Re: Location of the /usr/lib/ssl/certs symlink in the installer environment

On 11/23/2016 06:43 PM, Kurt Roeckx wrote:
> On Wed, Nov 23, 2016 at 05:20:15PM +0100, Philipp Kern wrote:
>> when trying to add HTTPS support to the installer I noticed that openssl
>> seems to read /usr/lib/ssl/certs by default, rather than /etc/ssl/certs.
>> In Debian proper openssl (the binary package of the CLI) ships this as a
>> symlink to /etc/ssl/certs. Do you have a preference of where this
>> symlink should live in the installer environment? Should it be
>> libssl1.1-udeb or ca-certificates-udeb (which does not exist yet, I just
>> filed a bug with a patch to create it)?
> That makes me wonder what happens when the openssl binary isn't installed
> on other systems. Does it fail to find its certificate store?

I wondered the same thing. Unfortunately ca-certificates actually
depends on openssl (for c_rehash), so if you have the certs, then you
will have the symlink.

> But I guess adding that to the libssl / libcrypto package makes it
> more complicated to upgrade after an soname change.  I wonder if I
> should change the default instead.

Well, AFAICS it might also use the /usr/lib/ssl/openssl.cnf to
/etc/ssl/openssl.cnf symlink. I thought initially that for the udeb it
might not matter much if it's in libssl* but you are right, it would be
cleaner not to have it there.

> ca-certificates could also always ship it ...

Yeah, except when it triggers a file conflict because people did not
coordinate it. ;-)

For the -udeb that's certainly true because we control the bits more
tightly there. So I shall add it to the udeb patch then. Thanks!

Kind regards
Philipp Kern
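
The condition discussed in this thread, as an added example that is not part of the original message or of any Debian package: a shell check of the two paths libssl resolves relative to its compiled-in directory (`/usr/lib/ssl` above), `certs` and `openssl.cnf`. The function names are hypothetical, and the check assumes the trust store is a c_rehash-style directory of `<8 hex digits>.<n>` links.

```shell
#!/bin/sh
# Added example. Checks the two paths libssl resolves relative to OPENSSLDIR
# (/usr/lib/ssl in the thread): certs/ and openssl.cnf.

# Ask the installed CLI for its compiled-in directory; prints e.g. /usr/lib/ssl.
default_openssldir() {
    openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Count entries named <8 hex digits>.<n>, the form c_rehash creates and the
# names the library's hashed-directory lookup opens.
count_hashed() {
    n=0
    for f in "$1"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# check_openssldir DIR: one verdict line per path; returns 0 only if certs/ is usable.
check_openssldir() {
    dir=$1; rc=0
    if [ -L "$dir/certs" ] && [ ! -e "$dir/certs" ]; then
        # Symlink shipped, but its target (e.g. /etc/ssl/certs) is absent.
        echo "certs: dangling -> $(readlink "$dir/certs")"; rc=1
    elif [ ! -d "$dir/certs" ]; then
        # Neither a directory nor a symlink: the case the thread is about.
        echo "certs: missing"; rc=1
    else
        hashed=$(count_hashed "$dir/certs")
        if [ "$hashed" -eq 0 ]; then
            echo "certs: no hashed entries"; rc=1
        else
            echo "certs: ok ($hashed hashed)"
        fi
    fi
    if [ -e "$dir/openssl.cnf" ]; then
        echo "openssl.cnf: ok"
    else
        echo "openssl.cnf: missing"
    fi
    return "$rc"
}
```

On a system with the CLI installed, `check_openssldir "$(default_openssldir)"` reports on the live configuration; in an installer image, pass the directory explicitly.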
