* martin f krafft (madduck@debian.org) wrote: > also sprach Stephen Frost <sfrost@snowman.net> [2006.10.31.2103 +0100]: > > > How are certificate files not intended to be modified? If they > > > expire? If they are incomplete? > > > > If they expire then they should be updated by the package. > > The problem with ca-certificate is that it follows policies which > I don't fully agree with. CAcert's level 3 certificate is not > included because CAcert has not been audited -- that process by > itself just smells commercial to me. I don't see this as relevant to the debate about using symlinks in /etc. > The package allows the user to cherry-pick the certificates to > enable anyway; why preselect? Because it's much more common for users to want at least some set of certificates enabled on installation. > > file, if you mean that some certificates are missing, then you're > > certainly free to add those into that directory as regular files, > > or to ask for inclusion of them in the package). > > I don't want to maintain local certificates across the dozens of > machines on which I need them. And the package maintainer doesn't > seem too cooperative. See e.g. #352248 which has not received a note > yet. What certificates are included and why sounds like an issue which would be more appropriate for the technical committee to comment on, given there's some disagreement regarding it. I don't believe this is any reason to claim that using symlinks as configuration is an RC bug. As an aside, I'd probably side with the maintainer on this one (not that I'm on the TC anyway). I don't really see being audited as being 'commercial' in some kind of bad way. Third-party audits are very common and required by some governments (like the US) when working with sensitive information. There's not exactly *fun* but having an external conflict-free entity performing an audit is generally something I consider a good thing. > Would you edit the files in /etc/alternatives with an editor? No, but you certainly might use 'cp' to overwrite them if you're don't realize they're symlinks. > I see your point. However, /etc/alternatives deserves a special > treatment as it is unique in what it does and integrates with the > whole system. I really don't see how you can argue that it's acceptable for alternatives but not for ca-certificates. I don't see that alternatives being unique in what it does overall (as most packages are...) as meaning that things which it does (symlinks as configuration) are only acceptable for it to use. Either symlinks as configuration is bad and should be done away with entirely, or they're acceptable and any package is free to use them. Thanks, Stephen
Attachment:
signature.asc
Description: Digital signature