
Re: [pkg-go] Bug#856139: certspotter: long description advertises commercial service

On Fri, Aug 11, 2017 at 08:03:09AM -0400, Wouter Verhelst wrote:
> If a free software implementation of the remote service exists that a
> package can work with, then it can remain in main. If not, it cannot.

There is no free software server-side implementation of e.g. the ICQ
protocol, as far as I know, but there are multiple client-side
implementations in main. For that matter, there is no free software
server-side implementation of QUIC, so I guess by that rule, Chromium
should be in contrib as well. Pretty sure that there isn't any kind of
consensus for any of that.

As for certspotter, the conversation has derailed quite a bit -- in part
because Jonas forwarded this to debian-project while stripping almost
the entirety of my reply on the bug, then stripping again all of the
context when days later, he started a new thread from scratch on
debian-devel. Not cool.

To clear things up:
- certspotter is free software, and is used to check Certificate
  Transparency logs, notifying the user if any certificates in the wild
  have been observed matching a domain of theirs.

- The author of certspotter also runs SSLMate as a commercial offering,
  which hosts a version of certspotter for anyone to use. It's free for
  up to 5 domains, and charges for more, presumably for larger
  enterprises (but these can still opt to run it themselves, using
  certspotter). The SSLMate website, in the menu under "Cert Spotter",
  has "Pricing", "API", "Open Source", in that order, with the latter
  pointing to the GitHub page of certspotter.

- People called SSLMate "non-free" and objected to the certspotter
  description pointing to it. While it is true that it is non-free to
  some extent, as the web dashboard and code that glues certspotter to
  it isn't free (AFAIK), the most interesting and complicated part of it
  (a pretty flexible CT log client) is.

- certspotter does not connect to SSLMate in any way. certspotter
  (either the one locally installed, or the one run by SSLMate) connects
  to the various CT logs run by CAs, Google etc. In fact, it connects to
  the same CT log servers that Chromium does.

- Certificate Transparency is an IETF protocol (RFC 6962) and is
  implemented, as a client, by both Chromium and Firefox. Google has
  released a number of freely licensed client libraries, as well as
  their reference implementation of the CT log server. Even if the
  blanket rule that Wouter mentioned existed, certspotter would satisfy

- I don't have any personal or business connection to SSLMate or
  certspotter, other than using the software and maintaining the
  package. I haven't communicated with my upstream about this issue
  either, and my comments on the bug report are just my views. I just
  want to be fair to a nice upstream, who has graciously released part
  of their business as free (as in speech and as in beer) software, for
  anyone to use instead of using their service.

I read both of the threads so far (sadly, as most of it was off-topic
and a waste of precious DebCamp/DebConf time) and from all the
suggestions, I really appreciated and valued Chris Lamb's response about
dropping the "requires zero setup" bit. I intend to drop that part on
the next upload, whenever that happens.
