[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ca-certificates symlinks out of /etc

* martin f krafft (madduck@debian.org) wrote:
> also sprach Stephen Frost <sfrost@snowman.net> [2006.10.31.2103 +0100]:
> > > How are certificate files not intended to be modified? If they
> > > expire? If they are incomplete?
> > 
> > If they expire then they should be updated by the package.
> The problem with ca-certificate is that it follows policies which
> I don't fully agree with. CAcert's level 3 certificate is not
> included because CAcert has not been audited -- that process by
> itself just smells commercial to me.

I don't see this as relevant to the debate about using symlinks in /etc.

> The package allows the user to cherry-pick the certificates to
> enable anyway; why preselect?

Because it's much more common for users to want at least some set of
certificates enabled on installation.

> > file, if you mean that some certificates are missing, then you're
> > certainly free to add those into that directory as regular files,
> > or to ask for inclusion of them in the package).
> I don't want to maintain local certificates across the dozens of
> machines on which I need them. And the package maintainer doesn't
> seem too cooperative. See e.g. #352248 which has not received a note
> yet.

What certificates are included and why sounds like an issue which
would be more appropriate for the technical committee to comment on,
given there's some disagreement regarding it.  I don't believe this
is any reason to claim that using symlinks as configuration is an RC

As an aside, I'd probably side with the maintainer on this one (not that
I'm on the TC anyway).  I don't really see being audited as being
'commercial' in some kind of bad way.  Third-party audits are very
common and required by some governments (like the US) when working with
sensitive information.  There's not exactly *fun* but having an external
conflict-free entity performing an audit is generally something I
consider a good thing.

> Would you edit the files in /etc/alternatives with an editor?

No, but you certainly might use 'cp' to overwrite them if you're don't
realize they're symlinks.

> I see your point. However, /etc/alternatives deserves a special
> treatment as it is unique in what it does and integrates with the
> whole system.

I really don't see how you can argue that it's acceptable for
alternatives but not for ca-certificates.  I don't see that alternatives
being unique in what it does overall (as most packages are...) as 
meaning that things which it does (symlinks as configuration) are only 
acceptable for it to use.  Either symlinks as configuration is bad and
should be done away with entirely, or they're acceptable and any package
is free to use them.



Attachment: signature.asc
Description: Digital signature

Reply to: