I took yesterday away from b.d.o after re-reading several of the last
bug reports that concern CAcert. I had planned to take a few more
days, focus on $WORK, and write something at length, but I'll post a
few thoughts.

I followed the thought that the CAcert root distribution license should
be ignored and closed #687693. That action was primarily to preserve
the status quo. I remain unconvinced that that decision was actually
correct, from a legal perspective, as I stated in #718434, and legal
ambiguity was one of my decision points in removal. There are other
open source projects that have deemed CAcert as non-free, and my own
research for that bug continues to lead me to believe that distribution
of their roots falls under a non-free license. Every time I looked at
the source of the ca-certificates package, the fact that I was
consciously ignoring a non-free license did not feel right. Ubuntu
deemed the questionable nature of CAcert inclusion enough to patch
CAcert out of ca-certificates and nss in their distribution, prior to
this action in Debian. Ubuntu's removal prompted me to finally make a
decision and not keep sitting on my questions of what to do. I see
Ubuntu users as Debian users, so a very large group of Debian users
already had CAcert removed from their systems.

1. Debian will remain 100% free
3. We will not hide problems
5. Works that do not meet our free software standards (non-free)

By CAcert's own documentation, they cannot pass their own audits.
IanG's background with CAcert, and his post to #718434, encapsulate
the quandaries with including CAcert in Debian better than I can state
myself. I do not have the time to audit CAs, nor do I think that would
be a valuable way to spend my time. I must rely on someone or an
organization that has defined practices to accomplish a level of trust
for the contents of the ca-certificates package. That organization
could be Microsoft and we could include their CA bundle, but that
isn't possible and probably isn't free. The same could be said for
Apple, Google, or some other browser vendor that maintains a CA trust
list. The best option for a CA trust bundle, currently, for the open
source community is Mozilla, so Debian has chosen to narrow the scope
of included CAs in #647848 by way of trusting that Mozilla is doing
their best to vet CAs by way of inclusion and audit policies. There
were two noted exceptions at that time, CAcert (by way of status quo)
and SPI, a Debian-trusted organization. I have been actively
questioning the life of the SPI root certificate in ca-certificates, as
well, since again, I am not an auditor.

I believe CAcert is an interesting and valuable project and I hope it
succeeds in the long run - I have never questioned this.

I empathize with CAcert users, and this has been an extremely difficult
year-long decision. People are understandably upset at removal - I get
it. I have also received a tremendous amount of support that removal
was the correct thing to do. As the ca-certificates package
maintainer, I stand by this decision as the correct one for Debian
users. There cannot be a grey area with regard to open source
licensing.

I believe I'm a very reasonable person, but I'm also a fallible human.
I'm a volunteer doing my best to maintain an important package for
Debian users, basing my decisions on the Social Contract and DFSG. I
currently believe that CAcert is non-free for redistribution, based on
their license. I believe my ignoring the CAcert RDL was not the right
thing to do.

There would be nothing keeping someone from creating/maintaining a
separate non-free package for their root certificates. Since they are
non-free, they would not be able to be contained in ca-certificates in
main. In my opinion, CAcert should change their licensing, if they
wish distributions to redistribute their root certificates. If someone
wants to do the legal legwork to prove, beyond a shadow of doubt, that
the current CAcert RDL status quo is DFSG, please do so. I will be
happy to read that legal opinion and consider our options. If CAcert
continues work on their internal audits and gets to a state of passing
their own audit guidelines, that would be a fantastic indicator that
the project is viable and trustworthy by their own standards. I would
enjoy reading about this and consider our options. If CAcert is
included in the Mozilla certdata.txt, it will be included in Debian
ASAP, as this is our current inclusion policy.

-- 
Warm regards,
Michael Shuler

