[Board] OSGeo signing certificates (discussion)

Jody Garnett jody.garnett at gmail.com
Sat Oct 17 10:35:03 PDT 2015


Going to take up Maxi's comment here:

> Because I didn't have the chance to dig deeper into this, and ideally I
> don't like a system asking to pay for installing free software.


It may be a small distinction, but we are not asking users to pay for
installing free software. Instead we are paying for a certificate
identifying our organization (i.e. OSGeo) and we are going to use this
certificate to "authenticate" a software download as being produced by our
community, rather than, say, another vendor. It is these kinds of costs that
operate as a barrier to our open source software, and being in a position to
open these doors is a way we can provide value as a Foundation.

Personally I am not sure if I like it or not, but I recognize it as
something that needs to be done.

I think we could (in the future) ask if the FSF could act as a signing
authority and give us a certificate etc... but I think even in that case we
would like to give them a donation for the trouble/service. Doing a bit of
research it seems most open source developers take on this cost themselves
or via a software foundation.
--
Jody Garnett

On 15 October 2015 at 09:11, Jody Garnett <jody.garnett at gmail.com> wrote:

> Today's board meeting had the following agenda topic:
>
>
>>    - discuss possibility of OSGeo software signing certificates [Anita]
>>    (i.e. OSX seems to not allow installation of unsigned software by default
>>    --> user needs to change configuration --> signed software would appear
>>    more professional. On the QGIS mailing list, we were discussing that we
>>    could have a QGIS.org certificate but since QGIS depends on so many other
>>    OSGeo tools - which would also have to be signed - it might be more
>>    appropriate to have an OSGeo certificate.)
>>
>>
> Moving discussion here to the mailing list, and will make the motion
> tomorrow.
>
> As this is the OSGeo board mailing list I would like to keep the technical
> details of signing to a minimum and focus on our role in supporting the
> QGIS project.
>
> We are focused on a very clear question - can OSGeo obtain a
> certificate for use by OSGeo projects? The cost appears to be nominal (one
> quote <https://www.digicert.com/code-signing/> is $160/yearly).
>
> I view this as an appropriate use of the OSGeo branding and well within
> our capacity as an organization.
> --
> Jody Garnett
>