On 11/23/2016 06:43 PM, Kurt Roeckx wrote:
> On Wed, Nov 23, 2016 at 05:20:15PM +0100, Philipp Kern wrote:
>> when trying to add HTTPS support to the installer I noticed that openssl
>> seems to read /usr/lib/ssl/certs by default, rather than /etc/ssl/certs.
>> In Debian proper openssl (the binary package of the CLI) ships this as a
>> symlink to /etc/ssl/certs. Do you have a preference of where this
>> symlink should live in the installer environment? Should it be
>> libssl1.1-udeb or ca-certificates-udeb (which does not exist yet, I just
>> filed a bug with a patch to create it)?
> That makes me wonder what happens when the openssl binary isn't installed
> on other systems. Does it fail to find its certificate store?

I wondered the same thing. Unfortunately ca-certificates actually depends on
openssl (for c_rehash), so if you have the certs, then you will have the
symlink.

> But I guess adding that to the libssl / libcrypto package makes it
> more complicated to upgrade after an soname change. I wonder if I
> should change the default instead.

Well, AFAICS it might also use the /usr/lib/ssl/openssl.cnf to
/etc/ssl/openssl.cnf symlink. I thought initially that for the udeb it might
not matter much if it's in libssl* but you are right, it would be cleaner not
to have it there.

> ca-certificates could also always ship it ...

Yeah, except when it triggers a file conflict because people did not
coordinate it. ;-) For the -udeb that's certainly true because we control the
bits more tightly there. So I shall add it to the udeb patch then. Thanks!

Kind regards
Philipp Kern
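A way to check the situation discussed in this thread inside a target tree such as an unpacked installer image, added here as an example and not part of the original message or of any Debian package. The function names `resolve_in_root` and `check_openssl_paths` are hypothetical; the paths are the ones named in the message, and the `<8 hex digits>.<n>` pattern is the link naming that c_rehash produces.

```shell
#!/bin/sh
# Added example. ROOT is the tree to inspect; ROOT="" means the live system.

# resolve_in_root ROOT PATH: follow symlinks at PATH, interpreting absolute
# link targets relative to ROOT instead of the host's own /.
resolve_in_root() {
    root=$1 path=$2 hops=0
    while [ -L "$root$path" ] && [ "$hops" -lt 16 ]; do
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;
            *)  path=$(dirname "$path")/$target ;;
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$path"
}

# check_openssl_paths ROOT: returns 0 only if /usr/lib/ssl/certs resolves to a
# directory holding at least one hashed entry. A missing openssl.cnf is
# reported but does not change the return code.
check_openssl_paths() {
    root=$1 rc=0
    certs=$(resolve_in_root "$root" /usr/lib/ssl/certs)
    if [ ! -d "$root$certs" ]; then
        echo "certs: /usr/lib/ssl/certs -> $certs (missing)"; rc=1
    else
        n=$(ls "$root$certs" | grep -c -E '^[0-9a-f]{8}\.[0-9]+$' || true)
        echo "certs: /usr/lib/ssl/certs -> $certs ($n hashed entries)"
        [ "$n" -gt 0 ] || rc=1
    fi
    conf=$(resolve_in_root "$root" /usr/lib/ssl/openssl.cnf)
    if [ -f "$root$conf" ]; then
        echo "conf:  /usr/lib/ssl/openssl.cnf -> $conf"
    else
        echo "conf:  /usr/lib/ssl/openssl.cnf -> $conf (missing)"
    fi
    return $rc
}
```

A non-zero return means a TLS client relying on the default certificate directory in that tree would find no usable trust anchors there.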