On Friday 02 August 2013, Ludwig Nussel wrote:
Ruediger Meier wrote:
On Thursday 01 August 2013, Ludwig Nussel wrote:
I'm actually more worried about /etc/ssl/certs. Ideally it should be replaced by a read-only bind mount to /var/lib/ca-certificates/pem, but I fear that admins put certs there (that are now completely ignored).
Please not another bind mount. If I as an admin want to try something out quick and dirty I really hate such artificial restrictions to protect me against my own stupidity.
Quick and dirty would still work if you put the files into /var/lib/ca-certificates/pem instead of /etc/ssl/certs.
That's not so quick and IMO not even dirty. Knowing about /var/lib/ca-certificates/pem and calling update-ca-certificates implies that I already know about the SUSE 13.1 way of how and where to install certs. On earlier SUSE and other distros it would be another way. On current SUSE distros I would have used /usr/share/ca-certificates/. So I guess we should still use this path for compatibility.
Couldn't we avoid that update-ca-certificates wipes out /etc/ssl/certs completely? Would it work to use a subdir and to not touch admin's files?
I think /etc/ssl/certs has to be kept filled with certificates for compatibility for a while. So we have to fill it somehow. Right now that happens by putting hundreds of symlinks to individual certs into /etc/ssl/certs. IMO it would be better to not mess with /etc all the time, so making either /etc/ssl/certs itself a symlink or making it a bind mount would be options. Replacing directories with symlinks is not exactly something rpm likes though ...
Just checked again: on openSUSE 11.4 (and probably still on 12.3) custom files in /etc/ssl/certs/ were not removed by update-ca-certificates. IMO we should keep that behavior if possible. update-ca-certificates only creates symlinks to its well-known paths, so why not remove only exactly such symlinks?

cu,
Rudi
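The cleanup rule proposed at the end of the message above, as an added example that is not part of the original mail and is not the update-ca-certificates code: remove from the certs directory only those symlinks whose target lies under the managed store, and leave regular files and links pointing elsewhere alone. The function names and the demo tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# prune_managed_symlinks CERTS_DIR MANAGED_DIR   (hypothetical helper)
# Deletes only symlinks in CERTS_DIR that point into MANAGED_DIR and
# prints how many were removed. Admin-placed files are never touched.
prune_managed_symlinks() {
    certs_dir=$1
    managed_dir=$(cd "$2" && pwd -P) || return 1
    removed=0
    for entry in "$certs_dir"/* "$certs_dir"/.[!.]*; do
        [ -L "$entry" ] || continue          # regular files and dirs belong to the admin
        target=$(readlink "$entry") || continue
        case $target in
            /*) ;;                           # absolute link target
            *)  target="$certs_dir/$target" ;;   # relative to the link's directory
        esac
        # Resolve only the directory part, so stale links whose certificate
        # was already dropped from the managed store are still recognised.
        target_dir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || continue
        case "$target_dir/" in
            "$managed_dir"/*) rm -- "$entry"; removed=$((removed + 1)) ;;
        esac
    done
    echo "$removed"
}

# Constructed demo: one managed link, one admin file, one admin link elsewhere.
demo_prune() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/certs" "$tmp/pem" "$tmp/other"
    : > "$tmp/pem/distro-ca.pem"
    : > "$tmp/other/corp-ca.pem"
    : > "$tmp/certs/admin-ca.pem"
    ln -s "$tmp/pem/distro-ca.pem" "$tmp/certs/distro-ca.pem"
    ln -s "$tmp/other/corp-ca.pem" "$tmp/certs/corp-ca.pem"
    prune_managed_symlinks "$tmp/certs" "$tmp/pem" >/dev/null
    ls "$tmp/certs" | tr '\n' ' '            # what survives the cleanup
    rm -rf "$tmp"
}
```

Links whose target directory can no longer be resolved are kept, so the rule errs on the side of not deleting anything it cannot attribute to the managed store.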