Re: ca-certificates symlinks out of /etc

To: debian developers <debian-devel@lists.debian.org>
Subject: Re: ca-certificates symlinks out of /etc
From: martin f krafft <madduck@debian.org>
Date: Wed, 1 Nov 2006 15:38:31 +0100
Message-id: <[🔎] 20061101143831.GA3841@piper.madduck.net>
Mail-followup-to: debian developers <debian-devel@lists.debian.org>
In-reply-to: <20061031225104.GA3416@kitenet.net> <20061031213847.GA8738@buick.pennace.org> <20061031202227.GB15641@khazad-dum.debian.net> <20061031201904.GB6315@mauritius.dodds.net> <200610312126.31302.elendil@planet.nl> <20061031200359.GH24675@kenobi.snowman.net> <20061031194127.GC8585@buick.pennace.org> <20061031193636.GA9830@glandium.org>
References: <20061031185402.GA10308@piper.madduck.net> <20061031191635.GG24675@kenobi.snowman.net> <20061031193249.GA14247@piper.madduck.net> <20061031194127.GC8585@buick.pennace.org> <20061031181045.GA20364@piper.madduck.net> <20061031184846.GF24675@kenobi.snowman.net> <20061031185402.GA10308@piper.madduck.net> <20061031191635.GG24675@kenobi.snowman.net> <20061031193249.GA14247@piper.madduck.net> <20061031193636.GA9830@glandium.org>

also sprach Stephen Frost <sfrost@snowman.net> [2006.10.31.2103 +0100]:
> > How are certificate files not intended to be modified? If they
> > expire? If they are incomplete?
> 
> If they expire then they should be updated by the package.

The problem with ca-certificate is that it follows policies which
I don't fully agree with. CAcert's level 3 certificate is not
included because CAcert has not been audited -- that process by
itself just smells commercial to me.

The package allows the user to cherry-pick the certificates to
enable anyway; why preselect?

> file, if you mean that some certificates are missing, then you're
> certainly free to add those into that directory as regular files,
> or to ask for inclusion of them in the package).

I don't want to maintain local certificates across the dozens of
machines on which I need them. And the package maintainer doesn't
seem too cooperative. See e.g. #352248 which has not received a note
yet.

also sprach Steve Langasek <vorlon@debian.org> [2006.10.31.2119 +0100]:
> Not release critical.  You're welcome to debate whether it's a bug
> to ever use symlinks in /etc, but Alex is right -- the historical
> understanding of "configuration" here is the symlinks, not the
> targets.

I am not arguing that. I am arguing whether the setup isn't
misleading...

also sprach Joey Hess <joeyh@debian.org> [2006.10.31.2351 +0100]:
> Alex Pennace wrote:
> > >   piper:/etc> sudo find /etc -path /etc/alternatives -prune -o -type l -exec readlink -f {} \; | egrep -v '^/etc' | wc -l 
> > 
> > I'm surprised your report missed one of the most established
> > configuration symlinks of them all: /etc/localtime.
> 
> I was more suprised that it explicitly excluded /etc/alernatives ..

Would you edit the files in /etc/alternatives with an editor?

I see your point. However, /etc/alternatives deserves a special
treatment as it is unique in what it does and integrates with the
whole system.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

"the vast majority of our imports come from outside the country."  
                                                      - george w. bush

Attachment: signature.asc
Description: Digital signature (GPG/PGP)

Reply to:

Follow-Ups:
- Re: ca-certificates symlinks out of /etc
  - From: Stephen Frost <sfrost@snowman.net>

Prev by Date: Bug#388569: marked as done (general: always printed in letter format)
Next by Date: Re: ca-certificates symlinks out of /etc
Previous by thread: Re: ca-certificates symlinks out of /etc
Next by thread: Re: ca-certificates symlinks out of /etc
Index(es):
- Date
- Thread