Hi.

Was on a dCache workshop and hadn't time to answer before...


On Mon, 2012-04-16 at 16:08 +0200, Dennis van Dok wrote:
> > I'm not sure what I prefer:
> > a) ship/create symlinks for both formats
> I went with a) at the moment. That is what 'upstream' does and it's
> really handy for legacy software.
Well,.. as said I'm unsure myself...
I think software wise it's not needed for Debian,.. the transition to
ssl1.x is complete, isn't it, so there is no legacy software in Debian.

One argument against shipping both formats is, that openssl always at
least stats all files in the respective dirs...
So this could mean that for every access you get twice as many stats on
files as needed...


> > But I guess this is a separate debconf thingy,... configuring what you
> > put in /etc/grid-security and not the one from ca-certificates?
> yes
:)

> > /etc/grid-security should then _only_ contain symlinks, IMHO.
> Agreed, and that's how it works.
:)


> Rather than start a lot of fuss here...maybe TERENA could be included in
> the ca-certificates package. It takes only a couple of sponsors IIRC.
Would perhaps make sense...


> I haven't given the metapackage a thought yet. I also don't see the need
> as there are just three packages for all the accredited stuff. Better to
> make it a conscious choice.
I personally usually prefer having meta-packages, well at least if they
don't force you to install more than really necessary (e.g. the gnome
metapackages in debian depend on much useless crap, where a recommends
would be enough IMHO).
Anyway,... given that you need to somewhere put the logic for
the /etc/grid-security handling,... a ca-certificates-igtf
(meta-)package could be a good place, IMHO


> > No I don't mean older versions...
> > IGTF updates quite often... once the packages are in stable (e.g.
> > wheezy) we still would need to update it...
> > I guess "stable-updates" is what this is called in the meantime.
> Sure, if upstream brings out a new version, the Debian stable package
> would have to be updated. Isn't this essentially a security fix?
Well not sure... strictly speaking I don't think so...
If a CA was broken, and therefore removed,.. that would be a security
fix.
If a CA was no longer member of IGTF,.. that could be a security fix,...
but already questionable.
If just adding CAs.... surely no security fix.


> > I thought David Groep is from NIKHEF? And he signed the key that is used
> > to sign the eugridpma distribution key...
> Well, sure. And I'll take his word that it's the right bundle ;-) He's
> practically in the next office.
:)


> I can promise that I will diligently check the signatures, but then
> you'll have to trust me that I will do as I say...
Obviously,... but that's the trust relation users have to Debian ;)



Chris.
