Kurt Roeckx wrote:
> > > > Maybe one improvement would be to reduce the number of links in this
> > > > directory to one per certificate. Currently for each certificate
> > > > provided by ca-certificates the certificate has a link to /usr/share/..
> > > > and the hash has a link to the other link
also sprach Kurt Roeckx <[EMAIL PROTECTED]> [2006.11.04.1448 +0100]:
> It seems there is an update-ca-certificates, which has a config file
> (/etc/ca-certificates.conf) that says which certificates should be
> enabled.
... at which point it's really pointless to argue that the symlinks
to /usr/sh
On Sat, Nov 04, 2006 at 02:30:54PM +0100, Joey Schulze wrote:
> Kurt Roeckx wrote:
> > On Sat, Nov 04, 2006 at 12:52:03PM +0100, Joey Schulze wrote:
> > >
> > > Maybe one improvement would be to reduce the number of links in this
> > > directory to one per certificate. Currently for each certific
Kurt Roeckx wrote:
> On Sat, Nov 04, 2006 at 12:52:03PM +0100, Joey Schulze wrote:
> >
> > Maybe one improvement would be to reduce the number of links in this
> > directory to one per certificate. Currently for each certificate
> > provided by ca-certificates the certificate has a link to /usr/s
On Sat, Nov 04, 2006 at 12:52:03PM +0100, Joey Schulze wrote:
>
> Maybe one improvement would be to reduce the number of links in this
> directory to one per certificate. Currently for each certificate
> provided by ca-certificates the certificate has a link to /usr/share/..
> and the hash has a
also sprach Joey Schulze <[EMAIL PROTECTED]> [2006.11.04.1315 +0100]:
> Hmm, why don't you use a CAfile which is not provided by the
> package but one that is created by you on your own and which only
> incorporates the certificates you want to accept? That way you
> won't interfere with packaging.
martin f krafft wrote:
> also sprach Joey Schulze <[EMAIL PROTECTED]> [2006.11.04.1252 +0100]:
> > Hmm. Why are the certificates in /etc/ssl/certs/cacert.pem used but
> > not those from /etc/ssl/certs/cacert-class3.pem?
>
> Because I had to disable the use of CAdir and use CAfile instead,
> due t
also sprach Joey Schulze <[EMAIL PROTECTED]> [2006.11.04.1252 +0100]:
> Hmm. Why are the certificates in /etc/ssl/certs/cacert.pem used but
> not those from /etc/ssl/certs/cacert-class3.pem?
Because I had to disable the use of CAdir and use CAfile instead,
due to performance issues:
http://peo
martin f krafft wrote:
> ca-certificates installs about 100 certificates into
> /etc/ssl/certs. However, these are not actually dropped into the
> directory; instead, symlinks into /usr/share are put in place:
>
> piper:/etc/ssl/certs# ls -la /etc/ssl/certs/cacert.org.pem
> lrwxrwxrwx 1 root root
also sprach Gabor Gombas <[EMAIL PROTECTED]> [2006.11.02.1345 +0100]:
> Symlinks just make _sense_. It's the idiocy of other OSes to duplicate
> data because they have no proper notion of symlinks. I always hate
> arguments like this to "make things worse for people who know UNIX
> because there ar
also sprach Gabor Gombas <[EMAIL PROTECTED]> [2006.11.02.1443 +0100]:
> Certificates are not configuration files so they should not be in
> /etc.
>
> On the other hand, the decision of which certificate files should
> be USED _is_ a configuration decision, so that information should
> be under /etc
On Thu, Nov 02, 2006 at 02:24:33PM +0100, martin f krafft wrote:
> Why do the files need to be in /usr/share at all? Why not provide
> /etc/ssl/certs and /etc/ssl/certs/disabled and let the user use
> /bin/mv to enable/disable them.
Certificates are not configuration files so they should not be i
On Thu, Nov 02, 2006 at 12:01:12PM +0100, martin f krafft wrote:
> Anyway, thanks for the discussion. I don't think I heard a single
> argument for using symlinks, other than to save 440k of space in
> /etc.
Symlinks just make _sense_. It's the idiocy of other OSes to duplicate
data because they
also sprach Stephen Frost <[EMAIL PROTECTED]> [2006.11.01.1605 +0100]:
> > The package allows the user to cherry-pick the certificates to
> > enable anyway; why preselect?
>
> Because it's much more common for users to want at least some set
> of certificates enabled on installation.
Of course. B
On Tue, Oct 31, 2006 at 07:10:45PM +0100, martin f krafft wrote:
> cat /etc/ssl/certs/cacert-class3.pem >> /etc/ssl/certs/cacert.pem
>
> on systems that needed access to all of CACert's certificates.
Btw., mounting /usr read-only is a good way to prevent stupid bugs like
this. You can configur
* martin f krafft ([EMAIL PROTECTED]) wrote:
> also sprach Stephen Frost <[EMAIL PROTECTED]> [2006.10.31.2103 +0100]:
> > > How are certificate files not intended to be modified? If they
> > > expire? If they are incomplete?
> >
> > If they expire then they should be updated by the package.
>
> T
also sprach Stephen Frost <[EMAIL PROTECTED]> [2006.10.31.2103 +0100]:
> > How are certificate files not intended to be modified? If they
> > expire? If they are incomplete?
>
> If they expire then they should be updated by the package.
The problem with ca-certificate is that it follows policies
[Martin F Krafft]
> I consider this a bug, and even release-critical, and would say that
> ca-certificates should use ucf to maintain the certificates in
> /etc/ssl/certs. Arguments against that are to keep /etc small, but
> at 444k I don't see ca-certificates being a culprit.
>
> Comments?
I wou
Alex Pennace wrote:
> > piper:/etc> sudo find /etc -path /etc/alternatives -prune -o -type l
> > -exec readlink -f {} \; | egrep -v '^/etc' | wc -l
>
> I'm surprised your report missed one of the most established
> configuration symlinks of them all: /etc/localtime.
I was more surprised that i
On Tue, Oct 31, 2006 at 05:22:27PM -0300, Henrique de Moraes Holschuh wrote:
> On Tue, 31 Oct 2006, Alex Pennace wrote:
> > I'm surprised your report missed one of the most established
> > configuration symlinks of them all: /etc/localtime. I'm pointing that
> > out in particular because it has bee
On Tuesday 31 October 2006 21:03, Stephen Frost wrote:
> If they expire then they should be updated by the package. One does
> not generally modify issued certificates. If the package isn't
> handling certificate expiration then the point of having them packaged
> at all pretty much goes away. I
On Tue, 31 Oct 2006, Alex Pennace wrote:
> I'm surprised your report missed one of the most established
> configuration symlinks of them all: /etc/localtime. I'm pointing that
> out in particular because it has been around for as long as I can
> remember, and serves its configuration function by po
On Tue, Oct 31, 2006 at 07:10:45PM +0100, martin f krafft wrote:
> The recent ca-certificates upgrade overwrote this "configuration"
> simply because my /bin/cat call actually changed a file in
> /usr/share, where changes by the admin are not preserved. Yet, due
> to the links in /etc/ssl/certs, th
* martin f krafft ([EMAIL PROTECTED]) wrote:
> also sprach Stephen Frost <[EMAIL PROTECTED]> [2006.10.31.2016 +0100]:
> > In all of these cases the files pointed to are not intended to be
> > modified but what file is used can be configured.
>
> How are certificate files not intended to be modifie
On Tue, Oct 31, 2006 at 08:32:49PM +0100, martin f krafft wrote:
> also sprach Stephen Frost <[EMAIL PROTECTED]> [2006.10.31.2016 +0100]:
> > In all of these cases the files pointed to are not intended to be
> > modified but what file is used can be configured.
>
> How are certificate files not in
On Tue, Oct 31, 2006 at 08:32:49PM +0100, martin f krafft <[EMAIL PROTECTED]>
wrote:
> also sprach Stephen Frost <[EMAIL PROTECTED]> [2006.10.31.2016 +0100]:
> > In all of these cases the files pointed to are not intended to be
> > modified but what file is used can be configured.
>
> How are cer
also sprach Stephen Frost <[EMAIL PROTECTED]> [2006.10.31.2016 +0100]:
> In all of these cases the files pointed to are not intended to be
> modified but what file is used can be configured.
How are certificate files not intended to be modified? If they
expire? If they are incomplete?
--
Please
On Oct 31, martin f krafft <[EMAIL PROTECTED]> wrote:
> I consider this a bug, and even release-critical, and would say that
> ca-certificates should use ucf to maintain the certificates in
I don't. I think that symlinks to files somewhere are a good way to
solve this specific problem.
> /etc/ssl
On Tue, Oct 31, 2006 at 07:54:02PM +0100, martin f krafft wrote:
>
> > cat /the/best/dictionary >> /etc/dictionaries-common/words
>
> I don't see the reason why /etc/dictionaries-common/words should be
> a symlink either. The right way to solve this would be to use
> alternatives and provide a se
* martin f krafft ([EMAIL PROTECTED]) wrote:
> also sprach Stephen Frost <[EMAIL PROTECTED]> [2006.10.31.1948 +0100]:
> > cat /my/favorite/editor >> /etc/alternatives/vi
>
> alternatives are surely an exception, don't you think?
>
> > cat /the/best/dictionary >> /etc/dictionaries-common/words
>
On Tue, Oct 31, 2006 at 07:41:02PM +0100, martin f krafft wrote:
> I am fully aware of this. However, it's misleading, don't you think?
I cannot answer that from the average user perspective. However,
symlinks are quite handy and there is already an established base of
users who are familiar with
also sprach Stephen Frost <[EMAIL PROTECTED]> [2006.10.31.1948 +0100]:
> cat /my/favorite/editor >> /etc/alternatives/vi
alternatives are surely an exception, don't you think?
> cat /the/best/dictionary >> /etc/dictionaries-common/words
I don't see the reason why /etc/dictionaries-common/words s
* martin f krafft ([EMAIL PROTECTED]) wrote:
> Since #350282 is still being discussed, I ended up doing
>
> cat /etc/ssl/certs/cacert-class3.pem >> /etc/ssl/certs/cacert.pem
>
> on systems that needed access to all of CACert's certificates.
cat /my/favorite/editor >> /etc/alternatives/vi
cat /
also sprach Alex Pennace <[EMAIL PROTECTED]> [2006.10.31.1917 +0100]:
> The configuration being preserved is a set of symlinks, not the
> contents of their targets.
I am fully aware of this. However, it's misleading, don't you think?
It's just not very typical for symlinks in /etc to be considered
On Tue, Oct 31, 2006 at 07:10:45PM +0100, martin f krafft wrote:
> Since #350282 is still being discussed, I ended up doing
>
> cat /etc/ssl/certs/cacert-class3.pem >> /etc/ssl/certs/cacert.pem
>
> on systems that needed access to all of CACert's certificates.
>
> The recent ca-certificates up
ca-certificates installs about 100 certificates into
/etc/ssl/certs. However, these are not actually dropped into the
directory; instead, symlinks into /usr/share are put in place:
piper:/etc/ssl/certs# ls -la /etc/ssl/certs/cacert.org.pem
lrwxrwxrwx 1 root root 52 2006-10-31 18:56 /etc/ssl/certs/
36 matches