> i read in the debian discussion i think, that the root distribution
> license for cacert could be considered unfree though it looked ok to
> me. the only weird thing is that it has an announcement clause which i
> think could be fulfilled in the post_install hook.

The discussion is probably [0], about [1]. The announcement clause is imo not a problem: it refers only to "Embedded" certificates, i.e. "within a software application or hardware system" which "is distributed in binary form only". The bigger issue is a use restriction caused by the definition of "RELY".

I think it should be safe to assume that mostly random and unoriginal works like TLS certificates cannot be copyrighted, so we don't have to obey that license.

> what do you think? should we unblacklist ca-certificates and provide
> cacert-dot-org in our base bundle (as a dependency for pacman?)?

I think only some of these solutions are acceptable:

1. Drop HTTPS use, add a news post asking users to change their mirrorlists to use HTTP.
2. Include the CAcert certificates in a package in base, write a news post asking users to upgrade/install it.
3. Get certificates from a CA included in Mozilla's ca-certificates.

All are bad, 2 is probably least bad.

> if you know of a gratis certificate authority that's also included in
> ca-certificates and allows for wildcard cert please let me know. for
> instance, we have a single certificate for *.parabola.nu that covers any
> subdomain.

I don't know any (startssl.com has no gratis revocation [2], their wildcard certificates require money and multiple ID documents).

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687693
[1] https://www.cacert.org/policy/RootDistributionLicense.php
[2] https://www.mirbsd.org/permalinks/wlog-10_e20140409-tg.htm

_______________________________________________ Dev mailing list [email protected] https://lists.parabolagnulinux.org/mailman/listinfo/dev
