Re: RFC: raising ca-certificates package Priority to standard or important

[Steve McIntyre <steve@einval.com>]

Hey Julien,

On Fri, Jan 22, 2021 at 12:00:56PM +0100, Julien Cristau wrote:
>On Thu, Jan 21, 2021 at 02:47:25PM -0300, Antonio Terceiro wrote:
>> On Thu, Jan 21, 2021 at 03:10:47PM +0100, Julien Cristau wrote:
>> > And which of standard or important made most sense (AIUI, standard
>> > means "installed by default in d-i" and important means "installed by
>> > default in debootstrap").
>> 
>> wget is already Priority: standard and recommends ca-certificates, so it
>> seems to me that making it standard would be a noop in practice for most
>> of the systems installed by d-i.
>> 
>> On the other hand, all cases that I remember seeing a problem caused by
>> missing ca-certificates was in systems not installed by d-i, such as
>> containers, vm images, etc. Based on that, I would make it important.
>
>Here's my thinking on this:
>I would expect "standard" to get installed on "general purpose" VM
>images, and "important" *not* to get installed on "minimal" container or
>VM images.  Looking at the docker debian image build script just now[1],
>it seems to pull in required packages + iproute2 and ping, so it has its
>own selection that doesn't include "important" priority.  So changing
>the severity, by itself, won't change anything unless we go all the way
>to "required" which feels like it'd be going too far (but then I also
>don't think apt should be "required").
>If there are specific examples where you think "important" would help
>I'd be interested; right now I'm sort of favouring "standard" as good
>enough.

Sounds like good logic to me.

Thanks for looking into this!

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
Can't keep my eyes from the circling sky,
Tongue-tied & twisted, Just an earth-bound misfit, I...