[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RFC: raising ca-certificates package Priority to standard or important

[bcc: {openssl,ca-certificates}@packages.d.o]


the ca-certificates package is currently "Priority: optional", like most
of the archive.  It's Recommended by a bunch of packages, Depended on by
an equivalent number, but I'm not sure if this is optimal.  I suspect
most packages can be configured to use a different trust store; and that
in many deployments you may want to use a private PKI, or limit trust to
a specific subset of the global public CAs, so in that sense `Depends'
on ca-certificates is not quite correct.  On the other hand it's less
likely to run into "user disabled Recommends, and run into unexpected TLS
server auth failures" kind of situations.

So I'd like to raise the priority of ca-certificates from optional to
at least standard, as a signal that it should be installed on
non-minimal Debian systems.  I'll note that ca-certificates depends on
the openssl binary package which would thus effectively also become
standard (or important, if we go that route), if it isn't already.

Before asking ftpmasters to make that change I wanted to ask this group
if there were downsides to it that I haven't considered.  And which of
standard or important made most sense (AIUI, standard means "installed
by default in d-i" and important means "installed by default in


Reply to: