
Re: ca-certificates symlinks out of /etc



On Thu, Nov 02, 2006 at 12:01:12PM +0100, martin f krafft wrote:

> Anyway, thanks for the discussion. I don't think I heard a single
> argument for using symlinks, other than to save 440k of space in
> /etc.

Symlinks just make _sense_. It's the idiocy of other OSes to duplicate
data because they have no proper notion of symlinks. I always hate
arguments like this to "make things worse for people who know UNIX
because there are some dumb users who don't".

So, here is a constructive solution for those who do not like symlinks
in /etc:

- Rebuild OpenSSL with X509_CERT_DIR in crypto/cryptlib.h defined as
  "/etc/ssl/certs:/var/ssl/certs". I did not test it, but looking at the
  OpenSSL sources It Should Just Work.

- Change ca-certificates to create the symlinks in /var/ssl/certs
  instead of in /etc/ssl/certs, and make it clear that the user should not
  manually alter the contents of /var/ssl/certs or else he/she should
  keep both pieces when something breaks.

- Declare /etc/ssl/certs to be the playground of the local sysadmin. No
  package should touch anything inside it.

That gives you the best of both worlds with minimal effort.

Gabor

-- 
     ---------------------------------------------------------
     MTA SZTAKI Computer and Automation Research Institute
                Hungarian Academy of Sciences
     ---------------------------------------------------------
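
The two-directory layout proposed in this message, modelled as an added shell sketch (not part of the original post and not OpenSSL code): an ordered lookup over a colon-separated path, plus a check that the package-managed directory holds only live symlinks. The function names, hash names and files are constructed for the demo, and the lookup is simplified to the `.0` suffix.

```shell
#!/bin/sh
# Added example; hash names, file names and layout are constructed.

# resolve_ca SEARCH_PATH HASH: print the first readable HASH.0, walking the
# colon-separated directories in order (simplified: only the .0 suffix).
resolve_ca() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        if [ -r "$dir/$2.0" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir/$2.0"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# audit_pkg_dir DIR: report entries that break the "packages only" rule for
# the generated directory: hand-placed files and symlinks whose target is gone.
audit_pkg_dir() {
    bad=0
    for entry in "$1"/*; do
        if [ -L "$entry" ]; then
            [ -e "$entry" ] || { echo "dangling: ${entry##*/}"; bad=1; }
        elif [ -e "$entry" ]; then
            echo "not-a-symlink: ${entry##*/}"; bad=1
        fi
    done
    return "$bad"
}

# make_layout ROOT: build the two-directory layout under ROOT.
make_layout() {
    mkdir -p "$1/etc/ssl/certs" "$1/var/ssl/certs" "$1/share"
    echo "placeholder for a packaged CA" > "$1/share/pkg-ca.pem"
    echo "placeholder for another packaged CA" > "$1/share/other-ca.pem"
    ln -s "$1/share/pkg-ca.pem"   "$1/var/ssl/certs/0a1b2c3d.0"
    ln -s "$1/share/other-ca.pem" "$1/var/ssl/certs/4e5f6a7b.0"
    ln -s "$1/share/removed.pem"  "$1/var/ssl/certs/9c8d7e6f.0"  # dangling
    echo "hand-placed file" > "$1/var/ssl/certs/local.pem"       # rule break
    echo "admin override" > "$1/etc/ssl/certs/0a1b2c3d.0"        # shadows pkg
}

root=$(mktemp -d) && make_layout "$root"
path="$root/etc/ssl/certs:$root/var/ssl/certs"
resolve_ca "$path" 0a1b2c3d      # admin copy in etc wins
resolve_ca "$path" 4e5f6a7b      # falls through to var
resolve_ca "$path" 9c8d7e6f || echo "9c8d7e6f: not found (dangling link)"
audit_pkg_dir "$root/var/ssl/certs" || echo "audit: package directory needs attention"
rm -rf "$root"
```

The first lookup shows the consequence of listing /etc first: a file the local sysadmin places there shadows the packaged entry with the same hash name.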


