Licensing and a secure package-management infrastructure
We have a really good toolset for internal use that lets us manage
certificates, cert chains, keys etc. relatively easily. Our whole CA
infrastructure is built on it. We're looking at packing it up for
commercial external release as a "Python BSAFE".
One neat application I thought of was the creation of "Authenticode for
Debian". Digitally signing packages using full cert chaining rather than
PGP. I would be happy to take that on as a pet project, integrating it
Since the thing is built outside the USA, it is available anywhere.
Signatures can use DSA which avoids the RSA patent.
There's only one problem: no way can we release the thing under GPL.
We'd be happy to license it to Debian free of charge for this purpose, but
commercial applications couldn't then use it free of charge. IOW, you
couldn't write a commercial app which requires our CryptoKit and use the
Debian version of it. The licence would cover only usage by the Debian
Is this worth pursuing? I think it would be a huge leap over RedHat if
you could allow people to control the security of their systems in this
Also, we'd provide free membership in our Basic Personal Certification
program to facilitate the developers getting free certs to support it all.
in short, there'd be no cost to the Debian project, and I'd do the
development for fun, but it couldn't be GPL. Comments?
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
Trouble? e-mail to firstname.lastname@example.org .