List:       debian-devel
Subject:    Re: ca-certificates symlinks out of /etc
From:       Gabor Gombas <gombasg () sztaki ! hu>
Date:       2006-11-02 12:45:52
Message-ID: 20061102124551.GF18414 () boogie ! lpds ! sztaki ! hu

On Thu, Nov 02, 2006 at 12:01:12PM +0100, martin f krafft wrote:

> Anyway, thanks for the discussion. I don't think I heard a single
> argument for using symlinks, other than to save 440k of space in
> /etc.

Symlinks just make _sense_. It's the idiocy of other OSes to duplicate
data because they have no proper notion of symlinks. I always hate
arguments like this to "make things worse for people who know UNIX
because there are some dumb users who don't".

So, here is a constructive solution for those who do not like symlinks
in /etc:

- Rebuild OpenSSL with X509_CERT_DIR in crypto/cryptlib.h defined as
  "/etc/ssl/certs:/var/ssl/certs". I did not test it, but looking at the
  OpenSSL sources It Should Just Work.

- Change ca-certificates to create the symlinks in /var/ssl/certs
  instead of in /etc/ssl/certs, and make it clear that the user should not
  manually alter the contents of /var/ssl/certs or else he/she should
  keep both pieces when something breaks.

- Declare /etc/ssl/certs to be the playground of the local sysadmin. No
  package should touch anything inside it.

That gives you the best of both worlds with minimal effort.

Gabor

-- 
     ---------------------------------------------------------
     MTA SZTAKI Computer and Automation Research Institute
                Hungarian Academy of Sciences
     ---------------------------------------------------------
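
An audit sketch for the layout proposed in the message above, added here as an example (it is not part of the original message and is not ca-certificates or OpenSSL code): it models a left-to-right search of the colon-separated directory list, lists admin entries that shadow packaged ones, and flags non-symlink entries in the package-managed directory. The first-match search order, the `<hash>.N` file names and the temporary tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: model of a colon-separated certificate directory search.
# All paths and hash names below are constructed; no system path is touched.

# first_match SEARCH_PATH NAME: print the first DIR/NAME found, left to right.
first_match() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        if [ -e "$dir/$2" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir/$2"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# shadowed ADMIN_DIR PKG_DIR: names present in both (admin copy wins).
shadowed() {
    for f in "$1"/*.[0-9]*; do
        [ -e "$f" ] || continue
        if [ -e "$2/${f##*/}" ]; then printf '%s\n' "${f##*/}"; fi
    done
    return 0
}

# not_symlinks PKG_DIR: entries that are not symlinks, i.e. altered by hand.
not_symlinks() {
    for f in "$1"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ ! -L "$f" ]; then printf '%s\n' "${f##*/}"; fi
    done
    return 0
}

# Constructed demo tree mirroring the proposed layout.
t=$(mktemp -d)
mkdir -p "$t/etc/ssl/certs" "$t/var/ssl/certs" "$t/store"
: > "$t/store/ca1.pem"; : > "$t/store/ca2.pem"
ln -s "$t/store/ca1.pem" "$t/var/ssl/certs/aaaa1111.0"  # packaged symlink
ln -s "$t/store/ca2.pem" "$t/var/ssl/certs/bbbb2222.0"  # packaged symlink
: > "$t/etc/ssl/certs/aaaa1111.0"   # local admin's own entry
: > "$t/var/ssl/certs/cccc3333.0"   # hand-made file in the package directory
SEARCH="$t/etc/ssl/certs:$t/var/ssl/certs"

first_match "$SEARCH" aaaa1111.0               # resolves under etc/ssl/certs
shadowed "$t/etc/ssl/certs" "$t/var/ssl/certs" # aaaa1111.0
not_symlinks "$t/var/ssl/certs"                # cccc3333.0
```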

