Comment 211 for bug 28048

In , David-gigawatt (david-gigawatt) wrote:

Rich Freeman <email address hidden> wrote:
>
> It just seems like as an organization we [The Mozilla Foundation]
> should be trying to foster open source projects.

Whoa, there. I'd just like to point out that CaCert is not an open source project in any sense of the term. It uses open source software *internally* to provide a free (as in beer) service, but CaCert distributes no free (as in *freedom*) software, and no software that could even remotely be considered open source. Just the opposite in fact, see the license here, on their site: http://www.cacert.org/src-lic.php

It clearly states that you:
  1. may NOT modify the source code [...]
  2. may NOT make copies of the source code [...]
  3. may NOT give, sell, loan, distribute, or transfer the source code files
     to anyone else, and, my favorite:
  4. may NOT use [CaCert] software created for any purpose or reason other than verifying that there are no unknown vulnerabilities or the like or otherwise making your own assessment of the integrity of the source code and the security features of the CaCert software

Furthermore, below it goes on: "All rights not expressly granted to you [editorial comment: which would be "none"] in these license terms are reserved by CAcert. CaCert retains ownership of all copyrights and other intellectual property rights throughout the world in the CAcert source code and software. You agree that CAcert will be given a perpetual non-exclusive rights to any and all derived code, and you hereby assign rights in any modifications you make to the source code and in any bug reports you submit to CAcert."

This just may be the single most disgusting and ill-advised hybrid software license I have ever read. The author apparently seeks to keep the software 100% proprietary, guarding it from "competitors", and protecting potential future licensing revenue, while simultaneously benefiting from the efforts of the open source developer community to fix its bugs, and attest that it is not malware, for free.

Although I wrote an impassioned comment (#12 above, of 161 so far!)
https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c12 in *support* of CaCert, uh, 4 years ago now, and was a CaCert user and Assurer, I discontinued my involvement because the source code was released by the founder only months later, after much prompting and delay, and when it was finally unveiled, these onerous licensing restrictions were "slipped in" with zero community discussion.

When I asked why the code was not made open source, the founder described his perceived threat that if it was made open source, then other free CA's would start popping up out of nowhere to run our code and to compete with CaCert and he felt that this would decrease CaCert's chances of getting its root cert into Mozilla, and then IE.

This seemed a paranoid and protectionist attitude, and I have not participated in the Assurer program or the CaCert community since, though I have monitored the mailing lists. After the founder's recently announced resignation, perhaps the new board of directors (or whatever governing body structure they adopt) will revisit this anti-competitive, closed source position.

I had thought a free CA would be a good thing, and if one is good, then two is better, and a hundred would be fantastic! So if they all *do* pop up, and share code and development effort, I believe that all will benefit and perhaps, someday, all will be accepted by all the browsers, and Verisign and the small number of others who dominate and control the Industry of Trust will no longer be able to levy their "security tax" on every ecommerce transaction on the internet. SSL and WiFi encryption are made possible by open source software and public key encryption which came from the grass-roots volunteer development efforts of developers who believed the decision of who to trust belongs with the user, not the government and certainly not, uh, large multinational corporations.

So I still believe that CaCert's root certificate should ship with Mozilla, because I believe that, given the choice, users would choose to trust the network of well-intentioned volunteers that make up CaCert over Verisign and GE any day. And if The Mozilla Foundation does not institute SOME policy by which a grassroots volunteer CA such as CaCert can be considered as trustworthy as a fly-by-night company whose only purpose is to make a buck by investing $50,000 to get in on a piece of Trust Tax, then Mozilla is sending the message to its users, to the public, that only companies and governments ought to have the keys to the public's trust.

-dave

"Don't worry about people stealing your ideas. If your ideas are any good, you'll have to ram them down people's throats." --Howard Aiken <http://en.wikipedia.org/wiki/Howard_Aiken>