First, thanks for this detailed post. It really helps to go forward. (And you might know me well enough by now to know that I mean the "thanks" truthfully.)

On Tue, 1 Apr 2014 at 16:01, Michael Shuler wrote:
> I followed the thought that the CAcert root distribution license should
> be ignored and closed #687693. That action was primarily to preserve
> the status quo. I remain unconvinced that that decision was actually
> correct, from a legal perspective, as I stated in #718434, and legal
> ambiguity was one of my decision points in removal. There are other
> open source projects that have deemed CAcert as non-free, and my own
> research for that bug continues to lead me to believe that distribution
> of their roots falls under a non-free license. Every time I looked at
> the source of the ca-certificates package, the fact that I was
> consciously ignoring a non-free licence did not feel right. Ubuntu
> deemed the questionable nature of CAcert inclusion enough to patch
> CAcert out of ca-certificates and nss in their distribution, prior to
> this action in Debian. Ubuntu's removal prompted me to finally make a
> decision and not keep sitting on my questions of what to do. I see
> Ubuntu users as Debian users, so a very large group of Debian users
> already had CAcert removed from their systems.
>
> 1. Debian will remain 100% free
> 3. We will not hide problems
> 5. Works that do not meet our free software standards (non-free)

I am not a lawyer, but I think that the license of CAcert is not more or less compatible with inclusion in Debian than any other license. Moreover, with other CAs it is not possible to talk about changing their license, but with CAcert we can, can't we?

> By CAcert's own documentation, they cannot pass their own audits.
> IanG's background with CAcert, and his post to #718434, encapsulate
> the quandaries with including CAcert in Debian better than I can state
> myself.

I did not question this. The problem is that CAcert is the only CA that could be audited. With this knowledge in mind I would suggest just changing the state from "default enabled" to "default disabled". This would do no harm to existing systems and give the admin the way to enable it.

> I do not have the time to audit CAs, nor do I think that would be a
> valuable way to spend my time.

Yes, I think the same. But just looking at the leaks that came out in the last months, there would be much more urgent candidates for a removal. Again, I would still include them, but disabled by default => no harm for existing systems but increased security for new systems.

> I must rely on someone or an organization that has defined practices
> to accomplish a level of trust for the contents of the ca-certificates
> package. That organization could be Microsoft and we could include
> their CA bundle, but that isn't possible and probably isn't free..
> The same could be said for Apple, Google, or some other browser vendor
> that maintains a CA trust list. The best option for a CA trust bundle,
> currently, for the open source community is Mozilla, so Debian has
> chosen to narrow the scope of included CAs in #647848 by way of
> trusting that Mozilla is doing their best to vet CAs by way of
> inclusion and audit policies.

I (personally) do not trust Mozilla more than any other big browser company. The inclusion of CAs in Mozilla is also a matter of money, just as in other browsers. And the fact that they failed is shown by the fact that such CAs as Turktrust or CNNIC or Verisign are in that list. (Ok, Verisign for Mozilla means too big to fail.)

> I believe CAcert is an interesting and valuable project and I hope it
> succeeds in the long run -

I have never questioned this.

> I empathize with CAcert users, and this has been an extremely difficult
> year-long decision. People are understandably upset at removal - I get
> it. I have also received a tremendous amount of support that removal
> was the correct thing to do. As the ca-certificates package
> maintainer, I stand by this decision as the correct one for Debian
> users. There cannot be a grey area with regard to open source
> licensing.

See above ...

> I believe I'm a very reasonable person, but I'm also a fallible human.

I believe that, and I am sorry if my posts might have appeared to question that. It was never my goal to question you as a person. What I did, and what I do stand behind, is that the decision to remove the cert was really, really wrong. But just a question: how do you think to act with all the other unfree certificates? I think, from this point of view, all certificates have to be removed, or at least most of them.

> In my opinion, CAcert should change their licensing, if they wish
> distributions to redistribute their root certificates.

Did you contact them to ask? I would believe that they would be willing to do so.

> If CAcert continues work on their internal audits and gets to a state
> of passing their own audit guidelines, that would be a fantastic
> indicator that the project is viable and trustworthy by their own
> standards. I would enjoy reading about this and consider our options.

Well, and that's the good point behind all this: they are moving now.

> If CAcert is included in the Mozilla certdata.txt,

That would possibly never happen, as CAcert cannot spend all the money it costs to get into the Mozilla keyring.

> it will be included in Debian ASAP, as this is our current inclusion
> policy.

Debian should be independent from Mozilla. There is no need to just run behind them without using one's own brain.
Regards
Klaus

--
Klaus Ethgen                            http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <[email protected]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
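As an added illustration of the "shipped but disabled by default" state proposed in the mail above (this is example code, not from the original mail or from the ca-certificates package), the following POSIX shell snippet works on a constructed copy of Debian's /etc/ca-certificates.conf, where a leading "!" deselects a CA and update-ca-certificates then leaves it out of the generated bundle; the certificate file names are assumed.

```shell
#!/bin/sh
# Added example: toggle CAs in a Debian-style ca-certificates.conf.
# Format (per Debian's ca-certificates): one certificate path per line,
# "#" starts a comment, a leading "!" deselects that CA. After editing the
# real /etc/ca-certificates.conf, `update-ca-certificates` rebuilds the
# bundle and deselected CAs are left out of /etc/ssl/certs.

# Write a constructed sample config to a temp file and print its path.
# The certificate file names are assumed for illustration.
make_sample_conf() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# constructed sample of /etc/ca-certificates.conf
mozilla/Example_Root_CA.crt
cacert.org/cacert.org_root.crt
cacert.org/cacert.org_class3.crt
EOF
    echo "$f"
}

# Print the selected (enabled) certificate paths: no "#", no leading "!".
list_enabled() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^!' | grep -v '^[[:space:]]*$'
}

count_enabled() { list_enabled "$1" | grep -c . ; }

# Deselect every CA whose path starts with $2 ("cacert.org/" deselects all
# CAcert roots). Idempotent: lines already prefixed with "!" are untouched.
disable_prefix() {
    tmp="$(mktemp)"
    sed "s|^$2|!$2|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Re-enable: what an admin who wants CAcert would do before running
# update-ca-certificates again.
enable_prefix() {
    tmp="$(mktemp)"
    sed "s|^!$2|$2|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone demo: ship with CAcert present but deselected.
demo_conf="$(make_sample_conf)"
disable_prefix "$demo_conf" "cacert.org/"
echo "enabled after default-disable:"
list_enabled "$demo_conf"
rm -f "$demo_conf"
```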

