
Re: ca-certificates symlinks out of /etc

On Thu, Nov 02, 2006 at 12:01:12PM +0100, martin f krafft wrote:

> Anyway, thanks for the discussion. I don't think I heard a single
> argument for using symlinks, other than to save 440k of space in
> /etc.

Symlinks just make _sense_. It's the idiocy of other OSes to duplicate
data because they have no proper notion of symlinks. I always hate
arguments like this to "make things worse for people who know UNIX
because there are some dumb users who don't".

So, here is a constructive solution for those who do not like symlinks
in /etc:

- Rebuild OpenSSL with X509_CERT_DIR in crypto/cryptlib.h defined as
  "/etc/ssl/certs:/var/ssl/certs". I did not test it, but looking at the
  OpenSSL sources It Should Just Work.

- Change ca-certificates to create the symlinks in /var/ssl/certs
  instead of in /etc/ssl/certs, and make it clear that the user should not
  manually alter the contents of /var/ssl/certs or else he/she should
  keep both pieces when something breaks.

- Declare /etc/ssl/certs to be the playground of the local sysadmin. No
  package should touch anything inside it.

That gives you the best of both worlds with minimal effort.


     MTA SZTAKI Computer and Automation Research Institute
                Hungarian Academy of Sciences
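
An audit for the two-directory layout proposed in the message above, as an added example that is not part of the original post or of ca-certificates. It assumes hashed entry names of the form `xxxxxxxx.N` and a colon-separated directory list; the temporary directory tree, the `pkgstore` directory and the hash names are constructed sample data.

```python
import os
import re
import tempfile

HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")  # hashed-dir entry, e.g. 1a2b3c4d.0

def audit_cert_dirs(cert_path):
    """Audit a colon-separated certificate directory list.

    Returns (dangling, overlaps): symlinks whose target is gone, and
    (later_path, earlier_path) pairs where the same hashed name exists
    in more than one directory and should be reviewed by the admin.
    """
    dangling, overlaps, seen = [], [], {}
    for d in cert_path.split(":"):
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not HASH_NAME.match(name):
                continue
            full = os.path.join(d, name)
            if os.path.islink(full) and not os.path.exists(full):
                dangling.append(full)  # target removed; this entry cannot load
            elif name in seen:
                overlaps.append((full, seen[name]))
            else:
                seen[name] = full
    return dangling, overlaps

def build_sample(root):
    """Constructed layout: admin-owned etc dir, package-owned var dir."""
    etc = os.path.join(root, "etc/ssl/certs")
    var = os.path.join(root, "var/ssl/certs")
    store = os.path.join(root, "pkgstore")  # hypothetical package PEM store
    for d in (etc, var, store):
        os.makedirs(d)
    for pem in ("a.pem", "b.pem"):
        with open(os.path.join(store, pem), "w") as f:
            f.write("placeholder, not a real certificate\n")
    os.symlink(os.path.join(store, "a.pem"), os.path.join(var, "11111111.0"))
    os.symlink(os.path.join(store, "b.pem"), os.path.join(var, "22222222.0"))
    os.symlink(os.path.join(store, "gone.pem"), os.path.join(var, "33333333.0"))
    with open(os.path.join(etc, "11111111.0"), "w") as f:
        f.write("local admin copy, placeholder\n")
    return etc + ":" + var

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(audit_cert_dirs(build_sample(root)))
```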
