
Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable



On Thu, Aug 15, 2019 at 03:54:54PM +0000, Holger Levsen wrote:
> On Thu, Aug 15, 2019 at 02:38:33PM +0000, Debian FTP Masters wrote:
> > Source: debian-edu-config
> > Version: 2.10.67
> [...]
> >    debian-edu-config.fetch-ldap-cert:
> >      - Fully inline-document fetch-ldap-cert script.
> 
> this is really great
> 
> >      - White-space-only change: Fix broken and inconsistent indentations.
>  
> looking at the debdiff between what's in stable and this, it seems this
> is mostly not visible because it's basically/almost a rewrite anyway:
> 
> $ debdiff debian-edu-config_2.10.65.dsc debian-edu-config_2.10.67.dsc|diffstat
>  Makefile                                                             |    2 
>  cf3/cf.finalize                                                      |   52 +
>  cf3/cf.homes                                                         |    2 
>  cf3/cf.workarounds                                                   |   16 
>  cf3/edu.cf                                                           |    1 
>  debian/changelog                                                     |   96 +++
>  debian/control                                                       |    2 
>  debian/debian-edu-config.fetch-ldap-cert                             |  283 ++++++++--
>  debian/debian-edu-config.postinst                                    |   14 
>  etc/ltsp/ltsp-build-client.conf                                      |    2 
>  etc/network/if-up.d/hostname                                         |   43 -
>  share/debian-edu-config/d-i/finish-install                           |   31 -
>  share/debian-edu-config/edu-firefox-nfs                              |    1 
>  share/debian-edu-config/sudo-ldap.conf                               |    1 
>  share/debian-edu-config/tools/create-debian-edu-certs                |    2 
>  share/debian-edu-config/tools/kerberos-kdc-init                      |    5 
>  share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |    4 
>  17 files changed, 418 insertions(+), 139 deletions(-)
> 
> (so maybe it would have been wiser not to mention the white-space only changes,
> as the release team really dislikes them.)
>
> however/anyway, I'm not sure we can get this past the release team for 
> the stable point release. we might. we think all these changes are 
> useful/needed for stable, right?

Useful, yes; but IMO we could get along for Buster without the 
fetch-ldap-cert related changes introduced in d-e-c 2.10.67 in case the 
stable release team dislikes these.

Among improved checks for a lot of possible failures, the rewrite has 
the benefit of validating the LDAP server certificate against the Debian 
Edu rootCA one (the version shipped with d-e-c 2.10.66 did this against 
the bundle-crt certificate). Both are downloaded from www.intern, as 
opposed to the LDAP server cert that is fetched from the LDAP server 
itself. The bundle certificate contains the Debian Edu rootCA 
certificate and the multipurpose server certificate (as a chain). This 
server certificate is used for all configured Debian Edu server 
services, including the LDAP service. While using the single Debian Edu 
rootCA certificate for validation is the better way to go, the bundle 
certificate can be used as well.

Another improvement of the fetch-ldap-cert script shipped with d-e-c 
2.10.67 is the use of independent conditions for host and LTSP chroot 
(instead of the global condition introduced with commit f8f436e); but 
then the drawback caused by this change for LTSP chroots has also been 
dealt with via d-e-c 2.10.66 fixes.

Mike, please comment.

Wolfgang
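
As an added illustration of the validation discussed in the message above (not code from fetch-ldap-cert or from anyone in this thread), the script below builds a throwaway root CA, a server certificate issued by it and the root-plus-server bundle, then checks a genuine and an impostor certificate against each trust file. All subjects, file names and paths are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added illustration; every file name and subject below is constructed.
DEMO=$(mktemp -d)

# Minimal config so the self-signed certificates carry basicConstraints CA:TRUE.
cat > "$DEMO/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Edu rootCA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# self_signed NAME SUBJECT: write NAME.key and a self-signed NAME.crt
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$DEMO/ca.cnf" \
        -subj "$2" -keyout "$DEMO/$1.key" -out "$DEMO/$1.crt" 2>/dev/null
}

# verify_against ANCHOR CERT: succeed only if CERT chains to a root in ANCHOR
verify_against() {
    openssl verify -CAfile "$DEMO/$1" "$DEMO/$2" >/dev/null 2>&1
}

self_signed rootCA "/CN=Constructed Edu rootCA"
# Server certificate issued by the root CA.
openssl req -new -newkey rsa:2048 -nodes -config "$DEMO/ca.cnf" \
    -subj "/CN=ldap.example.test" -keyout "$DEMO/server.key" \
    -out "$DEMO/server.csr" 2>/dev/null
openssl x509 -req -in "$DEMO/server.csr" -CA "$DEMO/rootCA.crt" \
    -CAkey "$DEMO/rootCA.key" -CAcreateserial -days 1 \
    -out "$DEMO/server.crt" 2>/dev/null
# Bundle as described in the message: root CA plus server certificate.
cat "$DEMO/rootCA.crt" "$DEMO/server.crt" > "$DEMO/bundle.crt"
# Impostor: self-signed, same subject name as the real server.
self_signed impostor "/CN=ldap.example.test"

for anchor in rootCA.crt bundle.crt; do
    for cert in server.crt impostor.crt; do
        if verify_against "$anchor" "$cert"; then r=accepted; else r=rejected; fi
        echo "$cert against $anchor: $r"
    done
done
```

Both trust files accept the issued server certificate and reject the self-signed impostor, because in each case the chain has to end at the root CA.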
