
curl-library

Updated Mozilla certdata inclusion?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 11 Feb 2008 14:30:36 +0100 (CET)

Hello

Recently Guenter brought his updated script that makes it very easy to get the
most recent set of ca certs extracted from the Mozilla bundle.

         http://curl.haxx.se/lxr/source/lib/mk-ca-bundle.pl

In the meantime, Eddy Nigg polled the Mozilla guys about how we should view
the license situation for this file, especially after the extraction we do:

         http://article.gmane.org/gmane.comp.mozilla.crypto/8688

(he hasn't got any replies at the time I write this)

I believe Eddy is also the same guy who then posted his take on the license
situation in the curl bug report #1889593, basically saying that the license
situation is a grey area as it seems undefined and not really bothered about
by the Mozilla org and lots of people and organizations are already doing this
sort of stuff. Thus he suggests we can ship the newer bundle just the same way
we ship the older one:

         http://curl.haxx.se/bug/view.cgi?id=1889593

My take on this:

I think I'm slowly leaning towards providing an updated ca bundle, simply
based on all the facts above. The license situation shouldn't be much
different than with the current bundle we provide, and given that Mozilla
knows about this practice and it is done by other parties as well, we won't
introduce something not seen before. The fact that the file is also loaded by
libcurl (not linked into it), should also be "safe" from the view of the
license not really "tainting" libcurl, just that it is a bit dubious on what
the situation is for projects that don't use a license compatible with the
triplet used by Mozilla for certdata.

So, I am interested in getting other people's opinions on this matter to use
as base for a decision on this.

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2008-02-11