Re: ca-certificates symlinks out of /etc
martin f krafft wrote:
> ca-certificates installs about 100 certificates into
> /etc/ssl/certs. However, these are not actually dropped into the
> directory; instead, symlinks into /usr/share are put in place:
>
> piper:/etc/ssl/certs# ls -la /etc/ssl/certs/cacert.org.pem
> lrwxrwxrwx 1 root root 52 2006-10-31 18:56 /etc/ssl/certs/cacert.org.pem -> /usr/share/ca-certificates/cacert.org/cacert.org.crt
>
> Since #350282 is still being discussed, I ended up doing
>
> cat /etc/ssl/certs/cacert-class3.pem >> /etc/ssl/certs/cacert.pem
Is /etc/ssl/certs/cacert.pem a configuration file at all? I.e. is it
meant to be site-edited/admin-edited? I would assume that all "files"
in /etc/ssl/certs/ contain only one certificate / upstream certificate
source.
> on systems that needed access to all of CACert's certificates.
Hmm. Why are the certificates in /etc/ssl/certs/cacert.pem used but
not those from /etc/ssl/certs/cacert-class3.pem?
There was a debconf question in which you could configure which
certificates you want to accept. Maybe you could accept the
cacert-class3 certificate as well?
> The recent ca-certificates upgrade overwrote this "configuration"
> simply because my /bin/cat call actually changed a file in
> /usr/share, where changes by the admin are not preserved. Yet, due
> to the links in /etc/ssl/certs, the admin is given the impression
> that these are configuration files and can thus be edited according
> to Debian's holy conffile handling policy.
Even worse, the directory listing is totally unreadable because of the
large number of certificates and links in this directory. Navigating
through it is no fun...
> I consider this a bug, and even release-critical, and would say that
> ca-certificates should use ucf to maintain the certificates in
> /etc/ssl/certs. Arguments against that are to keep /etc small, but
> at 444k I don't see ca-certificates being a culprit.
Maybe one improvement would be to reduce the number of links in this
directory to one per certificate. Currently for each certificate
provided by ca-certificates the certificate has a link to /usr/share/..
and the hash has a link to the other link. Wouldn't it be possible to
only create the hash link as a symbolic link to /usr/share/...?
> Please don't tell me to use an editor that writes a new inode when
> changing files. It's not a solution to the problem, even though it
> would address the symptom.
.oO( delink )
Regards,
Joey
--
Reading is a lost art nowadays. -- Michael Weber
Please always Cc to me when replying to me on the lists.
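To make the hazard discussed in this thread concrete, here is a small POSIX shell script (an added example, not code from the thread or from the ca-certificates package) that rebuilds the /etc/ssl/certs to /usr/share/ca-certificates layout under a scratch root, counts the entries that are symlinks into /usr/share, and replaces one such link with a private copy (the "delink" step) so that a certificate appended by the admin stays in /etc across a package upgrade. The scratch root, file names and certificate bodies are constructed for the demo.

```shell
# Added example (not from the thread or the ca-certificates package): rebuild the
# /etc/ssl/certs -> /usr/share/ca-certificates layout under a scratch root,
# find symlinks that point into /usr/share, and "delink" one into a private copy.
# Every path below $root and the certificate bodies are constructed for the demo.
set -eu

# Number of PEM certificate blocks in a file (0 when there are none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Scratch copy of the Debian layout: one package file, one symlink to it.
make_fixture() {
    root=$1
    mkdir -p "$root/usr/share/ca-certificates/cacert.org" "$root/etc/ssl/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-root-body' \
        '-----END CERTIFICATE-----' \
        > "$root/usr/share/ca-certificates/cacert.org/cacert.org.crt"
    ln -s "$root/usr/share/ca-certificates/cacert.org/cacert.org.crt" \
        "$root/etc/ssl/certs/cacert.pem"
}

# Count entries in $root/etc/ssl/certs that are symlinks into /usr/share.
# Anything written through such a link lands in the package-owned file and
# is silently replaced by the next upgrade.
audit_links() {
    root=$1
    n=0
    for f in "$root"/etc/ssl/certs/*; do
        if [ -L "$f" ] && readlink "$f" | grep -q '/usr/share/'; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Replace a symlink with a regular file holding the same content, so later
# admin edits stay in /etc and survive package upgrades.
delink() {
    f=$1
    [ -L "$f" ] || return 0          # already a real file: nothing to do
    tmp=$(mktemp "$f.XXXXXX")
    cat "$f" > "$tmp"                # read through the link
    chmod 644 "$tmp"
    mv -f "$tmp" "$f"                # atomically swap the link for the copy
}
```

Run make_fixture against a root from `mktemp -d`; audit_links reports 1 before delink and 0 after, and a cert appended through the link shows up in the /usr/share file, not in /etc.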