Bug#990409: ca-cacert: should this package be removed?

Wed, 11 Aug 2021 05:54:13 -0700 

Hi,

Timo Röhling wrote:
> * Axel Beckert <a...@debian.org> [2021-08-11 13:27]:
> > I strongly disagree. CAcert offers way more types of certificates than
> > Let's Encrypt. For example does Let's Encrypt not provide any
> > certificates suitable for use as personal S/MIME e-mail certificates.
>
> Have you tried creating a personal S/MIME e-mail certificate lately?

Nope.

> Because I tried, and neither IE nor Edge nor Firefox nor Chrome nor Opera
> support the required HTML <keygen> tag any more.

That's the same for sso.debian.org. So should we close down that one,
too?

>From my point of view that's a failure of the browser makers and not
of CAcert or sso.debian.org. So users now need to call manually
openssl themselves.

> > But instead it offers longer living certificates for hosts not
> > directly reachable from the internet — which is a hell to achieve with
> > Let's Encrypt.
>
> Private hosts are usually managed with a private CA, which gives you
> much more control and versatility.

Not everyone is capable of running their own CA. Have you every tried
"easyrsa"? It's anything but easy. (And I personally rather run an
internal CA based on CAcert's scripts — which I actually do — than on
easyrsa. Tried easyrsa mostly for OpenVPN and nearly ditched OpenVPN
just because they recommend this crap.)

> Many companies do this,

Yeah, and often with worse outcome than with CAcert...

> and CAcert offers no advantage, since you'd still have to distribute
> their root certificates to all your clients.

If it's available as a Debian package, that's a clear advantage from
my point of view. :-)

> > Again, I strongly disagree. I rather hope that Dmitry gets it back
> > into shape and then also offers it via bullseye-backports.
>
> Well, if you, Dmitry, or anyone else feels that their time is well
> spent on this package, by all means, go ahead. I just happen to
> think that your contributions would be more valuable elsewhere.

I already have too many packages, so yes, I agree here. This though
does not change my opinion on this package (or on a lot of other
packages in Debian which I don't maintain, but consider important for
myself as well as the community in general).

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Reply via email to