ok in all cases). Or at last don't
> make it a RDEPEND but an einfo "you may want to intall X for Y reason".
> 
> 
> 
>>this will inadvertently fix this fun bug:
>>http://bugs.gentoo.org/101457
>>and probably more in the future
> 
> 
> In this king of cases it is probably better to ask upstream to bug
> they're CA to "sponsor" openssl or use some free CA.
> 
> Yuri.

I was unaware that openssl worked that way, ie "sponsor in exchange for 
inclusion". This seems like a fair and honest way for them to raise 
funds but gives companies the ability to use openssl even if they don't 
sponsor. But *must* we honor that? Has anyone asked them?

I agree with this point 1000000%: Any organization that is free to the 
public should be included. But should we exclude the ones that are 
for-profit? I don't know but I have some pros and cons about including it.

It would be good PR for Gentoo to honor that funding scheme. Helping a 
fellow FOSS project in this way is just being "neighbourly" and will 
keep us out of slashdot. Plus it makes me feel warm and fuzzy inside. 
Don't include it at all or make it optional with a USE flag.

Good PR aside including all the certificates is better for the user 
because they don't have to manually search for the certificate and 
install it. Not to mention the wget bug with realplayer. I don't know 
about anyone else but when something Just Works(tm) I am happy. Install 
it by default or make it optional with a USE flag.

Would it be best to make it into a USE flag so users have the choice, 
install it by default or simply not offer it at all?

Both sides should be happy with a USE flag IMHO. So long as it closes 
the wget bug I'm all for it.
-- 
gentoo-dev@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl
  2005-12-31  4:17   ` Curtis Napier
@ 2005-12-31  4:38     ` Mike Frysinger
  2005-12-31  4:47     ` Doug Goldstein
  1 sibling, 0 replies; 5+ messages in thread
From: Mike Frysinger @ 2005-12-31  4:38 UTC (permalink / raw
  To: gentoo-dev

On Friday 30 December 2005 23:17, Curtis Napier wrote:
> Would it be best to make it into a USE flag so users have the choice,
> install it by default or simply not offer it at all?
>
> Both sides should be happy with a USE flag IMHO. So long as it closes
> the wget bug I'm all for it.

a USE flag is pointless, it has the same effect as having the user emerge the 
ca-certs package itself
-mike
-- 
gentoo-dev@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl
  2005-12-31  4:17   ` Curtis Napier
  2005-12-31  4:38     ` Mike Frysinger
@ 2005-12-31  4:47     ` Doug Goldstein
  1 sibling, 0 replies; 5+ messages in thread
From: Doug Goldstein @ 2005-12-31  4:47 UTC (permalink / raw
  To: gentoo-dev

Curtis Napier wrote:
> Yuri Vasilevski wrote:
> 
>> Now, being a little bit less ideological, I think it is perfectly ok to
>> add certificates from some organizations like CACert.org that try to
>> make security free for all Internet users as well as open source
>> projects' certificates (like debian ones). But it should be up to
>> businesses to buy they're way into openssl by the means of this
>> "sponsoring".
>>
>> So my suggestions is to add root certificates only for non for profit
>> organizations. (For intermediate certificates that already have root
>> certificate bundled with openssl it ok in all cases). Or at last don't
>> make it a RDEPEND but an einfo "you may want to intall X for Y reason".
>>
>>
>>
>>> this will inadvertently fix this fun bug:
>>> http://bugs.gentoo.org/101457
>>> and probably more in the future
>>
>>
>>
>> In this king of cases it is probably better to ask upstream to bug
>> they're CA to "sponsor" openssl or use some free CA.
>>
>> Yuri.
> 
> 
> I was unaware that openssl worked that way, ie "sponsor in exchange for
> inclusion". This seems like a fair and honest way for them to raise
> funds but gives companies the ability to use openssl even if they don't
> sponsor. But *must* we honor that? Has anyone asked them?
> 
> I agree with this point 1000000%: Any organization that is free to the
> public should be included. But should we exclude the ones that are
> for-profit? I don't know but I have some pros and cons about including it.
> 
> It would be good PR for Gentoo to honor that funding scheme. Helping a
> fellow FOSS project in this way is just being "neighbourly" and will
> keep us out of slashdot. Plus it makes me feel warm and fuzzy inside.
> Don't include it at all or make it optional with a USE flag.
> 
> Good PR aside including all the certificates is better for the user
> because they don't have to manually search for the certificate and
> install it. Not to mention the wget bug with realplayer. I don't know
> about anyone else but when something Just Works(tm) I am happy. Install
> it by default or make it optional with a USE flag.
> 
> Would it be best to make it into a USE flag so users have the choice,
> install it by default or simply not offer it at all?
> 
> Both sides should be happy with a USE flag IMHO. So long as it closes
> the wget bug I'm all for it.

Where do government organization Certs fit in? I generally have to
manually install the Dept of Defense Cert in most of my installs. They
don't care but they also don't toss them out for free to projects.

Just playing Devil's Advocate.


-- 
Doug Goldstein <cardoe@gentoo.org>
http://dev.gentoo.org/~cardoe/
-- 
gentoo-dev@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2005-12-31  4:50 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-12-30 22:34 [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl Mike Frysinger
2005-12-31  2:59 ` Yuri Vasilevski
2005-12-31  4:17   ` Curtis Napier
2005-12-31  4:38     ` Mike Frysinger
2005-12-31  4:47     ` Doug Goldstein

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox