[Dev] [Pierre Schmitz] [arch-dev-public] CAcert dropped from certificate bundle
Michał Masłowski
mtjm at mtjm.eu
Fri Apr 11 22:00:48 GMT 2014
> i read in the debian discussion i think, that the root distribution
> license for cacert could be considered unfree though it looked ok to
> me. the only weird thing is that it has an announcement clause which i
> think could be fullfilled in the post_install hook.
The discussion is probably [0], about [1].
The announcement clause is imo not a problem: it refers only to
"Embedded" certificates, i.e. "within a software application or hardware
system" which "is distributed in binary form only".
The bigger issue is a use restriction caused by the definition of
"RELY".
I think it should be safe to assume that mostly random and unoriginal
works like TLS certificates cannot be copyrighted, so we don't have to
obey that license.
> what do you think? should we unblacklist ca-certificates and provide
> cacert-dot-org in our base bundle (as a dependency for pacman?)?
I think only some of these solutions are acceptable:
1. Drop HTTPS use, add a news post asking users to change their
mirrorlists to use HTTP.
2. Include the CAcert certificates in a package in base, write a news
post asking users to upgrade/install it.
3. Get certificates from a CA included in Mozilla's ca-certificates.
All are bad, 2 is probably least bad.
> if you know of a gratis certificate authority that's also included in
> ca-certificates and allows for wildcard cert please let me know. for
> instance, we have a single certificate for *.parabola.nu that covers any
> subdomain.
I don't know any (startssl.com has no gratis revocation [2], their
wildcard certificates require money and multiple ID documents).
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687693
[1] https://www.cacert.org/policy/RootDistributionLicense.php
[2] https://www.mirbsd.org/permalinks/wlog-10_e20140409-tg.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20140412/00605eaa/attachment.sig>
More information about the Dev
mailing list