Re: ca-certificates symlinks out of /etc

On Thu, Nov 02, 2006 at 12:01:12PM +0100, martin f krafft wrote:
> Anyway, thanks for the discussion. I don't think I heard a single
> argument for using symlinks, other than to save 440k of space in
> /etc.

Symlinks just make _sense_. It's the idiocy of other OSes to duplicate
data because they have no proper notion of symlinks. I always hate
arguments like this to "make things worse for people who know UNIX
because there are some dumb users who don't".

So, here is a constructive solution for those who do not like symlinks
in /etc:

- Rebuild OpenSSL with X509_CERT_DIR in crypto/cryptlib.h defined as
  "/etc/ssl/certs:/var/ssl/certs". I did not test it, but looking at the
  OpenSSL sources It Should Just Work.
- Change ca-certificates to create the symlinks in /var/ssl/certs
  instead of in /etc/ssl/certs, and make it clear that the user should not
  manually alter the contents of /var/ssl/certs or else he/she should
  keep both pieces when something breaks.
- Declare /etc/ssl/certs to be the playground of the local sysadmin. No
  package should touch anything inside it.

That gives you the best of both worlds with minimal effort.

Gabor
--
---------------------------------------------------------
MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences
---------------------------------------------------------
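
A check for the split layout proposed in the message above, as an added example that is not part of the original post or of the ca-certificates package. It assumes that hash links made by the local admin resolve inside the admin directory while package-made links resolve outside it, and it runs against a constructed temporary fixture rather than the real /etc/ssl/certs and /var/ssl/certs; the function names and finding labels are hypothetical.

```shell
#!/bin/sh
# audit_split_layout LOCAL_DIR MANAGED_DIR: print one finding per line.
# Assumption (not from the thread): links made by the admin's own rehash stay
# inside LOCAL_DIR, while package-made links resolve outside it.
audit_split_layout() {
    local_dir=$1
    managed_dir=$2
    local_real=$(cd "$local_dir" && pwd -P) || return 2
    # Admin directory: a link that leaves it means a package still writes here.
    for f in "$local_dir"/*; do
        [ -L "$f" ] || continue
        if [ ! -e "$f" ]; then
            echo "DANGLING $f"
            continue
        fi
        case $(readlink -f "$f") in
            "$local_real"/*) ;;
            *) echo "PACKAGE_LINK_IN_LOCAL $f" ;;
        esac
    done
    # Managed directory: only live symlinks belong here. A regular file is a
    # manual edit; a dead link is left over from a removed certificate.
    for f in "$managed_dir"/*; do
        if [ -L "$f" ]; then
            [ -e "$f" ] || echo "DANGLING $f"
        elif [ -e "$f" ]; then
            echo "MANUAL_FILE_IN_MANAGED $f"
        fi
    done
}

# Constructed fixture standing in for /etc/ssl/certs, /var/ssl/certs and a
# package certificate store; all file names and hash values are made up.
build_fixture() {
    root=$(mktemp -d) || return 1
    store=$root/usr/share/ca-certificates
    mkdir -p "$root/etc/ssl/certs" "$root/var/ssl/certs" "$store"
    echo "constructed CA" > "$store/example-ca.crt"
    echo "constructed local CA" > "$root/etc/ssl/certs/site-ca.pem"
    ln -s site-ca.pem "$root/etc/ssl/certs/0a1b2c3d.0"             # admin's link
    ln -s "$store/example-ca.crt" "$root/etc/ssl/certs/11111111.0" # package leftover
    ln -s "$store/example-ca.crt" "$root/var/ssl/certs/11111111.0" # as proposed
    ln -s "$store/removed.crt" "$root/var/ssl/certs/22222222.0"    # dangling
    echo "hand-edited" > "$root/var/ssl/certs/extra.pem"           # manual file
    echo "$root"
}

demo_root=$(build_fixture) || exit 1
audit_split_layout "$demo_root/etc/ssl/certs" "$demo_root/var/ssl/certs"
rm -rf "$demo_root"
```

On the fixture it reports the package link left in the admin directory, the dangling link and the hand-placed file in the managed directory, and nothing for the admin's own hash link.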