[Dev] [Pierre Schmitz] [arch-dev-public] CAcert dropped from certificate bundle
mtjm at mtjm.eu
Fri Apr 11 22:00:48 GMT 2014
> i read in the debian discussion i think, that the root distribution
> license for cacert could be considered unfree though it looked ok to
> me. the only weird thing is that it has an announcement clause which i
> think could be fullfilled in the post_install hook.
The discussion is probably , about .
The announcement clause is imo not a problem: it refers only to
"Embedded" certificates, i.e. "within a software application or hardware
system" which "is distributed in binary form only".
The bigger issue is a use restriction caused by the definition of
I think it should be safe to assume that mostly random and unoriginal
works like TLS certificates cannot be copyrighted, so we don't have to
obey that license.
> what do you think? should we unblacklist ca-certificates and provide
> cacert-dot-org in our base bundle (as a dependency for pacman?)?
I think only some of these solutions are acceptable:
1. Drop HTTPS use, add a news post asking users to change their
mirrorlists to use HTTP.
2. Include the CAcert certificates in a package in base, write a news
post asking users to upgrade/install it.
3. Get certificates from a CA included in Mozilla's ca-certificates.
All are bad, 2 is probably least bad.
> if you know of a gratis certificate authority that's also included in
> ca-certificates and allows for wildcard cert please let me know. for
> instance, we have a single certificate for *.parabola.nu that covers any
I don't know any (startssl.com has no gratis revocation , their
wildcard certificates require money and multiple ID documents).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 818 bytes
Desc: not available
More information about the Dev