Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-26 Thread Richard Stallman
- There's a link in the explanation text about what Savannah is, mentioning the SSL certificate that we use. But maybe you gentle visitor weren't interested in reading, so you - Click "Login": http://savannah.gnu.org/account/login.php?uri=/&cookie_test=1 There's tex

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-22 Thread Karl Berry
Regarding the cert stuff, 1) the "New User" link still leads to an https url. New users are at least as likely to click on that as "Login". 2) The text before the login form now reads: You are about to enter a secure https website, using a SSL certificate signed by CAcert.org

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-21 Thread Sylvain Beucler
Hi, On Wed, Oct 21, 2009 at 12:57:57AM -0400, Richard Stallman wrote: > Last time we discussed it, we agreed on writing additional > documentation about it and linking it on the login page, which is the > page from which people get to the https: area (https access is not > required

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-20 Thread Richard Stallman
Last time we discussed it, we agreed on writing additional documentation about it and linking it on the login page, which is the page from which people get to the https: area (https access is not required for normal browsing). While it took a few weeks of delays, this is now don

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-19 Thread Sylvain Beucler
Hi, On Sun, Oct 18, 2009 at 10:39:04PM -0400, Richard Stallman wrote: > > I know nothing about this; I might not know how to do it. > > I hope you are not saying that people like me are unimportant > > when we judge what Savannah should do. > > No, not at all. It's perfectly OK n

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-18 Thread Richard Stallman
> I know nothing about this; I might not know how to do it. > I hope you are not saying that people like me are unimportant > when we judge what Savannah should do. No, not at all. It's perfectly OK not to know or bother (but we provide simple instructions for those who care n

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-17 Thread Richard Stallman
IOW, you suggest to continue feeding the monster and actively discourage community-driven CAs. I don't think our decision will have any effect on the success of CAcert. Support from sites like ours is not what it needs most, not now.

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-17 Thread Yavor Doganov
Richard Stallman wrote: > I know nothing about this; I might not know how to do it. > I hope you are not saying that people like me are unimportant > when we judge what Savannah should do. No, not at all. It's perfectly OK not to know or bother (but we provide simple instructions for those who ca

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-17 Thread Richard Stallman
I rather think that the Mozilla decision is blindly based on a more widespread $75000 audit from Webtrust, which CAcert cannot afford. The independent audit requested them to make changes that were not required from other certification providers. That doesn't change anything for ou

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-17 Thread Richard Stallman
More importantly, I fail to see what the problem is, really. If the user is clueless enough and doesn't understand how to validate a certificate, what good it does if we choose a certificate that is included in a (popular) particular program? I know nothing about this; I might not

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-16 Thread Yavor Doganov
Matt Lee wrote: > Until this situation changes, we should continue with the practice > of buying certificates like we do for www.fsf.org IOW, you suggest to continue feeding the monster and actively discourage community-driven CAs.

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-16 Thread Jonathan Gonzalez V.
Matt Lee writes: > We want people to trust the GNU project and the FSF. Broken SSL > certificates like this one, are just that -- breaking the trust > relationship between us and the general public. People will not trust more or less in the GNU project or the FSF if we use a certificate that it

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-16 Thread Matt Lee
Ultimately this comes down to the certificates not passing the security checks put in place by Mozilla. Until this situation changes, we should continue with the practice of buying certificates like we do for www.fsf.org

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-16 Thread Yavor Doganov
Matt Lee wrote: > I don't think this is about clueless users, and I find it pretty sad > that we're talking about people like that. OK, I withdraw my words. What this is all about, really? > Free software is for everyone, and used by people who may seem > clueless about this problem, but it's be

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-16 Thread Matt Lee
On 10/16/09 13:05, Yavor Doganov wrote: > More importantly, I fail to see what the problem is, really. If the > user is clueless enough and doesn't understand how to validate a > certificate, what good it does if we choose a certificate that is > included in a (popular) particular program? I don

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-16 Thread Yavor Doganov
Sylvain Beucler wrote: > Mozilla follows money-based audit. Right, and because of this, they decided to make certificate errors in xulrunner 1.9 fatal (i.e. Firefox 3.x). The user has to jump through hoops to make the browser believe the certificate is valid, thus finally allowing access to the s

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-16 Thread Sylvain Beucler
On Fri, Oct 16, 2009 at 09:45:02AM -0400, Matt Lee wrote: > On 10/16/2009 09:24 AM, Sylvain Beucler wrote: > > > And just because Mozilla is showing a warning to users doesn't mean we > > have to abide: there is also a warning that we should install Adobe > > Flash after a first install, and hopefu

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-16 Thread Matt Lee
On 10/16/2009 09:24 AM, Sylvain Beucler wrote: > And just because Mozilla is showing a warning to users doesn't mean we > have to abide: there is also a warning that we should install Adobe > Flash after a first install, and hopefully we won't be similarly > influenced. This is not just about Mozi

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-16 Thread Matt Lee
On 10/16/2009 04:47 AM, Richard Stallman wrote: > I did not notice that message from Karl before, but now that I see it, > I think we should get another certification for Savannah if it is feasible. > > Matt, is it feasible? Absolutely. I will talk to the sysadmins today about getting this ordere

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-16 Thread Sylvain Beucler
On Fri, Oct 16, 2009 at 04:47:55AM -0400, Richard Stallman wrote: > I did not notice that message from Karl before, but now that I see it, > I think we should get another certification for Savannah if it is feasible. > > Matt, is it feasible? > > It seems that what CACERT needs is not support fro

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-16 Thread Richard Stallman
I did not notice that message from Karl before, but now that I see it, I think we should get another certification for Savannah if it is feasible. Matt, is it feasible? It seems that what CACERT needs is not support from people like us, but rather to clean up its own act first. If CACERT someday

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-15 Thread Jon
Hello Just another thought on this item: When the SSL cert only costs £12 from gandi.net .. is it really worth losing so many developers and users from savannah.gnu.org until CAcert sort out what they are doing? Not sure if you know, but it is basically *impossible* for an IE user to get on to

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-15 Thread Sylvain Beucler
On Tue, Oct 13, 2009 at 08:44:01PM -0400, Richard Stallman wrote: > Hello Karl, > > Thank you for going through all the background on this. > > What does that refer to? Did Karl send you something he > did not send to me? I would like to see it. Karl had sent the following which you re

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-13 Thread Richard Stallman
Hello Karl, Thank you for going through all the background on this. What does that refer to? Did Karl send you something he did not send to me? I would like to see it.

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-10-12 Thread Jon
Hello Karl, Thank you for going through all the background on this. CAcert does look a long way out of reach. If it's not about the money, is it just that you don't want to pay something for a centralised system? If that is the case, why do you use DNS, or any other system you have to pay fo

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-09-29 Thread Richard Stallman
GNU Savannah per-se does not currently make use of Java applets, nor distributes installers for ms woe, the examples were given to defeat the point. If we don't have them on Savannah, we don't have to worry about them in regard to what we do on Savannah.

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-09-29 Thread Jon Grant
2009/9/28 Sylvain Beucler : >> > I'd also like a certificate for my Java applets, and also one for my >> > ms woe .exe installers which (like Firefox' or OpenOffice's) trigger a >> > bad-looking warning under recent versions/SPs of that OS.  If you can >> > buy that for each Savannah project that w

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-09-29 Thread Sylvain Beucler
On Mon, Sep 28, 2009 at 05:59:13PM -0400, Richard Stallman wrote: > I'd also like a certificate for my Java applets, and also one for my > ms woe .exe installers which (like Firefox' or OpenOffice's) trigger a > bad-looking warning under recent versions/SPs of that OS. > > What are the

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-09-28 Thread Karl Berry
> I think the thing to do would be to convince Mozilla to include CAcert > root certificate in Firefox. > > Someone said that this was already being worked on. That would be ideal, but the CAcert web site does not show signs of substantial progress. CAcert withdrew thei

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-09-28 Thread Richard Stallman
I'd also like a certificate for my Java applets, and also one for my ms woe .exe installers which (like Firefox' or OpenOffice's) trigger a bad-looking warning under recent versions/SPs of that OS. What are these Java applets? What are these .exe installers? I'd like to understand wha

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-09-28 Thread Sylvain Beucler
> > I'd also like a certificate for my Java applets, and also one for my > > ms woe .exe installers which (like Firefox' or OpenOffice's) trigger a > > bad-looking warning under recent versions/SPs of that OS.  If you can > > buy that for each Savannah project that would be great.  I have to > > wa

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-09-28 Thread Jon Grant
Hi Sylvain Thank you for your reply. 2009/9/28 Sylvain Beucler : [..] >> On http://savannah.gnu.org/ click "Login". See attached error. Close >> browser and never return to the site. How many visitors does GNU >> lose because the HTTPS SSL cert is not authenticated as valid by a >> root cert in

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-09-28 Thread Sylvain Beucler
On Sun, Sep 27, 2009 at 11:13:48PM +0100, Jon wrote: > Adding mattl to CC in case he has any ideas.. > > Richard Stallman wrote: > >I think the thing to do would be to convince Mozilla to > >include CAcert root certificate in Firefox. > > > >Someone said that this was already being worked o

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-09-27 Thread Jon
Replying to my own email with more info. Jon wrote: [..] On http://savannah.gnu.org/ click "Login". See attached error. Close browser and never return to the site. How many visitors does GNU lose because the HTTPS SSL cert is not authenticated as valid by a root cert in browsers? It gets wo

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-08-31 Thread Jon
Richard Stallman wrote: I think the thing to do would be to convince Mozilla to include CAcert root certificate in Firefox. Someone said that this was already being worked on. If additional support from us would help, we would be glad to give it. Can you find out who we should talk to?

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-08-30 Thread Richard Stallman
I think the thing to do would be to convince Mozilla to include CAcert root certificate in Firefox. Someone said that this was already being worked on. If additional support from us would help, we would be glad to give it. Can you find out who we should talk to? Much better than try

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-08-29 Thread Jon
Richard Stallman wrote: I will talk about this with the Savannah maintainers about what is best to do here. However, I don't think the use of CAcert is a significant obstacle to using Savannah. I think the thing to do would be to convince Mozilla to include CAcert root certificate in Firefo

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-08-28 Thread Richard Stallman
I will talk about this with the Savannah maintainers about what is best to do here. However, I don't think the use of CAcert is a significant obstacle to using Savannah.

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-08-28 Thread Jon Grant
2009/8/28 Sylvain Beucler : > On Fri, Aug 28, 2009 at 12:23:33PM +0100, Jon Grant wrote: >> Hi Sylvian, thanks for your reply. >> >> 2009/8/28 Sylvain Beucler : >> [..] >> > The certificate is valid. >> > >> > As written on the homepage: >> > >> >  Our https certificate is signed by the CAcert

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-08-28 Thread Sylvain Beucler
On Fri, Aug 28, 2009 at 12:23:33PM +0100, Jon Grant wrote: > Hi Sylvain, thanks for your reply. > > 2009/8/28 Sylvain Beucler : > [..] > > The certificate is valid. > > > > As written on the homepage: > > > > Our https certificate is signed by the CAcert > > authority, w

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-08-28 Thread Jon Grant
Hi Sylvian, thanks for your reply. 2009/8/28 Sylvain Beucler : [..] > The certificate is valid. > > As written on the homepage: > >  Our https certificate is signed by the CAcert >  authority, which you can import . CAcert is not shipped with

Re: [Savannah-help-public] missing SSL cert from savannah site

2009-08-27 Thread Sylvain Beucler
Hi, On Thu, Aug 27, 2009 at 06:34:49PM +0100, Jon Grant wrote: > https://savannah.gnu.org/account/login.php?uri=/bugs/?func=additem&group=make&cookie_test=1 > Hello > > do you know your site doesn't have a valid SSL cert? Could you buy > one? there is a big Firefox warning at present. Would you l

[Savannah-help-public] missing SSL cert from savannah site

2009-08-27 Thread Jon Grant
https://savannah.gnu.org/account/login.php?uri=/bugs/?func=additem&group=make&cookie_test=1 Hello do you know your site doesn't have a valid SSL cert? Could you buy one? there is a big Firefox warning at present. Would you like me to donate the cost of the SSL cert? atm, it only means people will