[Board] OSGeo signing certificates (discussion)

Jody Garnett jody.garnett at gmail.com
Thu Oct 15 09:49:58 PDT 2015


Thanks, could the board work with the SAC to obtain a useful certificate?
For this discussion/motion I am seeking the direction "this is something we
should do" from the board.

I am in a small conflict of interest here as a "community lead" at
Boundless; we have also offered to sign bundles as a member of the QGIS
community. The board could also ask the QGIS non-profit to obtain a
certificate and sign, but I would prefer if we stick with the OSGeo
branding (which helps many more projects than just QGIS).



--
Jody Garnett

On 15 October 2015 at 09:45, Brian M Hamlin <maplabs at light42.com> wrote:

> Hi All -
>
>
>
>   thank you to the new Board facing a list of things to attend to..
>
>
>
> I have to say that the motion as worded is avoiding a crucial component,
> and that is, who are the vendors involved, and who "owns" the right to
> validate the authenticity of a cert.
>
> The dysfunction in the current cert ecosystem is well-known, so I am not
> naively suggesting that there is a simple fix. However, it is important to
> know, as a dot-org representing FOSS, who cert authority is being purchased
> from, and what that means.
>
>
>
>   best regards from Berkeley, California
>
>   Brian M Hamlin
>
>
>
>
> On Thu, 15 Oct 2015 09:11:48 -0700, Jody Garnett <jody.garnett at gmail.com>
> wrote:
>
> Today's board meeting had the following agenda topic:
>
>
>>
>>    - discuss possibility of OSGeo software signing certificates [Anita]
>>    (i.e. OSX seems to not allow installation of unsigned software by default
>>    --> user needs to change configuration --> signed software would appear
>>    more professional. On the QGIS mailing list, we were discussing that we
>>    could have a QGIS.org certificate but since QGIS depends on so many other
>>    OSGeo tools - which would also have to be signed - it might be more
>>    appropriate to have an OSGeo certificate.)
>>
>>
> Moving discussion here to the mailing list, and will make the motion
> tomorrow.
>
> As this is the OSGeo board mailing list I would like to keep the technical
> details of signing to a minimum and focus on our role in supporting the
> QGIS project.
>
> We are focused on a very clear question - can OSGeo obtain a
> certificate for use by OSGeo projects. The cost appears to be nominal (one
> quote <https://www.digicert.com/code-signing/> is $160/yearly).
>
> I view this as an appropriate use of the OSGeo branding and well within
> our capacity as an organization.
> --
> Jody Garnett
>
> ------------------------------
>
> _______________________________________________
> Board mailing list
> Board at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/board
>
>
>
>
> --
> Brian M Hamlin
> OSGeo California Chapter
> blog.light42.com
>
>
>