Yuri Vasilevski wrote:
Now, being a little bit less ideological, I think it is perfectly ok to
add certificates from some organizations like CACert.org that try to
make security free for all Internet users as well as open source
projects' certificates (like debian ones). But it should be up to
businesses to buy their way into openssl by means of this
"sponsoring".
So my suggestion is to add root certificates only for not-for-profit
organizations. (For intermediate certificates that already have their root
certificate bundled with openssl it's ok in all cases). Or at least don't
make it a RDEPEND but an einfo "you may want to install X for Y reason".
This will inadvertently fix this fun bug:
http://bugs.gentoo.org/101457
and probably more in the future
In this kind of case it is probably better to ask upstream to bug
their CA to "sponsor" openssl or use some free CA.
Yuri.
I was unaware that openssl worked that way, ie "sponsor in exchange for
inclusion". This seems like a fair and honest way for them to raise
funds but gives companies the ability to use openssl even if they don't
sponsor. But *must* we honor that? Has anyone asked them?
I agree with this point 1000000%: Any organization that is free to the
public should be included. But should we exclude the ones that are
for-profit? I don't know but I have some pros and cons about including it.
It would be good PR for Gentoo to honor that funding scheme. Helping a
fellow FOSS project in this way is just being "neighbourly" and will
keep us out of slashdot. Plus it makes me feel warm and fuzzy inside.
Don't include it at all or make it optional with a USE flag.
Good PR aside, including all the certificates is better for the user
because they don't have to manually search for the certificate and
install it. Not to mention the wget bug with realplayer. I don't know
about anyone else but when something Just Works(tm) I am happy. Install
it by default or make it optional with a USE flag.
Would it be best to make it into a USE flag so users have the choice,
install it by default or simply not offer it at all?
Both sides should be happy with a USE flag IMHO. So long as it closes
the wget bug I'm all for it.
--
gentoo-dev@gentoo.org mailing list