
Re: ca-certificates symlinks out of /etc

martin f krafft wrote:
> ca-certificates installs about 100 certificates into
> /etc/ssl/certs. However, these are not actually dropped into the
> directory; instead, symlinks into /usr/share are put in place:
> piper:/etc/ssl/certs# ls -la /etc/ssl/certs/cacert.org.pem
> lrwxrwxrwx 1 root root 52 2006-10-31 18:56 /etc/ssl/certs/cacert.org.pem -> /usr/share/ca-certificates/cacert.org/cacert.org.crt
> Since #350282 is still being discussed, I ended up doing
>   cat /etc/ssl/certs/cacert-class3.pem >> /etc/ssl/certs/cacert.pem

Is /etc/ssl/certs/cacert.pem a configuration file at all?  I.e. is it
meant to be site-edited/admin-edited?  I would assume that all "files"
in /etc/ssl/certs/ contain only one certificate / upstream certificate.

> on systems that needed access to all of CACert's certificates.

Hmm.  Why are the certificates in /etc/ssl/certs/cacert.pem used but
not those from /etc/ssl/certs/cacert-class3.pem?

There was a debconf question in which you could configure which
certificates you want to accept.  Maybe you could accept the
cacert-class3 certificate as well?

> The recent ca-certificates upgrade overwrote this "configuration"
> simply because my /bin/cat call actually changed a file in
> /usr/share, where changes by the admin are not preserved. Yet, due
> to the links in /etc/ssl/certs, the admin is given the impression
> that these are configuration files and can thus be edited according
> to Debian's holy conffile handling policy.

Even worse, the directory listing is totally unreadable because of the
large number of certificates and links in this directory.  Navigating
through it is no fun...

> I consider this a bug, and even release-critical, and would say that
> ca-certificates should use ucf to maintain the certificates in
> /etc/ssl/certs. Arguments against that are to keep /etc small, but
> at 444k I don't see ca-certificates being a culprit.

Maybe one improvement would be to reduce the number of links in this
directory to one per certificate.  Currently for each certificate
provided by ca-certificates the certificate has a link to /usr/share/..
and the hash has a link to the other link.  Wouldn't it be possible to
only create the hash link as a symbolic link to /usr/share/...?

> Please don't tell me to use an editor that writes a new inode when
> changing files. It's not a solution to the problem, even though it
> would address the symptom.

.oO( delink )



Reading is a lost art nowadays.  -- Michael Weber

Please always Cc to me when replying to me on the lists.

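To make the failure mode in the quoted report concrete, here is an added shell example (not from this thread or the ca-certificates package). It builds a constructed scratch tree mimicking the /etc -> /usr/share symlink layout, shows that appending through the /etc symlink changes the package-owned file under /usr/share, and then applies the "delink" step from the reply: replacing the symlink with a private copy so the edit stays in /etc. The temp-root paths and certificate contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the quoted problem in a
# scratch tree: /etc/ssl/certs/*.pem are symlinks into
# /usr/share/ca-certificates, so `cat >> symlink` writes to the file that
# the package owns and will overwrite on the next upgrade.
set -e

# Build a constructed mini layout under a temp dir (all paths hypothetical).
setup_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/share/ca-certificates/cacert.org" "$root/etc/ssl/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ROOT-CONSTRUCTED' \
        '-----END CERTIFICATE-----' \
        > "$root/usr/share/ca-certificates/cacert.org/cacert.org.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CLASS3-CONSTRUCTED' \
        '-----END CERTIFICATE-----' \
        > "$root/usr/share/ca-certificates/cacert.org/class3.crt"
    # Same shape as the ls -la output in the report: /etc link -> /usr/share file
    ln -s "$root/usr/share/ca-certificates/cacert.org/cacert.org.crt" \
        "$root/etc/ssl/certs/cacert.pem"
    ln -s "$root/usr/share/ca-certificates/cacert.org/class3.crt" \
        "$root/etc/ssl/certs/cacert-class3.pem"
    echo "$root"
}

# "delink": replace a symlink in /etc with a regular file holding the same
# bytes, so later edits land in /etc and /usr/share stays untouched.
delink() {
    link=$1
    [ -L "$link" ] || return 0          # already a real file: nothing to do
    target=$(readlink -f "$link")
    cp -p "$target" "$link.tmp"
    mv "$link.tmp" "$link"              # rename replaces the link, not its target
}

# Number of certificates in a PEM bundle (one BEGIN line per certificate).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}
```

Run `delink` on the /etc file before any `cat >>`; afterwards `ls -la` shows a regular file and the /usr/share copy keeps its single certificate.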