[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: raising ca-certificates package Priority to standard or important


https is getting everywhere. If you don't have ca's you cannot process them properly.
I think https working is going to be important even for almost all embedded cases.  Most iot deployments
include something like calling the mothership, which ought to be https... apt is generally https.
I guess priority-wise it should be considered part of TLS or libSSL so that whenever one of those is installed, the ca's are also installed.  Again... omitting TLS makes something so crippled as to be next to useless... it's like omitting networking entirely at this point. 

On Fri, Jan 22, 2021 at 6:38 AM Steve McIntyre <steve@einval.com> wrote:
Hey Julien,

On Fri, Jan 22, 2021 at 12:00:56PM +0100, Julien Cristau wrote:
>On Thu, Jan 21, 2021 at 02:47:25PM -0300, Antonio Terceiro wrote:
>> On Thu, Jan 21, 2021 at 03:10:47PM +0100, Julien Cristau wrote:
>> > And which of standard or important made most sense (AIUI, standard
>> > means "installed by default in d-i" and important means "installed by
>> > default in debootstrap").
>> wget is already Priority: standard and recommends ca-certificates, so it
>> seems to me that making it standard would be a noop in practice for most
>> of the systems installed by d-i.
>> On the other hand, all cases that I remember seeing a problem caused by
>> missing ca-certificates was in systems not installed by d-i, such as
>> containers, vm images, etc. Based on that, I would make it important.
>Here's my thinking on this:
>I would expect "standard" to get installed on "general purpose" VM
>images, and "important" *not* to get installed on "minimal" container or
>VM images.  Looking at the docker debian image build script just now[1],
>it seems to pull in required packages + iproute2 and ping, so it has its
>own selection that doesn't include "important" priority.  So changing
>the severity, by itself, won't change anything unless we go all the way
>to "required" which feels like it'd be going too far (but then I also
>don't think apt should be "required").
>If there are specific examples where you think "important" would help
>I'd be interested; right now I'm sort of favouring "standard" as good

Sounds like good logic to me.

Thanks for looking into this!

Steve McIntyre, Cambridge, UK.                                steve@einval.com
Can't keep my eyes from the circling sky,
Tongue-tied & twisted, Just an earth-bound misfit, I...

Reply to: