Re: ca-certificates symlinks out of /etc

To: Debian Development <debian-devel@lists.debian.org>
Cc: Fumitoshi UKAI <ukai@debian.or.jp>
Subject: Re: ca-certificates symlinks out of /etc
From: Joey Schulze <joey@infodrom.org>
Date: Sat, 4 Nov 2006 12:52:03 +0100
Message-id: <[🔎] 20061104115203.GA25836@finlandia.home.infodrom.org>
In-reply-to: <20061031181045.GA20364@piper.madduck.net>
References: <20061031181045.GA20364@piper.madduck.net>

martin f krafft wrote:
> ca-certificates installs about 100 certificates into
> /etc/ssl/certs. However, these are not actually dropped into the
> directory; instead, symlinks into /usr/share are put in place:
> 
> piper:/etc/ssl/certs# ls -la /etc/ssl/certs/cacert.org.pem
> lrwxrwxrwx 1 root root 52 2006-10-31 18:56 /etc/ssl/certs/cacert.org.pem -> /usr/share/ca-certificates/cacert.org/cacert.org.crt
> 
> Since #350282 is still being discussed, I ended up doing
> 
>   cat /etc/ssl/certs/cacert-class3.pem >> /etc/ssl/certs/cacert.pem

Is /etc/ssl/certs/cacert.pem a configuration file at all?  I.e. is it
meant to be site-edited/admin-edited?  I would assume that all "files"
in /etc/ssl/certs/ contain only one certificate / upstream certificate
source.

> on systems that needed access to all of CACert's certificates.

Hmm.  Why are the certificates in /etc/ssl/certs/cacert.pem used but
not those from /etc/ssl/certs/cacert-class3.pem?

There was a debconf question in which you could configure which
certificates you want to accept.  Maybe you could accept the
cacert-class3 certificate as well?

> The recent ca-certificates upgrade overwrote this "configuration"
> simply because my /bin/cat call actually changed a file in
> /usr/share, where changes by the admin are not preserved. Yet, due
> to the links in /etc/ssl/certs, the admin is given the impression
> that these are configuration files and can thus be edited according
> to Debian's holy conffile handling policy.

Even worse, the directory listing is totally unreadable because of the
large number of certificates and links in this directory.  Navigating
through it is no fun...

> I consider this a bug, and even release-critical, and would say that
> ca-certificates should use ucf to maintain the certificates in
> /etc/ssl/certs. Arguments against that are to keep /etc small, but
> at 444k I don't see ca-certificates being a culprit.

Maybe one improvement would be to reduce the number of links in this
directory to one per certificate.  Currently for each certificate
provided by ca-certificates the certificate has a link to /usr/share/..
and the hash has a link to the other link.  Wouldn't it be possible to
only create the hash link as a symbolic link to /usr/share/...?

> Please don't tell me to use an editor that writes a new inode when
> changing files. It's not a solution to the problem, even though it
> would address the symptom.

.oO( delink )

Regards,

	Joey

-- 
Reading is a lost art nowadays.  -- Michael Weber

Please always Cc to me when replying to me on the lists.

Reply to:

Follow-Ups:
- Re: ca-certificates symlinks out of /etc
  - From: martin f krafft <madduck@debian.org>
- Re: ca-certificates symlinks out of /etc
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Re: ITP: libauthen-simple-perl -- Simple and consistent framework for authentication
Next by Date: Re: ca-certificates symlinks out of /etc
Previous by thread: Re: ca-certificates symlinks out of /etc
Next by thread: Re: ca-certificates symlinks out of /etc
Index(es):
- Date
- Thread