[SAC] Osgeo Code signing certificates

Hi SAC,

Last year Larry as part of QGIS and Boundless, proposed to create a
single signed QGIS installer to make it easier to install QGIS on MacOSx
(see [0] and [1]).

In [2] Jody says there was a motion to buy those 'code-signing
certificates' for general use of Osgeo projects.

Now that 2.14 (a Long Term Release version) is released the plan is to
actually create this signed installer by Larry, sponsored in time by his
employer. In a recent private msg Larry proposes these [3] certificates.

So Question: who should (and can) buy and put these certs in a safe, and
make it possible for Larry to get one and create an installer?

Regards,

Richard Duivenvoorde

[0] https://lists.osgeo.org/pipermail/qgis-psc/2015-October/thread.html#3300
[1] https://lists.osgeo.org/pipermail/qgis-psc/2015-October/thread.html#3339
[2] https://lists.osgeo.org/pipermail/sac/2015-October/006090.html
[3] https://www.digicert.com/code-signing/

Hi Richard,

On Wed, 23. Mar 2016 at 08:59:29 +0100, Richard Duivenvoorde wrote:

So Question: who should (and can) buy and put these certs in a safe, and
make it possible for Larry to get one and create an installer?

See also https://lists.osgeo.org/pipermail/board/2015-October/013445.html
and https://lists.osgeo.org/pipermail/board/2015-October/013363.html.

Not sure if Larry meanwhile joined SAC and if there was any progress
on this already...

Jürgen

--
Jürgen E. Fischer norBIT GmbH Tel. +49-4931-918175-31
Dipl.-Inf. (FH) Rheinstraße 13 Fax. +49-4931-918175-50
Software Engineer D-26506 Norden http://www.norbit.de
QGIS release manager (PSC) Germany IRC: jef on FreeNode

Hi,

On Wed, Mar 23, 2016 at 6:47 AM, Jürgen E. <jef@norbit.de> wrote:

Hi Richard,

On Wed, 23. Mar 2016 at 08:59:29 +0100, Richard Duivenvoorde wrote:
> So Question: who should (and can) buy and put these certs in a safe, and
> make it possible for Larry to get one and create an installer?

See also https://lists.osgeo.org/pipermail/board/2015-October/013445.html
and https://lists.osgeo.org/pipermail/board/2015-October/013363.html.

Not sure if Larry meanwhile joined SAC and if there was any progress
on this already...

Apologies, as my work took me far away from this for quite some time. I
have not joined SAC and I believe no action has taken place to procure any
certificates. I will have time starting in April to work on setting up
scripts for signing QGIS installers (at least for Mac).

There is money authorized, for at least two certs for 3 years. How OSGeo
projects can share them (if possible) is a technical/policy question that
needs to be answered.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

QGIS Support/Development | Boundless <http://boundlessgeo.com/>
lshaffer@boundlessgeo.com


_______________________________________________
Sac mailing list
Sac@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/sac

Hi,


On Thu, Mar 24, 2016 at 3:33 PM, Larry Shaffer <larrys@dakotacarto.com> wrote:

I can work on this some starting now, but will have even more time after FOSS4G-NA (after May 9th). Who is the ‘go to’ on the SAC that can spearhead procuring code-signing certificates with the money already allocated?

I have done some more research. From what I have found, Apple requires that the signing certificate for passing Mac Gatekeeper policies be an Apple CA-signed certificate that has been generated from a CSR of only a valid Apple Developer ID [0]. The code can be signed with a third-party certificate (still securing the app against tampering), but such a signing will NOT pass Gatekeeper, i.e. purchasing a non-Apple code-signing certificate will be a wasted purchase for Mac distributions.

This means for code-signing Mac OSGeo applications an Apple Developer account is required. However, there are several options now [1]: Free, Individual, Organization or Enterprise. I recommend the OSGeo create an Organization-level ($99/year) account at Apple and set up ‘teams’ for all OSGeo projects wishing to distribute Mac apps/installers. I can help with this, as I have gone through this process for Boundless, for the code-signing of our Mac apps/installers.

If the SAC feels this is not appropriate for them to manage, maybe just the QGIS project (pilot project for this) can set up the Apple account instead.

A more general code-signing cert can be used for Windows apps/installers. More research needs to be done here, as a less expensive solution for the certificate may be usable.

[0] http://stackoverflow.com/questions/11833481
[1] https://developer.apple.com/support/compare-memberships/

See above. I recommend earmarking at least 3 X $99/year for an Apple Organization-level Developer ID account.


Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

QGIS Support/Development | Boundless
lshaffer@boundlessgeo.com


On 04/19/2016 02:59 PM, Larry Shaffer wrote:


I can work on this some starting now, but will have even more time after
FOSS4G-NA (after May 9th). Who is the 'go to' on the SAC that can spearhead
procuring code-signing certificates with the money already allocated?

I have done some more research. From what I have found, Apple *requires*
that the signing certificate for passing Mac Gatekeeper policies be an
Apple CA-signed certificate that has been generated from a CSR of only a
valid Apple Developer ID [0]. The code can be signed with a third-party
certificate (still securing the app against tampering), but such a signing
will NOT pass Gatekeeper, i.e. purchasing a non-Apple code-signing
certificate will be a wasted purchase for Mac distributions.

This means for code-signing Mac OSGeo applications an Apple Developer
account is required. However, there are several options now [1]: Free,
Individual, Organization or Enterprise. I recommend the OSGeo create an
Organization-level ($99/year) account at Apple and set up 'teams' for all
OSGeo projects wishing to distribute Mac apps/installers. I can help with
this, as I have gone through this process for Boundless, for the
code-signing of our Mac apps/installers.

If the SAC feels this is not appropriate for them to manage, maybe just the
QGIS project (pilot project for this) can set up the Apple account instead.

A more general code-signing cert can be used for Windows apps/installers.
More research needs to be done here, as a less expensive solution for the
certificate may be usable.

[0] http://stackoverflow.com/questions/11833481
[1] https://developer.apple.com/support/compare-memberships/


See above. I recommend earmarking at least 3 X $99/year for an Apple
Organization-level Developer ID account.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

I'd say if more than QGIS wants to use this then OSGeo should be the
registered org. Larry, you would be the main point of contact with
Apple. The treasurer of the board handles the money part.

Am I correct in thinking this cert needs to be utilized on a Mac? Seems
coordinating with William (kyngchaos) on the actual implementation would
make sense.

Perhaps we would store the credentials on the secure VM, as a backup?

Are these certs passphrase protected typically? Or can we opt to use
some of the osgeo admin ssh keys to unlock them?

Thanks,
Alex

On Tue, Apr 19, 2016 at 03:59:31PM -0600, Larry Shaffer wrote:

I have done some more research. From what I have found, Apple *requires*
that the signing certificate for passing Mac Gatekeeper policies be an
Apple CA-signed certificate that has been generated from a CSR of only a
valid Apple Developer ID [0]. The code can be signed with a third-party
certificate (still securing the app against tampering), but such a signing
will NOT pass Gatekeeper, i.e. purchasing a non-Apple code-signing
certificate will be a wasted purchase for Mac distributions.

Could OSGeo take an official position against this reduction of user
freedom when it comes to running an Apple system, and provide hints
to take back ownership of owned machines ?

Such mechanisms are a huge obstacle for the spread of open source
software, because even if OSGeo pays the tax the user won't be
able to use the sources, unless she knows how to circumvent the
"Gatekeeper" monster.

Would it be possible, for example, to encode this knowledge inside
the eventually acquired certification itself, or into the signed
binary in form of a popup to warn users about the matter ?

And, as I suggested in another thread, _require_ the payment of a fee
for _downloading_ a signed binary ? The user would then be challenged
to either pay to keep using Gatekeeper or learn to kill it...

--strk;

On 20-04-16 07:55, Sandro Santilli wrote:

Could OSGeo take an official position against this reduction of user
freedom when it comes to running an Apple system, and provide hints
to take back ownership of owned machines ?

Hi Sandro,

How would you see this 'official position'?
An article on the osgeo.org frontpage?

I'm with you that I would be more happy if everybody ran Debian Linux!
Reality is that there are a lot of (Q)GIS Mac users, AND there are FOSS
people wanting to put energy in it to Mac packaging etc. Then at least
let the FOSS experience be a good experience and package it as easy as
possible for them.

And, as I suggested in another thread, _require_ the payment of a fee
for _downloading_ a signed binary ? The user would then be challenged
to either pay to keep using Gatekeeper or learn to kill it...

Well, personally I think that is a good idea: we can make two downloads:
- 10 dollar for signed installer
- free one (plus docs how to install!) for the unsigned one
( though we need two package processes then :( )
I'll put it on the agenda for next PSC meeting to discuss this

Regards,

Richard Duivenvoorde

On Wed, Apr 20, 2016 at 08:43:51AM +0200, Richard Duivenvoorde wrote:

On 20-04-16 07:55, Sandro Santilli wrote:
> Could OSGeo take an official position against this reduction of user
> freedom when it comes to running an Apple system, and provide hints
> to take back ownership of owned machines ?

Hi Sandro,

How would you see this 'official position'?
An article on the osgeo.org frontpage?

Doesn't necessarily need to be on the frontpage, but
somewhere on the webpage, an article about what code signing
is, what does it mean for free software, how user can (or cannot)
determine who they trust and how to (once available) set OSGeo as
a trusted source.

> And, as I suggested in another thread, _require_ the payment of a fee
> for _downloading_ a signed binary ? The user would then be challenged
> to either pay to keep using Gatekeeper or learn to kill it...

Well, personally I think that is a good idea: we can make two downloads:
- 10 dollar for signed installer
- free one (plus docs how to install!) for the unsigned one
( though we need two package processes then :( )
I'll put it on the agenda for next PSC meeting to discuss this

Thanks!

--strk;

Hi Alex,


On Tue, Apr 19, 2016 at 10:42 PM, Alex Mandel <tech_dev@wildintellect.com> wrote:


I’d say if more than QGIS wants to use this then OSGeo should be the
registered org. Larry, you would be the main point of contact with
Apple. The treasurer of the board handles the money part.

Yes, I can do that. However, there is a Free account now, but it will lack a Developer ID. So, from what I understand, the code will be signed, but the OSGeo or QGIS project would not be indicated as the software’s provenance.

Am I correct in thinking this cert needs to be utilized on a Mac? Seems
coordinating with William (kyngchaos) on the actual implementation would
make sense.

The Apple cert for Mac, yes. A generic code-signing cert is more flexible and would be useful for signing Windows installer package installers, e.g. OSGeo4W or standalone QGIS. Currently on Windows, the default is not to block non-signed, unidentified installers/programs, but this will likely change.

Perhaps we would store the credentials on the secure VM, as a backup?

Whatever works. At some point devs who package installers would need to be trusted, since they need the private CSR key to do the actual signing. If a cert/key is found to be misused, an admin can revoke the cert, as per usual with PKI.

Are these certs passphrase protected typically? Or can we opt to use
some of the osgeo admin ssh keys to unlock them?

They work like a regular PKI cert and chain, just particular use for code-signing, i.e. the private key (used during code signing) can be encrypted. It is usually stored in the Mac Keychain, along with any CA signing chain.

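The distinction Larry draws above (an Apple-issued Developer ID chain is what Gatekeeper accepts, while a signature from any other CA still protects integrity but leaves the app "unidentified") can be checked from the signed bundle itself. The following is an added example, not code from this thread, QGIS, OSGeo or Apple: it parses the report `codesign -dv --verbose=4` prints and classifies the certificate chain. The sample reports are constructed, with placeholder organisation names, bundle identifiers and team ids.

```python
"""Classify a macOS code signature from the report `codesign -dv --verbose=4`
prints. Added example for this thread; not code from QGIS, OSGeo or Apple.

Verdicts follow the cases the thread discusses: an Apple-issued Developer ID
chain (what Gatekeeper accepts), a chain from another CA (tamper-protected but
"unidentified" to Gatekeeper), and ad-hoc or missing signatures. For .pkg
installers `pkgutil --check-signature` prints a similar chain; not wired here.
"""
import subprocess
from typing import Dict, List

DEVELOPER_ID = "developer-id"      # Apple Developer ID chain: Gatekeeper accepts
APPLE_OTHER = "apple-other-chain"  # Apple-issued but not Developer ID (dev cert)
THIRD_PARTY = "third-party-ca"     # root CA is not Apple's: Gatekeeper blocks
ADHOC = "adhoc"                    # ad-hoc signature, no certificate at all
UNSIGNED = "unsigned"


def parse_codesign_output(text: str) -> Dict[str, List[str]]:
    """Turn codesign's key=value report into a dict of lists; repeated keys
    such as Authority= keep print order: leaf certificate first, root last."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def classify_signature(text: str) -> str:
    """Map a codesign report to one of the verdict constants above."""
    if "code object is not signed at all" in text:
        return UNSIGNED
    fields = parse_codesign_output(text)
    if "adhoc" in fields.get("Signature", []):
        return ADHOC
    authorities = fields.get("Authority", [])
    if not authorities:
        return UNSIGNED
    leaf, root = authorities[0], authorities[-1]
    if root != "Apple Root CA":
        return THIRD_PARTY   # a valid chain, but not one Gatekeeper trusts
    if leaf.startswith("Developer ID Application:"):
        return DEVELOPER_ID  # the identity Gatekeeper shows the user
    return APPLE_OTHER       # e.g. "Mac Developer:" certs, not for distribution


def inspect_bundle(path: str) -> str:
    """Run codesign on an .app or binary and classify the result (macOS only).
    Since macOS 10.15 Gatekeeper also requires notarization, so DEVELOPER_ID is
    necessary, not sufficient; `spctl --assess -vv PATH` gives the final word."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True, check=False)
    return classify_signature(proc.stderr)  # codesign reports on stderr


# Constructed sample reports in codesign's format; organisation names, bundle
# identifiers and team ids are placeholders, not real values.
SAMPLE_DEVELOPER_ID = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=31+3 location=embedded
Signature size=8915
Authority=Developer ID Application: Example Org (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=20 Apr 2016, 10:00:00
TeamIdentifier=TEAMID0000
"""

# Same bundle signed with a development certificate instead of Developer ID.
SAMPLE_DEV_CERT = SAMPLE_DEVELOPER_ID.replace(
    "Developer ID Application: Example Org (TEAMID0000)",
    "Mac Developer: Example Dev (TEAMID0000)").replace(
    "Developer ID Certification Authority",
    "Apple Worldwide Developer Relations Certification Authority")

SAMPLE_THIRD_PARTY = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Authority=Example Org Code Signing
Authority=Example Commercial Code Signing CA
Authority=Example Commercial Root CA
TeamIdentifier=not set
"""

SAMPLE_ADHOC = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Signature=adhoc
TeamIdentifier=not set
"""

SAMPLE_UNSIGNED = "/Applications/Example.app: code object is not signed at all\n"
```

On a Mac, `inspect_bundle("/Applications/QGIS.app")` runs the real check; elsewhere only the constructed samples can be classified.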

Hi,


If the OSGeo is considering taking the following stances…

  • referring to the industry standard practice of code-signing, which protects the user from anyone tampering with software they are installing or have installed, as something that needs a workaround;

  • that the default security practices and implementations on major OSes is somehow evil to their users, and that the users need protected from such losses of freedom;

  • that the OSGeo needs to train users on how to circumvent these default security protections;

then an anti-reality warp is in effect, which will only hurt users who actually just want to use the open-source software.

If that is indeed the case, I will personally pay this ‘tax’ on behalf of Mac QGIS users’ peace of mind (note, I already do). Or, maybe it's just not worth the cost and effort of trying to effect real change against proprietary geospatial software here in the US until all desktop users switch to Linux.

On Wed, Apr 20, 2016 at 3:58 AM, Sandro Santilli <strk@keybit.net> wrote:


Doesn’t necessarily need to be on the frontpage, but
somewhere on the webpage, an article about what code signing
is, what does it mean for free software, how user can (or cannot)
determine who they trust and how to (once available) set OSGeo as
a trusted source.


Thanks!

--strk;

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

On Wed, Apr 20, 2016 at 04:39:03AM -0600, Larry Shaffer wrote:

Hi,

If the OSGeo is considering taking the following stances...

Larry, it looks like you misunderstood my stances completely.

* referring to the industry standard practice of code-signing, which
protects the user from anyone tampering with software they are installing
or have installed, as something that needs a workaround;

I've nothing against code-signing, but I think the user needs to be
able to decide who to trust.

* that the default security practices and implementations on major OSes is
somehow evil to their users, and that the users need protected from such
losses of freedom;

It is evil if an OS enforces what's good or bad to a user.
Not evil if the user decides who to trust.

* that the OSGeo needs to train users on how to circumvent these default
security protections;

OSGeo needs to train users on how to tell their OS to trust OSGeo,

then an anti-reality warp is in effect, which will only hurt users who
actually just want to use the open-source software.

Users that just want to use open-source software should be able to
do so w/out their OS fighting against that. If any OS is fighting,
OS advocates should fight back.

--strk;

On 04/20/2016 01:54 PM, Sandro Santilli wrote:

On Wed, Apr 20, 2016 at 04:39:03AM -0600, Larry Shaffer wrote:

Hi,

If the OSGeo is considering taking the following stances...

Larry, it looks like you misunderstood my stances completely.

* referring to the industry standard practice of code-signing, which
protects the user from anyone tampering with software they are installing
or have installed, as something that needs a workaround;

I've nothing against code-signing, but I think the user needs to be
able to decide who to trust.

* that the default security practices and implementations on major OSes is
somehow evil to their users, and that the users need protected from such
losses of freedom;

It is evil if an OS enforces what's good or bad to a user.
Not evil if the user decides who to trust.

* that the OSGeo needs to train users on how to circumvent these default
security protections;

OSGeo needs to train users on how to tell their OS to trust OSGeo,

then an anti-reality warp is in effect, which will only hurt users who
actually just want to use the open-source software.

Users that just want to use open-source software should be able to
do so w/out their OS fighting against that. If any OS is fighting,
OS advocates should fight back.

--strk;

Hi,

I totally agree with Sandro on this issue.

Best,
Angelos

--
Angelos Tzotsos, PhD
OSGeo Charter Member
http://users.ntua.gr/tzotsos

On Wed, Apr 20, 2016 at 04:23:58PM +0100, Jonathan Moules wrote:

That said, I don't know what the solution is, but I do know that
relying on user awareness is a recipe for the botnet filled internet we
have today.

I'm not talking about "relying on" but about "raising" the user
awareness. Hiding the problem of having put trust in the sole hands
of the OS provider doesn't help with that.

I see how this trust chain harms availability of software in the
smartphone world. Most services only ship their code via the "official
store". No easy way to get a direct link to an .apk package directly
from the authors. Most software _writers_ solely rely on the device
store, forcing users to _register_ (and give their personal data) to
the store owner, and even accepting to _pay_ for that disservice.

The only advantage here goes to the "land" lords, whereas the "land"
is the hardware we think to _buy_, as user, but in fact are just
_renting_.

REMINDER: I'm not against buying those certificates, but I would
          consider it an investment in an information campaign.

--strk;

Hi Sandro,


On Wed, Apr 20, 2016 at 4:54 AM, Sandro Santilli <strk@keybit.net> wrote:

On Wed, Apr 20, 2016 at 04:39:03AM -0600, Larry Shaffer wrote:

Hi,

If the OSGeo is considering taking the following stances…

Larry, it looks like you misunderstood my stances completely.

  • referring to the industry standard practice of code-signing, which
    protects the user from anyone tampering with software they are installing
    or have installed, as something that needs a workaround;

I’ve nothing against code-signing, but I think the user needs to be
able to decide who to trust.

  • that the default security practices and implementations on major OSes is
    somehow evil to their users, and that the users need protected from such
    losses of freedom;

It is evil if an OS enforces what’s good or bad to a user.
Not evil if the user decides who to trust.

  • that the OSGeo needs to train users on how to circumvent these default
    security protections;

OSGeo needs to train users on how to tell their OS to trust OSGeo,

then an anti-reality warp is in effect, which will only hurt users who
actually just want to use the open-source software.

Users that just want to use open-source software should be able to
do so w/out their OS fighting against that. If any OS is fighting,
OS advocates should fight back.

You bring up some good points here, but unfortunately none of that is plausible, with regards to Mac applications/installers that need to have a user verify their provenance.

Here are the facts:

  • Current situation is totally broken. When a Mac user installs anything not code-signed, by default, they are prompted that it can not be installed at all, unless the user turns OFF default security settings. So, there is no decision of trust here for most users. Most will simply not install the software because it looks as though they should NOT trust the developers.

  • Apple IS a trusted Certificate Authority in this instance. The web of trust must end somewhere. If not with the developer of the OS itself, then who? You would be hard pressed to find a regular Mac user willing to install any other Certificate Authority for a code-signing trust chain.

  • Apple requires control over signing developers certificates. Their ‘walled garden’ approach is both a bane and boon for iOS; and they are pushing for the same on Mac OS X (to a certain extent). As such, we as developers can not ask users to place their trust elsewhere, like with a self-signed OSGeo or standard root Certificate Authority. It is just not, nor will it be in the foreseeable future, a technical possibility on Mac OS X.

  • Asking users to do anything to bypass the default security settings on Mac completely misplaces their decision of trust away from our developers. Any developer of standard release desktop software that asks users to bypass security to use their software is immediately susceptible to lack of trust.

  • Linux users generally don’t care much about Mac users’ woes. Fair enough, but many of us not only care but also want FOSS4G software to flourish there. It is a stable and evermore popular platform.

I wish the Mac code-signing issue were not this way, but it plainly is. Until there is a solution in place we, as packagers, will continue to look untrustworthy if we do nothing or expect users to bypass any security.

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota


On Wed, Apr 20, 2016 at 10:22:36AM -0600, Larry Shaffer wrote:

I wish the Mac code-signing issue were not this way, but it plainly is.
Until there is a solution in place we, as packagers, will continue to look
untrustworthy if we do nothing or expect users to bypass any security.

First of all I'd stop calling it "security".
It's a semantic battle to fight here.
If we cannot ask the user to give OSGeo and/or other free software
actors their _trust_, we should ask the user to pay for the penalty
of leaving their trust in the sole hands of Apple.

The software is free, they can download sources, build binaries from
the sources, but they would not be able to install the sources they
build UNLESS they break out the Apple jail _or_ pay Apple a fee to
do that.

Just let them know about this. Those systems are defective. By design.
Raise a BIG WARNING on installation. Let them know they are running a
broken system.

Obtain their attention by providing an Apple certificate, but then use
that attention wisely.

Let the user know she's being used as a product by Apple,
which sucks money out of those willing to be trusted by her.

Let the user know he's being fooled by Apple, calling
his freedom of choice a "security concern".

--strk;

On Wed, Apr 20, 2016 at 05:36:58PM +0100, Jonathan Moules wrote:

Hi Sandro
I get what you're saying, and entirely agree with the principle.
But unfortunately the practicalities disagree; compare Android and iphones - Apple has a closed ecosystem and a fraction of the malware that Android has (anything from 3%-20% depending on the report). The primary difference between the platforms is the fact that anyone can install whatever on Android but there's more stringent curation on an Apple. In many cases those files you can access on Android contain Bad Things.

I disagree. Most files I can access on my computer do not contain Bad
Things, as I decide who to trust. I only install software from sources
I trust, those where the software is distributed with a free software
license, that comes with _sources_ I can inspect, which has a
community I can confront with.

On android there's an excellent project to build some trust around
free software binaries: f-droid.org.

Is deciding who to trust a difficult task ? YES.
Is delegating that hard decision to a single provider to be recommended ?
NO, in my opinion. But that's your choice (or is it ?).

Raising user awareness only works to an extent. If users aren't
following basic security awareness already, I'm not sure an OSGEO\QGIS
campaign would achieve much.

Not only the battles you're sure to win are worth fighting.

--strk;

Dear SAC,

OK, just like last time I brought this up, this has devolved into more lovely Apple bashing.

Who here can make a decision on whether any of the money already OK’d by the OSGeo for code-signing certificates can be used for an Apple Developer account for $99/year (for multiple certs)?


If the OSGeo is unwilling to fund Apple Developer accounts, I will look into a crowd-funding campaign for the QGIS project to solve the problem. Unless the QGIS project also does not wish to manage it; in which case I will pay for it myself and share the certificates/keys with William Kyngsburye.

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

On 04/20/2016 10:43 AM, Larry Shaffer wrote:

Dear SAC,

OK, just like last time I brought this up, this has devolved into more
lovely Apple bashing.

Who here can make a decision on whether any of the money already OK'd by
the OSGeo for code-signing certificates can be used for an Apple Developer
account for $99/year (for multiple certs)?

If the OSGeo is unwilling to fund Apple Developer accounts, I will look
into a crowd-funding campaign for the QGIS project to solve the problem.
Unless the QGIS project also does not wish to manage it; in which case I
will pay for it myself and share the certificates/keys with William
Kyngsburye.

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

I'll reiterate, if QGIS and any other OSGeo projects feel this is
worthwhile then I support it as a necessary means to helping ensure
users. For me the only question is what other OSGeo projects feel this
is important? Obviously anything William Kyngsburye packages seems like
a candidate.

I wouldn't mind an OSGeo crowd-funding campaign to keep this funded long
term. But really that cost is not outrageous.

For me this question falls under the general principle that OSGeo is
here to support its member projects. Yes there are limits to what we
can do, but this request seems reasonable. Does someone recall what the
Board said about it? If they approved then really we just need to work
on the technical details of how to implement, not debate implementation.
Any complaints should be addressed at future Board meetings.

Thanks,
Alex

On Apr 20, 2016, at 2:13 PM, Alex M <tech_dev@wildintellect.com> wrote:

__________________________________

Here is the board announcement authorizing up to $500 USD/annual for the SAC to obtain signing certificates:
https://lists.osgeo.org/pipermail/board/2015-October/013445.html

Norman

On 04/20/2016 11:23 AM, Norman Vine wrote:


Ok so moving forward with the technical parts.

1. Larry please coordinate with the Treasurer Michael Smith, to pay for
the account.
2. Larry please create a wiki page linked to SAC describing the process,
contacts and any other important details.
3. Can someone make sure Larry is in the SAC shell group and get him
access to store the certs and generate CSRs on the Secure VM?

Larry, should we create an organizational email address (alias or list)
to match this so that multiple admins can be in the know?

Only other question is how should we store the various authentication
components that might need to be shared. I've been pondering we need to
improve our current system.

Thanks,
Alex
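As an added illustration of step 3 above (generating the certificate request on a locked-down host while the private key stays put), here is a small POSIX shell script. It is an example written for this page, not a script from the thread, from SAC, or from the QGIS project, and it makes several assumptions: the `openssl` command-line tool is installed, the working directory (`$1`) and subject fields (`Example Org`, `Release Engineering`, and the common name passed as `$2`) are constructed placeholders, and the CA's own submission steps are out of scope. The point it shows is the handling discipline a second admin can verify afterwards: the key file is created owner-only, the CSR is self-consistent, and the CSR (not the key) is what gets shared.

```shell
#!/bin/sh
# Added example (not from the thread): create a code-signing key pair and a CSR
# in a scratch directory with restrictive permissions, as one might on a
# shared "Secure VM". Assumes the openssl CLI is installed. Subject values are
# constructed placeholders, not any real organization's details.
set -eu

make_codesign_csr() {
    # $1 = working directory, $2 = common name for the certificate subject
    dir="$1"; cn="$2"
    umask 077                      # every file created below is owner-readable only
    mkdir -p "$dir"
    chmod 700 "$dir"
    # 3072-bit RSA key. The private key is written once and never copied out
    # of this directory; only the CSR is meant to leave the host.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$dir/codesign.key" 2>/dev/null
    # The CSR carries the public key and the subject; this is what goes to the CA.
    openssl req -new -key "$dir/codesign.key" -out "$dir/codesign.csr" \
        -subj "/O=Example Org/OU=Release Engineering/CN=$cn" 2>/dev/null
    # Sanity checks a second admin can repeat before the CSR is submitted:
    # 1) the self-signature over the CSR verifies (non-zero exit otherwise);
    openssl req -in "$dir/codesign.csr" -noout -verify 2>/dev/null
    # 2) the key and the CSR agree: the public keys they carry must be identical.
    k1=$(openssl pkey -in "$dir/codesign.key" -pubout 2>/dev/null)
    k2=$(openssl req -in "$dir/codesign.csr" -noout -pubkey 2>/dev/null)
    [ "$k1" = "$k2" ]
}

key_mode() {
    # Print the permission bits of the private key file; expect 600.
    # GNU stat first, BSD/macOS stat as the fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

csr_subject() {
    # Print the subject the CA will see, so it can be checked against the order.
    openssl req -in "$1" -noout -subject 2>/dev/null
}
```

Run it as `make_codesign_csr /path/to/secure/dir "Example Code Signing"`, then hand `codesign.csr` to the CA; `key_mode` and `csr_subject` are the two checks worth recording on the wiki page mentioned in step 2 so that whoever picks up the certificate later can confirm it matches the key that never left the VM.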