Richard Stallman wrote:
> I know nothing about this; I might not know how to do it.
> I hope you are not saying that people like me are unimportant
> when we judge what Savannah should do.

No, not at all. It's perfectly OK not to know or bother (but we provide simple instructions for those who care nevertheless). In which case it does not matter if the certificate is issued by a CA in the browser's certificate store or whatever.

For years, we've been using a self-signed certificate generated by Sylvain (first with openssl, then with gnutls-cli) and there were no problems. When the Firefox developers implemented this nefarious behavior in Gecko 1.9, we switched to a certificate issued by the most popular CA in the free world.

Now faithful Firefox users are blackmailing various sites to switch to a CA approved by them in order to avoid the unpleasant warnings, instead of complaining to the Mozilla developers. So the question is whether we should accept being blackmailed or not. I don't care, personally, although I think it is a step behind if we surrender to the trend.

Perhaps it's worth mentioning that CAcert's root certificate is included in most major distros, and all browsers are modified to check the system's certificate store. So in practice it does not matter much that it's not included in Mozilla, as most people use packaged browsers provided by the distro.

(And I still don't understand why a particular Mozilla decision should influence us. Our certificate is absolutely valid on all counts.)