[gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl

2005-12-30 Thread Mike Frysinger
just a heads up ... i'm going to be adding the ca-certificates package as a 
PDEPEND to the openssl package so most everyone in Gentoo will end up with it 
on their system

for those wondering what this is:
http://packages.debian.org/unstable/misc/ca-certificates
basically it's additional certificates that aren't part of the default openssl 
distribution

for those who may bitch about bloating:
$ qsize app-misc/ca-certificates
app-misc/ca-certificates-20050804: 107 files, 17 non-files, 159.920 KB

this will inadvertently fix this fun bug:
http://bugs.gentoo.org/101457
and probably more in the future
-mike
-- 
gentoo-dev@gentoo.org mailing list
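An added example, not part of the thread and not code from the ca-certificates or openssl packages, showing the mechanism behind the kind of bug Mike refers to: a certificate signed by a CA that is not in the local trust store fails `openssl verify`, and passes once the issuing root is in a bundle file (what `-CAfile` points at) or in a hashed directory (how ca-certificates lays out /etc/ssl/certs). It assumes the `openssl` command line (1.1 or newer) is installed; the CA names and hostname are made up and every certificate is generated on the fly.

```shell
#!/bin/sh
# Added example (not from the thread): mint a throwaway root CA, a leaf cert
# signed by it and one unrelated root, then run `openssl verify` against
# different trust stores. Assumes the `openssl` CLI (1.1+). Every cert and
# name below is constructed for the demo; no real CA is involved.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA with CN "$1", written to $WORK/$2.key and $WORK/$2.pem.
mint_root() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -sha256 -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Build: root -> leaf, an unrelated root, a bundle file holding both roots,
# and a hashed -CApath directory (<subject-hash>.0 links, as c_rehash makes).
make_chain() {
    mint_root "Throwaway Test Root" root
    mint_root "Some Other Test Root" unrelated
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
    # A CA bundle is nothing more than PEM certificates concatenated.
    cat "$WORK/unrelated.pem" "$WORK/root.pem" > "$WORK/bundle.pem"
    mkdir -p "$WORK/certs"
    for c in root unrelated; do
        h="$(openssl x509 -noout -hash -in "$WORK/$c.pem")"
        ln -sf "$WORK/$c.pem" "$WORK/certs/$h.0"
    done
}

# Verify the leaf with extra openssl arguments "$@"; print ok/fail based on
# the output line, since old releases exited 0 even on a failed verify.
verify_leaf() {
    if openssl verify "$@" "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# The cases the thread is about.
verify_no_bundle()       { verify_leaf; }                              # only the system store, which lacks our root
verify_wrong_bundle()    { verify_leaf -CAfile "$WORK/unrelated.pem"; } # a store with roots, but not the issuer
verify_with_bundle()     { verify_leaf -CAfile "$WORK/bundle.pem"; }    # issuer present in a bundle file
verify_with_hashed_dir() { verify_leaf -CApath "$WORK/certs"; }        # issuer present in a hashed directory

# Stand-alone run: `sh this.sh run`
if [ "${1:-}" = "run" ]; then
    make_chain
    printf 'no bundle:       %s\n' "$(verify_no_bundle)"
    printf 'wrong root only: %s\n' "$(verify_wrong_bundle)"
    printf 'bundle file:     %s\n' "$(verify_with_bundle)"
    printf 'hashed dir:      %s\n' "$(verify_with_hashed_dir)"
fi
```

The first two cases are the situation a tool like wget is in when the server's CA is missing from the store: the chain is intact, only the trust anchor is absent. The last two are what installing a bundle changes, whether the bundle is a single concatenated file or the hash-named directory that OpenSSL's `-CApath` lookup expects.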



Re: [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl

2005-12-30 Thread Yuri Vasilevski
Hi,

On Fri, 30 Dec 2005 17:34:59 -0500
Mike Frysinger [EMAIL PROTECTED] wrote:

> just a heads up ... i'm going to be adding the ca-certificates package as a 
> PDEPEND to the openssl package so most everyone in Gentoo will end up with it 
> on their system
>
> for those wondering what this is:
> http://packages.debian.org/unstable/misc/ca-certificates
> basically it's additional certificates that aren't part of the default openssl 
> distribution

I'm not so sure that this is a good idea, as adding CA root
certificates is a way to make (good) money for some free projects and
unfortunately for some non-free ones too. I'm not sure if openssl
charges for certificate inclusion, but if it does this will interfere with
the funding policies (and then development) of openssl.

Now, being a little bit less ideological, I think it is perfectly ok to
add certificates from some organizations like CACert.org that try to
make security free for all Internet users, as well as open source
projects' certificates (like the Debian ones). But it should be up to
businesses to buy their way into openssl by means of this
sponsoring.

So my suggestion is to add root certificates only for not-for-profit
organizations. (For intermediate certificates that already have a root
certificate bundled with openssl, it's ok in all cases.) Or at least don't
make it an RDEPEND but an einfo: "you may want to install X for Y reason".


> this will inadvertently fix this fun bug:
> http://bugs.gentoo.org/101457
> and probably more in the future

In this kind of case it is probably better to ask upstream to bug
their CA to sponsor openssl or to use some free CA.

Yuri.



Re: [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl

2005-12-30 Thread Curtis Napier

Yuri Vasilevski wrote:

> Now, being a little bit less ideological, I think it is perfectly ok to
> add certificates from some organizations like CACert.org that try to
> make security free for all Internet users, as well as open source
> projects' certificates (like the Debian ones). But it should be up to
> businesses to buy their way into openssl by means of this
> sponsoring.
>
> So my suggestion is to add root certificates only for not-for-profit
> organizations. (For intermediate certificates that already have a root
> certificate bundled with openssl, it's ok in all cases.) Or at least don't
> make it an RDEPEND but an einfo: "you may want to install X for Y reason".
>
>> this will inadvertently fix this fun bug:
>> http://bugs.gentoo.org/101457
>> and probably more in the future
>
> In this kind of case it is probably better to ask upstream to bug
> their CA to sponsor openssl or to use some free CA.
>
> Yuri.


I was unaware that openssl worked that way, i.e. sponsor in exchange for 
inclusion. This seems like a fair and honest way for them to raise 
funds but gives companies the ability to use openssl even if they don't 
sponsor. But *must* we honor that? Has anyone asked them?


I agree with this point 100%: Any organization that is free to the 
public should be included. But should we exclude the ones that are 
for-profit? I don't know but I have some pros and cons about including it.


It would be good PR for Gentoo to honor that funding scheme. Helping a 
fellow FOSS project in this way is just being neighbourly and will 
keep us out of Slashdot. Plus it makes me feel warm and fuzzy inside. 
Don't include it at all or make it optional with a USE flag.


Good PR aside including all the certificates is better for the user 
because they don't have to manually search for the certificate and 
install it. Not to mention the wget bug with realplayer. I don't know 
about anyone else but when something Just Works(tm) I am happy. Install 
it by default or make it optional with a USE flag.


Would it be best to make it into a USE flag so users have the choice, 
install it by default or simply not offer it at all?


Both sides should be happy with a USE flag IMHO. So long as it closes 
the wget bug I'm all for it.




Re: [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl

2005-12-30 Thread Mike Frysinger
On Friday 30 December 2005 23:17, Curtis Napier wrote:
> Would it be best to make it into a USE flag so users have the choice,
> install it by default or simply not offer it at all?
>
> Both sides should be happy with a USE flag IMHO. So long as it closes
> the wget bug I'm all for it.

a USE flag is pointless, it has the same effect as having the user emerge the 
ca-certs package itself
-mike



Re: [gentoo-dev] heads up: adding ca-certificates as a PDEPEND to openssl

2005-12-30 Thread Doug Goldstein
Curtis Napier wrote:
> Yuri Vasilevski wrote:
>
>> Now, being a little bit less ideological, I think it is perfectly ok to
>> add certificates from some organizations like CACert.org that try to
>> make security free for all Internet users, as well as open source
>> projects' certificates (like the Debian ones). But it should be up to
>> businesses to buy their way into openssl by means of this
>> sponsoring.
>>
>> So my suggestion is to add root certificates only for not-for-profit
>> organizations. (For intermediate certificates that already have a root
>> certificate bundled with openssl, it's ok in all cases.) Or at least don't
>> make it an RDEPEND but an einfo: "you may want to install X for Y reason".
>>
>>> this will inadvertently fix this fun bug:
>>> http://bugs.gentoo.org/101457
>>> and probably more in the future
>>
>> In this kind of case it is probably better to ask upstream to bug
>> their CA to sponsor openssl or to use some free CA.
>>
>> Yuri.
>
> I was unaware that openssl worked that way, i.e. sponsor in exchange for
> inclusion. This seems like a fair and honest way for them to raise
> funds but gives companies the ability to use openssl even if they don't
> sponsor. But *must* we honor that? Has anyone asked them?
>
> I agree with this point 100%: Any organization that is free to the
> public should be included. But should we exclude the ones that are
> for-profit? I don't know but I have some pros and cons about including it.
>
> It would be good PR for Gentoo to honor that funding scheme. Helping a
> fellow FOSS project in this way is just being neighbourly and will
> keep us out of Slashdot. Plus it makes me feel warm and fuzzy inside.
> Don't include it at all or make it optional with a USE flag.
>
> Good PR aside including all the certificates is better for the user
> because they don't have to manually search for the certificate and
> install it. Not to mention the wget bug with realplayer. I don't know
> about anyone else but when something Just Works(tm) I am happy. Install
> it by default or make it optional with a USE flag.
>
> Would it be best to make it into a USE flag so users have the choice,
> install it by default or simply not offer it at all?
>
> Both sides should be happy with a USE flag IMHO. So long as it closes
> the wget bug I'm all for it.

Where do government organization Certs fit in? I generally have to
manually install the Dept of Defense Cert in most of my installs. They
don't care but they also don't toss them out for free to projects.

Just playing Devil's Advocate.


-- 
Doug Goldstein [EMAIL PROTECTED]
http://dev.gentoo.org/~cardoe/