[Dev] [Pierre Schmitz] [arch-dev-public] CAcert dropped from certificate bundle

Michał Masłowski mtjm at mtjm.eu
Fri Apr 11 22:00:48 GMT 2014

> i read in the debian discussion i think, that the root distribution
> license for cacert could be considered unfree though it looked ok to
> me.  the only weird thing is that it has an announcement clause which i
> think could be fullfilled in the post_install hook.

The discussion is probably [0], about [1].

The announcement clause is imo not a problem: it refers only to
"Embedded" certificates, i.e. "within a software application or hardware
system" which "is distributed in binary form only".

The bigger issue is a use restriction caused by the definition of

I think it should be safe to assume that mostly random and unoriginal
works like TLS certificates cannot be copyrighted, so we don't have to
obey that license.

> what do you think?  should we unblacklist ca-certificates and provide
> cacert-dot-org in our base bundle (as a dependency for pacman?)?

I think only some of these solutions are acceptable:

1. Drop HTTPS use, add a news post asking users to change their
   mirrorlists to use HTTP.
2. Include the CAcert certificates in a package in base, write a news
   post asking users to upgrade/install it.
3. Get certificates from a CA included in Mozilla's ca-certificates.

All are bad, 2 is probably least bad.

> if you know of a gratis certificate authority that's also included in
> ca-certificates and allows for wildcard cert please let me know.  for
> instance, we have a single certificate for *.parabola.nu that covers any
> subdomain.

I don't know any (startssl.com has no gratis revocation [2], their
wildcard certificates require money and multiple ID documents).

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687693
[1] https://www.cacert.org/policy/RootDistributionLicense.php
[2] https://www.mirbsd.org/permalinks/wlog-10_e20140409-tg.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20140412/00605eaa/attachment.sig>

More information about the Dev mailing list