On 31-03-12 04:47, Christoph Anton Mitterer wrote:
> On Sat, 2012-03-31 at 01:38 +0200, Dennis van Dok wrote:
>> It's better not to get these things mixed up too much.
> Definitely.
> I agree that the actual PEM files should be placed
> in /usr/share/ca-certificates/ and I'd propose a structure like this:
> /usr/share/ca-certificates/igtf/classic
> /usr/share/ca-certificates/igtf/slcs
> /usr/share/ca-certificates/igtf/mlcs

That's *almost* how I've packaged it.

> One thing I just recall:
> OpenSSL hash links... pre/post 1.0 format.
>
> I'm not sure what I prefer:
> a) ship/create symlinks for both formats
> b) ship/create symlinks for post 1.0 only

I went with a) at the moment. That is what 'upstream' does and it's
really handy for legacy software.

> But I guess this is a separate debconf thingy,... configuring what you
> put in /etc/grid-security and not the one from ca-certificates?

yes

> /etc/grid-security should then _only_ contain symlinks, IMHO.

Agreed, and that's how it works.

> Not sure if this is easily possible, but it would be nice, if the cert
> selection was somehow sorted by the respective PMA.. and perhaps when
> you see the country code of the respective CA.

I'm not sure how I could easily implement this. I don't see this as such
an urgent matter, and as I'm apolitical I don't understand what the fuss
is about.

> Splitting the file hierarchy would make sense here, as people quickly
> recognise which type (i.e. MLCS/SLCS) a cert is of.

This is indeed split into different packages.

> I revised my idea,.. ALL (that are installed) should show up... but one
> should be able to see where they're belonging to, which is easily
> possible via the path.

Agreed.

>> but there may even be some from the 'unaccredited' set
>> that you would want to have in ca-certificates (e.g. the TERENA-SSL-CA).
> TERENA is in unaccredited,.. damn...
> Nevertheless, I think if you follow my idea to split the packages and
> make one metapackage, I would NOT depend on the -unaccredited
> package.... at most suggest it.. but even that is questionable, because
> while specifically TERENA is likely generally useful, for the main
> purpose of IGTF it's not.

Rather than start a lot of fuss here...maybe TERENA could be included in
the ca-certificates package. It takes only a couple of sponsors IIRC.

>
> For the ca-certificates part... it's anyway up to the admin to decide
> (if he configured ask,...
> if he did not one can't help him ;) )
> Well on the other hand... uhm... I'm just thinking what a meta package
> should do (if you split up)....

I haven't given the metapackage a thought yet. I also don't see the need
as there are just three packages for all the accredited stuff. Better to
make it a conscious choice.

> No I don't mean older versions...
> IGTF updates quite often... once the packages are in stable (e.g.
> wheezy) we still would need to update it...
> I guess "stable-updates" is what this is called in the meantime.

Sure, if upstream brings out a new version, the Debian stable package
would have to be updated. Isn't this essentially a security fix?

>>> When you're from NIKHEF you can probably easily get David's OpenPGP key
>>> in a secure way to add only securely downloaded igtf bundles to
>>> Debian :)
>>
>> Nothing NIKHEF specific here,
> I thought David Groep is from NIKHEF? And he signed the key that is used
> to sign the eugridpma distribution key...

Well, sure. And I'll take his word that it's the right bundle ;-) He's
practically in the next office.

I can promise that I will diligently check the signatures, but then
you'll have to trust me that I will do as I say...

>> I'm all for a further discussion of how to do this properly for Debian;
>> I've put a lot of my own thought into this and I've reflected this with
>> others, notably the upstream maintainer, but I still consider this very
>> much as an initial attempt.
>
> Well I guess you're on a good way... especially your idea to separate
> between ca-certificates an another debconf for grid-security....
> => +1

Thanks,

Dennis

-- 
D.H. van Dok :: Software Engineer :: www.nikhef.nl :: www.biggrid.nl
Phone +31 20 592 22 28 :: http://www.nikhef.nl/~dennisvd/