On (03/07/06 23:34), Petter Reinholdtsen wrote:
>
> [Jaldhar H. Vyas]
> > Is this a good idea for Debian?  I think it is but it doesn't make
> > sense to switch dovecot over unless all the other ssl-cert using
> > packages also do it.  Is this possible in the etch timeframe?
>
> Yes, it is a good idea to make the SSL certificate handling in Debian
> packages more consistent.  In Debian-Edu, we install and automatically
> configure several services with SSL certificates, like imap, ldap and
> webmin, and it is a pain to handle all the ways SSL-certificates are
> generated. :)
>
So, as this proposal seemed to provoke a response that was somewhere
between non-caring and enthusiastic I thought I would look into the
possibility of doing this.

For an estimate of the packages that generate a certificate in postinst
(let's hope there are none that include them in the package) I tried:

    $ grep-available -FDepends openssl -sPackage -n | sort
    apache-ssl
    apache2-common
    ca-certificates
    courier-imap-ssl
    courier-ssl
    dovecot-common
    dsniff
    ejabberd
    exim-tls
    freeswan
    ftpd-ssl
    httping
    ipopd
    libapache-mod-ssl
    libmultisync-plugin-syncml
    nessusd
    openoffice.org-core
    partimage-server
    python-pyopenssl
    ssl-cert
    ssleay
    sslwrap
    stone-ssl
    stunnel
    stunnel4
    telnetd-ssl
    tinyca
    ultrapossum-tls
    usermin
    uw-imapd
    webmin

which is a reasonable number (especially as some of these will be
false-positives).

So then to see how ssl-cert is actually used I downloaded the source of
apache2 and looked in debian/apache2-common.postinst where I found

    # Make self-signed certificate
    #if [ ! -f /etc/apache2/ssl/apache.pem ]
    #then
    #       /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf
    #       /etc/apache2/ssl/apache.pem
    #fi

So looking in the changelog.debian I found the following

    apache2 (2.0.48-8) unstable; urgency=low

      * Disable ssl-cert until it sucks less. related to 230791
        (closes: #231726)

     -- Thom May <[EMAIL PROTECTED]>  Mon,  2 Feb 2004 12:47:10 +0000

(that is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=230791 and
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=231726,
http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=ssl-cert is also quite
enlightening)

So, it seems the only packages in Debian that use ssl-cert don't
actually at the moment.

So it seems like ssl-cert needs some work before it can be used by more
packages. The maintainers of ssl-cert are the apache maintainers
themselves, so it doesn't look like they'll be sorting it out soon.

I am willing to work a bit on getting it into shape. Does anyone want
to volunteer to help out and then create patches for all the necessary
packages?

James

-- 
  James Westby
  [EMAIL PROTECTED]
  http://jameswestby.net/