cacerts bundled with OpenJDK
Donald Smith
donald.smith at oracle.com
Fri Jun 1 12:47:21 UTC 2012
I don't know if it's a case that I know too much about the world of CAs,
and am scared about what this would mean; or if it's a case I don't know
enough, so I'm scared about what this would mean. :)
I'm not convinced it would help avoid duplication. In many cases CAs
won't be wanted or needed, and I believe in most cases where CAs are
wanted by packagers (your case notwithstanding) they'll be wanting it
from the OS perspective, or using their own corporate certs.
You use Mozilla as an example (which I see more as a consumer/end user
product than most OSS). To which I would counter example with OpenSSL -
http://www.openssl.org/support/faq.html#USER16.
I would be interested in hearing other opinions.
- Don
On 01/06/2012 3:20 AM, Henri Gomez wrote:
>> Disclaimer that I haven't read the thread to which you're referring.
>>
>> I think a key difference between Mozilla and OpenJDK is that Mozilla
>> distributes packaged products to end users whereas OpenJDK is a
>> collaboration of platform providers at the source code level. Whereas
>> cacerts are fundamentally a packaged product thing, and not entirely
>> necessary, and fundamentally tied to whoever is distributing the binary, I
>> don't think it would or should apply. Whereas Mozilla is shipping product
>> almost exclusively to end users in the form of Firefox, Thunderbird, etc,
>> then I can understand why they would maintain certs with the products.
> Yep.
>
> Providing a default cacerts in OpenJDK with a set of well-known ROOT
> CAs would help packagers avoiding duplicate works on all
> distributions.
>
> I guess there is some packagers here, at least Andrew Hughes, what do
> you think about this ?
More information about the discuss
mailing list