[Board] OSGeo signing certificates (discussion)

Jody Garnett jody.garnett at gmail.com
Sat Oct 17 12:34:40 PDT 2015


Thanks for the clarifications Tim/Brian.

My example of FSF was a poor one; I am not aware of any group wishing to
act as a certification authority for open source projects.

--
Jody Garnett

On 17 October 2015 at 10:35, Jody Garnett <jody.garnett at gmail.com> wrote:

> Going to take up Maxi's comment here:
>
>> Because I didn't have the chance to dig deeper into this, and ideally I
>> don't like a system asking to pay for installing a free software.
>
>
> It may be a small distinction, but we are not asking users to pay for
> installing free software. Instead we are paying for a certificate
> identifying our organization (i.e. OSGeo) and we are going to use this
> certificate to "authenticate" a software download as being produced by our
> community, rather than, say, another vendor. It is these kinds of costs that
> operate as a barrier to our open source software, and being in a position to
> open these doors is a way we can provide value as a Foundation.
>
> Personally I am not sure if I like it or not, but I recognize it as
> something that needs to be done.
>
> I think we could (in the future) ask whether the FSF could act as a signing
> authority and give us a certificate etc... but I think even in that case we
> would like to give them a donation for the trouble/service. Doing a bit of
> research it seems most open source developers take on this cost themselves
> or via a software foundation.
> --
> Jody Garnett
>
> On 15 October 2015 at 09:11, Jody Garnett <jody.garnett at gmail.com> wrote:
>
>> Today's board meeting had the following agenda topic:
>>
>>
>>>    - discuss possibility of OSGeo software signing certificates [Anita]
>>>    (i.e. OSX seems to not allow installation of unsigned software by default
>>>    --> user needs to change configuration --> signed software would appear
>>>    more professional. On the QGIS mailing list, we were discussing that we
>>>    could have a QGIS.org certificate but since QGIS depends on so many other
>>>    OSGeo tools - which would also have to be signed - it might be more
>>>    appropriate to have an OSGeo certificate.)
>>>
>>>
>> Moving discussion here to the mailing list, and will make the motion
>> tomorrow.
>>
>> As this is the OSGeo board mailing list I would like to keep the
>> technical details of signing to a minimum and focus on our role in
>> supporting the QGIS project.
>>
>> We are focused on a very clear question - can OSGeo obtain a
>> certificate for use by OSGeo projects? The cost appears to be nominal (one
>> quote <https://www.digicert.com/code-signing/> is $160/yearly).
>>
>> I view this as an appropriate use of the OSGeo branding and well within
>> our capacity as an organization.
>> --
>> Jody Garnett
>>
>
>