Subject: Re: [pkg-go] Bug#856139: certspotter: long
description advertises commercial service



On Fri, Aug 11, 2017 at 08:03:09AM -0400, Wouter Verhelst wrote:
> If a free software implementation of the remote service exists that a
> package can work with, then it can remain in main. If not, it cannot.

There are no free software server-side implementation of e.g. the ICQ
protocol, as far as I know, but multiple client-side implementations in
main. For that matter, there is no free software server-side
implementation of QUIC, so I guess by that rule, Chromium should be in
contrib as well. Pretty sure that there isn't any kind of consensus for
any of that.

As for certspotter, the conversation has derailed quite a bit -- in part
because Jonas forwarded this to debian-project while stripping almost
the entirety of my reply on the bug, then stripping again all of the
context when days later, he started a new thread from scratch on
debian-devel. Not cool.

To clear things up:
- certspotter is free software, and is used to check Certificate
Transparency logs, notifying the user if any certificates in the wild
have been observed matching a domain of theirs.

- The author of certspotter also runs the SSLMate as a commercial
offering, which hosts a version of certspotter for anyone to use. It's
free for up to 5 domains, then charging for more, for presumably
larger enterprises (but these can still opt to run it themselves,
using certspotter). The SSLMate website, in the menu under "Cert
Spotter", has "Pricing", "API", "Open Source", in that order, with the
latter pointing to the GitHub page of certspotter.

- People called SSLMate "non-free" and objected to the certspotter
description pointing to it. While it is true that it is non-free to
some extent, as the web dashboard and code that glues certspotter to
it isn't free (AFAIK), the most interesting and complicated part of it
(a pretty fle...

xible CT log client) is.

- certspotter does not connect to SSLMate in any way. certspotter
(either the one locally installed, or the one run by SSLMate) connect
to the various CT Logs run by CAs, Google etc. In fact, it connects to
the same CT log servers that Chromium does.

- Certificate Transparency is an IETF protocol (RFC 6962) and is
implemented, as a client, by both Chromium and Firefox. Google has
released a a number of freely licensed client libraries, as well as
their reference implementation of the CT Log server. Even if the
blanket rule that Wouter mentioned existed, certspotter would satisfy
it.

- I don't have any personal or business connection to SSLMate or
certspotter, other than using the software and maintaining the
package. I haven't communicated with my upstream about this issue
either and my comment on the bug report are just my views. I just want
to be fair to a nice upstream, who has graciously released part of
their business as free (as in speech and as in beer) software, for
anyone to use instead of using their service.

I read both of the threads so far (sadly, as most of it was offtopic and
a waste of precious DebCamp/DebConf time) and from all the suggestions,
I really appreciated and valued Chris Lamb's response about dropping the
"requires zero setup" bit. I intend to drop that part on the next
upload, whenever that happens.

Regards,
Faidon



Programming list archiving by: Enterprise Git Hosting