martin f krafft wrote:
> ca-certificates installs about 100 certificates into
> /etc/ssl/certs. However, these are not actually dropped into the
> directory; instead, symlinks into /usr/share are put in place:
>
> piper:/etc/ssl/certs# ls -la /etc/ssl/certs/cacert.org.pem
> lrwxrwxrwx 1 root root 52 2006-10-31 18:56 /etc/ssl/certs/cacert.org.pem ->
> /usr/share/ca-certificates/cacert.org/cacert.org.crt
>
> Since #350282 is still being discussed, I ended up doing
>
> cat /etc/ssl/certs/cacert-class3.pem >> /etc/ssl/certs/cacert.pem

Is /etc/ssl/certs/cacert.pem a configuration file at all? I.e. is it
meant to be site-edited/admin-edited? I would assume that all "files"
in /etc/ssl/certs/ contain only one certificate / upstream certificate
source.

> on systems that needed access to all of CACert's certificates.

Hmm. Why are the certificates in /etc/ssl/certs/cacert.pem used but
not those from /etc/ssl/certs/cacert-class3.pem?

There was a debconf question in which you could configure which
certificates you want to accept. Maybe you could accept the
cacert-class3 certificate as well?

> The recent ca-certificates upgrade overwrote this "configuration"
> simply because my /bin/cat call actually changed a file in
> /usr/share, where changes by the admin are not preserved. Yet, due
> to the links in /etc/ssl/certs, the admin is given the impression
> that these are configuration files and can thus be edited according
> to Debian's holy conffile handling policy.

Even worse, the directory listing is totally unreadable because of the
large number of certificates and links in this directory. Navigating
through it is no fun...

> I consider this a bug, and even release-critical, and would say that
> ca-certificates should use ucf to maintain the certificates in
> /etc/ssl/certs. Arguments against that are to keep /etc small, but
> at 444k I don't see ca-certificates being a culprit.

Maybe one improvement would be to reduce the number of links in this
directory to one per certificate. Currently for each certificate
provided by ca-certificates the certificate has a link to
/usr/share/.. and the hash has a link to the other link. Wouldn't it
be possible to only create the hash link as a symbolic link to
/usr/share/...?

> Please don't tell me to use an editor that writes a new inode when
> changing files. It's not a solution to the problem, even though it
> would address the symptom.

.oO( delink )

Regards,

Joey

--
Reading is a lost art nowadays.
-- Michael Weber

Please always Cc to me when replying to me on the lists.
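
The situation discussed in this thread, as an added example that is not part of the original messages: a shell audit that resolves every entry of a certificate directory and reports whether its bytes live in the directory itself or in the package tree, which is where an append through the link lands. The status names and the "more than one certificate" heuristic are assumptions of this example, and `readlink -f` as provided by GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): classify the entries of a certificate
# directory by where the bytes behind each name actually live.

# count_certs FILE -> number of PEM certificates in FILE
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# audit_cert_dir CERTDIR PKGROOT prints "STATUS NAME" for each entry:
#   local      regular file inside CERTDIR; an edit stays in CERTDIR
#   pkg-link   symlink (direct, or via another link) into PKGROOT
#   pkg-multi  as pkg-link, but the target holds more than one certificate,
#              which is what appending through the link leaves behind
#   other-link symlink that resolves outside PKGROOT
#   dangling   symlink whose target is missing
audit_cert_dir() {
    certdir=$1
    pkgroot=$(readlink -f "$2")
    for entry in "$certdir"/*; do
        name=${entry##*/}
        if [ -L "$entry" ]; then
            target=$(readlink -f "$entry") || target=
            if [ -z "$target" ] || [ ! -e "$target" ]; then
                echo "dangling $name"
                continue
            fi
            case $target in
                "$pkgroot"/*)
                    if [ "$(count_certs "$target")" -gt 1 ]; then
                        echo "pkg-multi $name"
                    else
                        echo "pkg-link $name"
                    fi ;;
                *) echo "other-link $name" ;;
            esac
        elif [ -f "$entry" ]; then
            echo "local $name"
        fi
    done
}

# Run only when a directory is given, e.g.: sh audit.sh /etc/ssl/certs
if [ $# -ge 1 ]; then
    audit_cert_dir "$1" "${2:-/usr/share/ca-certificates}"
fi
```

Entries reported as `pkg-multi` are candidates for moving into a regular file of their own before the next package upgrade replaces the target.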