Eric Dorland wrote:
* Gervase Markham (gerv@mozilla.org) wrote:Debian already has rights that their users don't have, the most prominent among them being to label a Linux distribution as "Debian" (or "official Debian", or whatever it is you guys use). :-)When I said rights, I meant rights to the software in main. That's what Debian cares about. I should of been more clear.
So it's OK for Debian to use trademarks to protect their free software brand, but not OK for those whose software is included in Debian?
They do have concerns about the trustability of CAcert certs. I'mmostly convinced they're no worse than other CA's.What we have a problem with (in the context of including the cert in Firefox) is the fact that CAcert haven't been audited, so the risk of including them is unquantifiable. Please see the CAcert list for recent discussions on this topic.Can you please point me to the document where you went and verifiedthat all your current CA's have been audited and met your CA policy?
We haven't yet audited the current CAs; the decision was taken (given how long it took to develop the policy) to prioritise new CAs. Current CAs at least have the evidence of history to back up their trustworthiness.
Here's another situation you might want to consider. What if Debian decided one of your CA's was not trustworthy and removed it? Would that be grounds for losing the trademark?
That's a very different issue; we have considered it, of course. The answer would probably depend on how used the root was - i.e. how far removing it degraded the user experience - combined with the reasons for removal. But we haven't thought about this one as hard, because it hasn't come up in practice.
Gerv