[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

2010-01-08 Thread bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=474549


David Woodhouse changed:

           What    |Removed |Added
 ------------------+--------+--------------------
 CC                |        |dw...@infradead.org
 Depends on        |        |466626

--- Comment #12 from David Woodhouse 2010-01-08 14:09:51 EDT ---
Technical review... you include these files:

%{pkidir}/tls/certs/%{name}-class1.crt
%{pkidir}/tls/certs/%{class1hash}.0

But that is broken. Nothing will ever use the first, and I'm not even sure if
they'll use the second. Besides, the hash function used is a fairly weak one
and it's quite likely that there will be collisions. You can't just assume that
you can use %{hash}.0 as the file name.

We need a script to rebuild the /etc/pki/tls/cert.pem file from a configurable
list of original certs, like Debian has (see bug #466626). And you should be
using that in your %post script.

You also need to add it to the system-wide NSS database. We have that working
now, and hopefully we'll deploy it in firefox/thunderbird/evolution in time for
Fedora 13. Then we can just add the new cert to the central database in
/etc/pki/nssdb/ and it'll actually work for everything which uses NSS. Our
solution for bug #466626 will need to do that too, presumably.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are on the CC list for the bug.

___
Fedora-package-review mailing list
Fedora-package-review@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-review
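
An added example (not part of the original thread, and not Fedora's or Debian's actual script): one way to address the two points in comment #12, linking certificates as `<hash>.N` with the next free suffix instead of assuming `.0`, and rebuilding a single bundle from a configurable list. The function names, the `*.crt` layout and the default call to `openssl x509 -noout -hash` are assumptions for illustration.

```python
import hashlib
import os
import subprocess
import tempfile

def openssl_subject_hash(path):
    """Ask the openssl CLI for the subject-name hash used in <hash>.N names."""
    out = subprocess.run(["openssl", "x509", "-noout", "-hash", "-in", path],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()

def link_by_hash(cert_dir, hash_fn=openssl_subject_hash):
    """Create <hash>.N symlinks for every *.crt; colliding hashes get .0, .1, ..."""
    # Drop links left by a previous run so suffixes are reassigned from scratch.
    for name in os.listdir(cert_dir):
        full = os.path.join(cert_dir, name)
        if os.path.islink(full) and name.rsplit(".", 1)[-1].isdigit():
            os.unlink(full)
    used = {}    # hash -> content digests already linked under that hash
    links = {}   # link name -> certificate file name
    for name in sorted(n for n in os.listdir(cert_dir) if n.endswith(".crt")):
        path = os.path.join(cert_dir, name)
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        seen = used.setdefault(hash_fn(path), [])
        if digest in seen:
            continue  # the same certificate shipped twice needs only one link
        link = "%s.%d" % (hash_fn(path), len(seen))  # next free suffix
        os.symlink(name, os.path.join(cert_dir, link))
        seen.append(digest)
        links[link] = name
    return links

def rebuild_bundle(cert_dir, enabled, bundle_path):
    """Concatenate the enabled certs into one PEM bundle, replaced atomically."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(bundle_path) or ".")
    with os.fdopen(fd, "wb") as out:
        for name in enabled:
            with open(os.path.join(cert_dir, name), "rb") as f:
                data = f.read()
            out.write(data if data.endswith(b"\n") else data + b"\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, bundle_path)  # readers never see a half-written bundle
    return bundle_path
```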


[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

2009-11-28 Thread bugzilla

Tom "spot" Callaway changed:

           What    |Removed |Added
 ------------------+--------+--------------------
 CC                |        |tcall...@redhat.com

--- Comment #11 from Tom "spot" Callaway 2009-11-28 21:02:50 EDT ---
Agreed. The above draft license gives me a headache. I really hope they find a
lawyer at some point.



[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

2009-11-24 Thread bugzilla




--- Comment #10 from Matthias Saou 2009-11-24 14:42:23 EDT ---
I've just re-read the latest version of the document linked above, and not only
do I still not know if it'll become official at any point, it also still seems
like a big mess to me.

From the main website, the current "policy" still seems to be this one:
http://www.cacert.org/policy/NRPDisclaimerAndLicence.php

Which still contains the very confusing and saddening "You may NOT distribute
certificates or root keys under this licence, nor make representation about
them.".

So my feeling is that we're still at the exact same point as before.



[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

2009-11-20 Thread bugzilla

Jason Tibbitts changed:

           What    |Removed |Added
 ------------------+--------+--------------------
 Blocks            |        |182235(FE-Legal)

--- Comment #9 from Jason Tibbitts 2009-11-20 10:28:21 EDT ---
Could someone perhaps update the status of this ticket?  There's a ticket
before FESCo relating to the CAcert certificates and it would be good to know
where things stand today.

Given that as of the last comment there were still license issues, I'm going to
block FE-Legal so perhaps we can get a more formal statement of what needs to
change before this can be considered acceptable for Fedora.



[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

2009-03-20 Thread bugzilla

Itamar Reis Peixoto changed:

           What    |Removed |Added
 ------------------+--------+------------------------
 CC                |        |ita...@ispbrasil.com.br

--- Comment #8 from Itamar Reis Peixoto 2009-03-20 13:08:10 EDT ---
http://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html



[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

2009-02-09 Thread bugzilla




--- Comment #7 from Matthias Saou 2009-02-09 07:10:43 EDT ---
(In reply to comment #6)
> Matthias: Do you have any official response from the cacert support mailinglist
> yet?

The last feedback was what I posted here, that it was "work-in-progress" to get
the situation fixed. If you have any further news and/or want to get in touch
again with cacert about this, please post any info here!



[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

2009-02-08 Thread bugzilla

Tobias Mueller changed:

           What    |Removed |Added
 ------------------+--------+---------------------------
 CC                |        |fedora-b...@cryptobitch.de

--- Comment #6 from Tobias Mueller 2009-02-08 16:55:47 EDT ---
Matthias: Do you have any official response from the cacert support mailinglist
yet?

I'd love to see the cacert certs shipped with fedora...



[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

2008-12-19 Thread bugzilla

Jason Tibbitts changed:

           What    |Removed |Added
 ------------------+--------+--------------------
 Status Whiteboard |        |NotReady

--- Comment #5 from Jason Tibbitts 2008-12-19 15:57:00 EDT ---
How about this.  You can close it if you like, but if you'd like a reviewer to
look at this ticket, just clear the whiteboard.



[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

2008-12-19 Thread bugzilla




--- Comment #4 from Matthias Saou 2008-12-19 06:55:07 EDT ---
Just got a semi-official answer from Tomáš Trnka :

--

[... Matthias ...]
> IANAL, which is why I'm asking here, but it seems quite strange to not
> be able to distribute the root certificates if the goal is to some day
> have them distributed with major web browsers...  

Hello!

Yes, this is correct. The current NRPDaL doesn't permit redistribution. This 
is because CAcert is currently undergoing an audit and the NRPDaL is supposed 
to pass this audit too. Non-related parties are really not supposed to 
distribute anything, but Fedora is not a "non-related party" -  third-party 
software vendors are to be covered (and permitted cert redistribution) in the 
3PVDaL, which is currently work-in-progress. As soon as the policy group 
finishes the work and the 3PVDaL passes to DRAFT (active) status, the problem 
mentioned by you will be solved.

--

So I'm unsure what to do about this... leave this review open until things
change? Close it then reopen it once it can move forward again?



[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

2008-12-10 Thread bugzilla




--- Comment #3 from Matthias Saou 2008-12-10 10:11:07 EDT ---
Legal seems to think that the license is not appropriate for inclusion in
Fedora. I'll ask on the CAcert support list now in case anyone there can give a
clarification.



[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

2008-12-09 Thread bugzilla




--- Comment #2 from Matthias Saou 2008-12-09 06:57:48 EDT ---
(In reply to comment #1)
> How did you determine that the certs are public domain?

By looking at the "ca-certificates" package, in which cacert.org would like to
ultimately include their root certificate. But indeed, I was wrong.

I've updated the package to include a NRP-DaL.txt file where I copied the
content of the website's "Disclaimer and Licence" page. I don't know if this is
suitable for Fedora or not, so I've sent an email to the legal-list to ask
about it.



[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

2008-12-06 Thread bugzilla




--- Comment #1 from Jason Tibbitts 2008-12-06 19:53:10 EDT ---
This builds fine; rpmlint says:
  ca-cacert.org.noarch: W: no-documentation
  ca-cacert.org-class1.noarch: W: no-documentation
  ca-cacert.org-class1.noarch: W: non-conffile-in-etc /etc/pki/tls/certs/ca-cacert-class1.crt
  ca-cacert.org-class3.noarch: W: no-documentation
  ca-cacert.org-class3.noarch: W: non-conffile-in-etc /etc/pki/tls/certs/ca-cacert-class3.crt
None of which is troubling or all that surprising.

How did you determine that the certs are public domain?  The files themselves
have no information, but the upstream web page does have a license and
indicates that it governs the use of the same keys included in this package.
